
Black Hat Tools Arsenal: Burp-Hash Plugin – Part 1

August 04, 2015

One day a few months back, teammates Matt South and Tim MalcomVetter reviewed a report from an application security assessment performed by another teammate, Scott Johnson. These reviews occur as part of our normal quality assurance process, but it’s always interesting, and even fun, when a teammate comes across a rare type of vulnerability. In this case, Scott tested an internet-facing web application belonging to one of our company’s clients, and he discovered a flaw in the way the web application handled password resets. On the surface, it appeared to be similar to many other web apps: if you forgot your password, you could simply tell the web app your email address and have it mail you a link to reset your password. This, at least in theory, “proves” you are the user since you control the email account. The link in the email takes the user back to the web app via a URL something like:

https://www.example.com/reset?email=user@example.com&key=b4c9a289323b21a01c3e940f150eb9b8c542587f1abfd8f0e1cc1ffc5e475514

Normally, it’s fairly common for penetration testers to see this and just assume that a long dynamic hexadecimal string in the URL is encrypted with a sufficiently strong algorithm and a key known only to the server, so good luck attacking that. However, Scott observed that it was the same length as the output of a common cryptographic hash algorithm: SHA-256. With piqued curiosity, Scott tried hashing the email parameter, “user@example.com.” Then the unbelievable happened: it was a perfect match to the dynamic hexadecimal string in the URL. From there, of course, it was a simple matter of exploiting the helpful error messages on the application’s login pages to enumerate valid email addresses. This is easy when apps are polite, saying things like: “Email address not found. Would you like to sign up?” and “Invalid password. Need to reset your password?” If you don’t get the “Would you like to sign up?” message, you just found a valid user’s email address.

While the application had intended to prove that the user clicked the link in the password reset email, the truth is that the server had no way of knowing if a password reset email had even been sent to that email address. There was no application state—just an email address and its hash. So, an attacker could reset any user’s password simply by hashing their email address, without the user ever getting an email with a password reset link in it.

Our client fixed the issue and we validated the fix, but it left us wondering: with something so subtle, have we ever missed that before? The three of us decided to create a tool to automatically find this vulnerability, should it ever happen again. Since Burp Suite Pro is our favorite tool for testing web applications, especially since it has a good way to extend functionality with its plugin API, we began designing a plugin before the pixels on our report edits were dry. Thus, Burp-Hash was born: a Burp Suite plugin that locates cryptographic hashes in web applications, hashes observed parameters, and saves penetration testers the hassle of manually discovering if any observed parameters match the observed hashes.
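To make the two halves of the story concrete, here is an added example (our own illustration, not the Burp-Hash plugin's code) that does in a few lines what the plugin automates: it hashes observed parameter values with the algorithm implied by a hex string's length and reports any match, and it shows the shape of the fix described above, a reset token that is random, stored server-side, bound to the email, time-limited and single use. The sample parameter and key are modelled on the reset URL quoted in the post; the class and function names are our own.

```python
import hashlib
import hmac
import secrets
import time

# Hex-digest length -> algorithm: the same length heuristic the post describes
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

def hex_digest(algo, text):
    return hashlib.new(algo, text.encode()).hexdigest()

def find_hash_matches(params, observed):
    """Return (param_name, algorithm, plaintext) for every observed hex string
    that equals the hash of an observed parameter value (what Burp-Hash automates)."""
    matches = []
    for value in observed:
        value = value.lower()
        algo = ALGO_BY_HEX_LEN.get(len(value))
        if algo is None or any(c not in "0123456789abcdef" for c in value):
            continue  # not a bare hex digest of a length we recognise
        for name, plaintext in params.items():
            if hex_digest(algo, plaintext) == value:
                matches.append((name, algo, plaintext))
    return matches

class ResetTokenStore:
    """The fix: the reset key is random, kept server-side, bound to the email,
    time-limited and single use, so it cannot be derived from the email alone."""
    def __init__(self, ttl_seconds=900, now=time.time):
        self._tokens = {}
        self._ttl = ttl_seconds
        self._now = now  # injectable clock so expiry can be tested

    def issue(self, email):
        token = secrets.token_urlsafe(32)  # unguessable and unrelated to the email
        self._tokens[token] = (email, self._now() + self._ttl)
        return token

    def redeem(self, email, token):
        entry = self._tokens.pop(token, None)  # single use: gone after first attempt
        if entry is None:
            return False
        stored_email, expires_at = entry
        same_user = hmac.compare_digest(stored_email.encode(), email.encode())
        return same_user and self._now() <= expires_at

# Constructed sample modelled on the reset URL quoted in the post
SAMPLE_PARAMS = {"email": "user@example.com"}
SAMPLE_KEY = "b4c9a289323b21a01c3e940f150eb9b8c542587f1abfd8f0e1cc1ffc5e475514"
```

Running `find_hash_matches(SAMPLE_PARAMS, [SAMPLE_KEY])` is the check Scott did by hand; a token from `ResetTokenStore.issue` never matches because it is not a function of the email at all.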

Stay tuned to our next blog in this series for details on how Burp-Hash works or check out our Burp-Hash demo at the Black Hat Tools Arsenal on Wednesday, August 5th from 3:30 to 6:00 PM. See you there!

By: Scott Johnson

Security Consultant
