Black Hat Tools Arsenal: Burp-Hash Plugin – Part 1

By Scott Johnson, Tim MalcomVetter, Matt South ·

One day a few months back, teammates Matt South and Tim MalcomVetter reviewed a report from an application security assessment performed by another teammate, Scott Johnson. These reviews occur as part of our normal quality assurance process, but it’s always interesting, and even fun, when a teammate comes across a rare type of vulnerability. In this case, Scott tested an internet-facing web application belonging to one of our company’s clients, and he discovered a flaw in the way the web application handled password resets. On the surface, it appeared to be similar to many other web apps: if you forgot your password, you could simply tell the web app your email address and have it mail you a link to reset your password. This, at least in theory, “proves” you are the user since you control the email account. The link in the email takes the user back to the web app with a URL. Something like:

https://www.example.com/reset?email=user@example.com&key=b4c9a289323b21a01c3e940f150eb9b8c542587f1abfd8f0e1cc1ffc5e475514

Normally, it’s fairly common for penetration testers to see this and just assume that a long dynamic hexadecimal string in the URL is encrypted with a sufficiently strong algorithm and a key only known by the server— so good luck attacking that. However, Scott observed that it looked to be the same number of characters long as a common cryptographic hash algorithm: SHA-256. With piqued curiosity, Scott tried hashing the email parameter, “user@example.com.” Then the unbelievable happened: it was a perfect match to the dynamic hexadecimal string in the URL. From there, of course, it was a simple matter of exploiting the helpful error messages on the application’s login pages to enumerate valid email addresses. This is easy when apps are polite, saying things like: “Email address not found. Would you like to sign up?” and “Invalid password. Need to reset your password?” If you don’t get the “Would you like to sign up?” message, you just found a valid user’s email address.

While the application had intended to prove that the user clicked the link in the password reset email, the truth is that the server had no way of knowing if a password reset email had even been sent to that email address. There was no application state—just an email address and its hash. So, an attacker could reset any user’s password simply by hashing their email address, without the user ever getting an email with a password reset link in it.

Our client fixed the issue and we validated the fix, but it left us wondering: with something so subtle, have we ever missed that before? The three of us decided to create a tool to automatically find this vulnerability, should it ever happen again. Since Burp Suite Pro is our favorite tool for testing web applications, especially since it has a good way to extend functionality with its plugin API, we began designing a plugin before the pixels on our report edits were dry. Thus, Burp-Hash was born: a Burp Suite plugin that locates cryptographic hashes in web applications, hashes observed parameters, and saves penetration testers the hassle of manually discovering if any observed parameters match the observed hashes.

Stay tuned to our next blog in this series for details on how Burp-Hash works or check out our Burp-Hash demo at the Black Hat Tools Arsenal on Wednesday, August 5th from 3:30 to 6:00 PM. See you there!

Scott Johnson

Security Consultant

Scott Johnson is a security consultant with Optiv's application security team. His focus is on penetration testing, source code review, and mobile application assessments.