Burp Suite for HMAC signature

August 8, 2018 | Views: 2742

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

How to Set Up Extensions and Session Handling for HMAC Signature

In this tutorial, we are going to see how to add a Python script to Burp extender and set up the session handling rule to run the extender.

Things that we need:

Modify the Python Script

I did some modifications to the script because I want to use the header, timestamp, and body for creating the HMAC Header. I also, for some reason, cannot seem to make the createHmac definition to work properly.

from burp import IBurpExtender

from burp import ISessionHandlingAction

from burp import IParameter

from java.io import PrintWriter

from datetime import datetime

import hashlib

import hmac

import base64

import sys

class BurpExtender(IBurpExtender, ISessionHandlingAction):


    # implement IBurpExtender


    #update me:

    global key;

    def registerExtenderCallbacks(self, callbacks):

        stdout = PrintWriter(callbacks.getStdout(), True)

        self._callbacks = callbacks

        self._helpers = callbacks.getHelpers()

        callbacks.setExtensionName(“HMAC Header”)

        stdout.println(“HMAC Header register”)


        stdout.println(“Session handling”)


    def getActionName(self):

        return “HMAC Header”

    #def createHmac(message):

    #    stdout = PrintWriter(self._callbacks.getStdout(), True)

    #    stdout.println(“createHmac”)

    #    Print(“creating hmac”)

    #    msg = bytes(message).encode(‘utf-8’)

    #    #stdout.println(“message: ” + msg)

    #    Print(“message: ” + msg)

    #    #stdout.println(“key: ” + b64decode(key))

    #    Print(“key: ” + b64decode(key))

    #    _hmac = base64.b64encode(hmac.new(b64decode(key), msg, digestmod=hashlib.sha256).digest())

    #    Print(_hmac)

    #    #stdout.println(“hmac: “+_hmac)

    #    return _hmac

    def performAction(self, currentRequest, macroItems):

      #key need to be change with the HMAC key that is used for the encryption

        key = “fuM0sCVI/EGFcAAAAlQqsdMmRRRRC2/iLqCWK7khdpU=”;

        stdout = PrintWriter(self._callbacks.getStdout(), True)


        requestInfo = self._helpers.analyzeRequest(currentRequest)

        #acquire token and timestamp

        headers = requestInfo.getHeaders()

        for header in headers:

            if(header.split(” “)[0]==”Authorization:”):

                token=header.split(” “)[2]

            elif(header.split(” “)[0]==”Timestamp:”):

                timestamp=header.split(” “)[1]

       #acquire body

        msgBody = currentRequest.getRequest()[requestInfo.getBodyOffset():]

        msg=(”.join(chr(i) for i in msgBody))

        msg=(((msg.replace(” “,””)).replace(“n”,””)).replace(“r”,””)).replace(” “,””)

        hashstring = token +”:”+ timestamp +”:”+ msg

        hashstring = bytes(hashstring).encode(‘utf-8’)


        _hmac = base64.b64encode(hmac.new(key, hashstring, digestmod=hashlib.sha256).digest())


        #headers.add(‘HMAC-Signature: %s’ % _hmac)


        for header in headers:

            if(header.split(” “)[0]==”HMAC-Signature:”):

                headers[i]=”HMAC-Signature: “+ _hmac


        # Build new Http Message with the new Hash Header

        message = self._helpers.buildHttpMessage(headers, msgBody)


        # Print Header into UI

        #print self._helpers.bytesToString(message)

        # Update Request with New Header



Setting Up Burp Suite Extender

After we have the script, we then upload it to Burp Suite. We are going to upload the script to Burp extender so we can run it when the session handling finds the invalid session, run macro, then the script.

  1. Open Burp Suite.
  2. We are going to use the temporary project (free version). Just follow the wizard until there are tabs showing on the window.
  3. Find the “Extender” tab and click it.
  4. Next, we are going to click “Add.”
  5. Load Burp Extension. A window will open up.
  6. Choose “Python” as the “Extension type.”
  7. Select the Python script for the “Extension file.”
  8. Then click “next.”
  9. If everything goes as planned (fingers crossed), we will see “HMAC Header Register” and “Session Handling” as the Output for loading the script.
  10. Click close.
  11. We will see “HMAC Header Script” as an option for Burp Extensions.
  12. Make sure the ”Loaded” and “Extension Loaded” at the bottom are checked.

Setting Up Session Handling

In this section, we will create a rule for session handling with an empty macro. Basically, we are creating a rule which will find the invalid session (403 on the header) and then run macro (which is empty, so skip), which in turn will run the script on the defined scope at the Target scope.

  1. Click the “Project options” tab.
  2. Then click the “Session” tab in the Project options tab.
  3. Click “Add” to open “Session Handling Rule Editor.”
  4. Enter “HMAC Header” as the Rule Description (This should be the same with the getActionName return in the script.) def getActionName(self):       return “HMAC Header”
  5. Click “Add” on the “Rule Action.” Then choose “Check session is valid”  to open the “Session Handling Action Editor” window.
  6. Check “HTTP Headers” and uncheck “URL of redirection target” at the Location(s).
  7. Enter “403” for the “Look for expression” and switch “Match indicates” to “Invalid session.”
  8. Scroll down a little and check “if session is invalid, perform….”
  9. Select “Run a macro.” Then click “Add.”
  10. When the “Macro Editor” opens up, just click “OK.”
  11. Check “After running the macro, invoke burp extensions action handler.”
  12. If we uploaded the script (and the script works), then we will see the script name on the dropdown (ex. HMAC Header).
  13. After that, we click the “Scope” tab at the top of the window.
  14. Check all “Tool Scope” so this rule will be applied to all Burp functions.
  15. Choose “Use Suite Scope.” I tried to use the custom scope but it didn’t work.
  16. Click OK; then we will see the rule in the Session Handling Rules option.

Testing the HMAC Script

Add packet, which responds 403 to the repeater. When we click on GO, the session handling rule will be applied and create the HMAC-Signature header, which will be sent to the server.

Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?