Black Hat Tools Arsenal: Burp-Hash Plugin – Part 1

August 04, 2015

One day a few months back, teammates Matt South and Tim MalcomVetter reviewed a report from an application security assessment performed by another teammate, Scott Johnson. These reviews occur as part of our normal quality assurance process, but it’s always interesting, and even fun, when a teammate comes across a rare type of vulnerability. In this case, Scott tested an internet-facing web application belonging to one of our company’s clients, and he discovered a flaw in the way the web application handled password resets. On the surface, it appeared to be similar to many other web apps: if you forgot your password, you could simply tell the web app your email address and have it mail you a link to reset your password. This, at least in theory, “proves” you are the user since you control the email account. The link in the email takes the user back to the web app with a URL. Something like:

Normally, it’s fairly common for penetration testers to see this and just assume that a long dynamic hexadecimal string in the URL is an unpredictable token: either random, or encrypted with a sufficiently strong algorithm and a key known only to the server, so good luck attacking that. However, Scott observed that it was exactly as long as the hex encoding of a common cryptographic hash: 64 characters, the length of a SHA-256 digest. With piqued curiosity, Scott tried hashing the email parameter, “”. Then the unbelievable happened: it was a perfect match for the dynamic hexadecimal string in the URL. From there it was a simple matter of exploiting the helpful error messages on the application’s login pages to enumerate valid email addresses. This is easy when apps are polite, saying things like “Email address not found. Would you like to sign up?” and “Invalid password. Need to reset your password?” If you don’t get the “Would you like to sign up?” message, you have just found a valid user’s email address.

While the application had intended to prove that the user clicked the link in the password reset email, the server actually had no way of knowing whether a password reset email had even been sent to that address. There was no server-side state, and therefore no random secret, no expiry and no single-use check: just an email address and its hash, which anyone can compute. So an attacker could reset any user’s password simply by hashing their email address, without the user ever receiving a password reset email.
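The two designs side by side, as an added example that is not code from the client’s application or from Burp-Hash. The vulnerable half models exactly what the post describes (token = SHA-256 of the email, verified statelessly); the hardened half is the usual fix: a random token from the OS CSPRNG, stored server-side as a hash, bound to the account, expiring and single-use. Names such as `ResetService` and the 15-minute TTL are assumptions for illustration.

```python
"""Password-reset tokens: the predictable design described above beside a
hardened one. Added example; not the client's application or Burp-Hash code."""
import hashlib
import hmac
import secrets
import time


# --- Vulnerable design: the "token" is just SHA-256 of the email address. ---
def vulnerable_issue_token(email: str) -> str:
    # Nothing is stored server-side; anyone who knows the email can compute this.
    return hashlib.sha256(email.encode()).hexdigest()


def vulnerable_verify(email: str, token: str) -> bool:
    # Stateless check: recomputes the hash, so there is no proof an email was ever sent.
    return token == hashlib.sha256(email.encode()).hexdigest()


def attacker_forge(email: str) -> str:
    # The attacker needs no access to the victim's mailbox, only the address.
    return hashlib.sha256(email.encode()).hexdigest()


# --- Hardened design: random, stored, bound to the account, expiring, single-use. ---
class ResetService:
    """Hypothetical reset service (assumed name); keeps pending resets in memory."""

    TTL_SECONDS = 15 * 60  # assumed lifetime for a reset link

    def __init__(self):
        self._pending = {}  # email -> (sha256(token), expiry timestamp)

    def issue_token(self, email: str, now: float = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # Store only a hash of the token so a database leak does not expose live links.
        self._pending[email] = (
            hashlib.sha256(token.encode()).hexdigest(),
            now + self.TTL_SECONDS,
        )
        return token  # this value goes into the emailed link and nowhere else

    def verify(self, email: str, token: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        record = self._pending.get(email)
        if record is None:
            return False  # no reset was ever requested for this account
        stored_hash, expiry = record
        if now > expiry:
            del self._pending[email]
            return False  # link expired
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(stored_hash, presented):
            return False  # wrong token; constant-time compare avoids a timing oracle
        del self._pending[email]  # single use: a replayed link is rejected
        return True


if __name__ == "__main__":
    victim = "victim@example.com"  # constructed sample, not a real account
    print("vulnerable design forged:", vulnerable_verify(victim, attacker_forge(victim)))
    svc = ResetService()
    print("hardened design forged:", svc.verify(victim, attacker_forge(victim)))
```

The hardened `verify` returns false for three distinct reasons (nothing pending, expired, wrong token) but reports them identically to the caller; the error text shown to the user should be equally uniform, for the same enumeration reason the post raises about the login page.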

Our client fixed the issue and we validated the fix, but it left us wondering: with something so subtle, have we ever missed that before? The three of us decided to create a tool to automatically find this vulnerability, should it ever happen again. Since Burp Suite Pro is our favorite tool for testing web applications, especially since it has a good way to extend functionality with its plugin API, we began designing a plugin before the pixels on our report edits were dry. Thus, Burp-Hash was born: a Burp Suite plugin that locates cryptographic hashes in web applications, hashes observed parameters, and saves penetration testers the hassle of manually discovering if any observed parameters match the observed hashes.
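The core check the plugin automates, written out as an added example (not Burp-Hash’s own code, which is covered in the next post): collect every parameter value seen in the traffic, spot hex strings whose length matches a common digest (a 64-character hex string is the SHA-256 tell from the story), hash each value with each algorithm and report any exact match. The sample requests are constructed to model the vulnerable application; the hostnames, parameter names and helper names are assumptions.

```python
"""Match observed parameter values against observed hashes (the Burp-Hash idea).
Added example; not the plugin's code. Sample traffic is constructed."""
import hashlib
import re
from urllib.parse import parse_qsl, urlsplit

# Hex digest length -> algorithm. 64 hex characters is a SHA-256 digest.
HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
HEX_TOKEN = re.compile(r"\b[0-9a-fA-F]{32,128}\b")


def find_hash_candidates(text: str) -> dict:
    """Return {hexstring: suspected_algorithm} for hash-length hex strings in text."""
    out = {}
    for m in HEX_TOKEN.finditer(text):
        algo = HEX_LENGTHS.get(len(m.group(0)))
        if algo:
            out[m.group(0).lower()] = algo
    return out


def collect_parameters(url: str, body: str = "") -> dict:
    """Query-string and form-body parameters, name -> value."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    params.update(parse_qsl(body, keep_blank_values=True))
    return params


def value_variants(value: str):
    """Encodings the server might plausibly have hashed: as-is, lowercased, stripped."""
    seen = set()
    for v in (value, value.lower(), value.strip(), value.lower().strip()):
        if v not in seen:
            seen.add(v)
            yield v


def match_parameters_to_hashes(params: dict, candidates: dict) -> list:
    """Hash every parameter value with every algorithm; report exact matches."""
    matches = []
    for name, value in params.items():
        for variant in value_variants(value):
            for algo in sorted(set(HEX_LENGTHS.values())):
                digest = hashlib.new(algo, variant.encode()).hexdigest()
                if digest in candidates:
                    matches.append(
                        {"param": name, "value": variant, "algorithm": algo, "hash": digest}
                    )
    return matches


def demo() -> list:
    """Constructed traffic modelling the vulnerable app: reset token = sha256(email)."""
    login_url = "https://app.example.com/login"  # assumed host
    login_body = "email=alice%40example.com&password=hunter2"
    # The reset link is built the way the vulnerable server built it, so the
    # token in it is simply the SHA-256 of the email parameter.
    reset_link = (
        "https://app.example.com/reset?email=alice%40example.com&token="
        + hashlib.sha256(b"alice@example.com").hexdigest()
    )
    params = collect_parameters(login_url, login_body)
    params.update(collect_parameters(reset_link))
    candidates = find_hash_candidates(reset_link)
    return match_parameters_to_hashes(params, candidates)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['param']}={hit['value']!r} -> {hit['algorithm']} -> {hit['hash']}")
```

In a real engagement the interesting inputs are not only the query string and form body but also cookies, JSON fields, headers and values that appear in responses (user IDs, usernames), and the variants worth trying include URL-decoded, trimmed and lowercased forms, since the server rarely hashes exactly the bytes the client sent.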

Stay tuned to our next blog in this series for details on how Burp-Hash works or check out our Burp-Hash demo at the Black Hat Tools Arsenal on Wednesday, August 5th from 3:30 to 6:00 PM. See you there!

By: Scott Johnson

Security Consultant
