An overview of Hackvertor
Hackvertor is a Burp Suite designed to modify requests dynamically using tags. This functionality eliminates the need for scripting for each new feature, thereby saving time and boosting productivity. One of the perks of Hackvertor is the ability to create **custom tags**, which allows for the execution of advanced actions or repetitive tasks without having to rewrite scripts.
In addition to all predefined tags, you can also create your own customised tags. So if you often need to perform a series of actions associated with different tags, or perform more advanced actions, you can write a script in JavaScript, Python, Java or Groovy and then simply call the new custom tag.
Key features of Hackvertor
Hackvertor comes packed with a slew of features that make it a valuable addition to Burp Suite. Some of the noteworthy ones include:
- Tag-Based Modifications: This feature simplifies changes made within the context of other Burp Suite features.
- On-the-Fly Fuzzing: Hackvertor supports fuzzing with modifications on-the-go, which is particularly useful with Burp Suite's Intruder tool.
- Encoding and Decoding Support: Hackvertor provides support for encoding and decoding, encryption and decryption of values.
- IP Spoofing: With Hackvertor, you can generate random IP addresses to bypass protection mechanisms and filters.
- Signature Generation: Hackvertor allows you to generate signatures effortlessly.
- Fake Data Input: You can fill in forms with fake datasets, which can be useful in various testing scenarios.
Getting started with Hackvertor
Before delving into Hackvertor's advanced functionalities, it's essential to familiarize yourself with its basic usage. The extension's direct tab offers a comprehensive tour of the various tags and their uses.
Case Study: Encoding and Encryption
Consider a scenario where you need to send encoded or encrypted data for fuzzing. For instance, you might be working with a website that uses AES encryption on the front-end. If the AES key is leaked in the front-end source code, you could perform a brute-force attack to get a valid encryption value.
Let's imagine a website where a quick examination of the code allows us to understand that AES encryption is performed on the front-end before being sent for verification. We can then see that the AES key enabling this encryption is leaked in the front-end source code. This allows us to preform a brute-force attack to obtain a valid encryption value.
By inserting a payload as shown below in Burp's Intruder tab and iterate over a wordlist, Hackvertor will AES encrypt the current value provided by the wordlist. Once the value is encrypted, Intruder will send the request containing the new encrypted value to the target.
<@aes_encrypt('yesWeHack_Secret','AES','initVectorYWH')>SuperSecret_BruteForce<@/aes_encrypt>
Various tags are also available for encoding and decoding, such as for base64 and burp_urlencode :
<@base64>20 septembre 2023<@/base64>
GET <@burp_urlencode>/invoices/20 Septembre 2023<@/burp_urlencode>
<@d_base64>MjAgc2VwdGVtYnJlIDIwMjM=<@/d_base64>
<@d_burp_url>GET /invoices/20+Septembre+2023<@/d_burp_url>
There are also various techniques available if you need to encode a payload to bypass a filter – for example:
Bypassing Filters with Math Category
The Math category in Hackvertor offers more than just arithmetic calculations. It has the ability to randomly generate sequences of letters or numbers or add padding to your values. This capability can be utilized to bypass certain Web Application Firewalls (WAF).
To bypass certain Web Application Firewalls (WAF), you can trick the WAF into not checking the rest of the request. Here's how you can add a fake parameter with a large number of random letters to the content of your POST request:
fake=<@random_alpha_lower(10000)/>&legit_param=payload
Fake Dataset
In the case of an attempted exploit via a form, for example, it is sometimes necessary to enter different data for each request. For this purpose, there's a Fake category containing tags for fake addresses, fake companies, fake phone numbers and fake words by categories, with a choice of language.
<@fake_address("$firstName, $lastName, $fullAddress","fr_FR")/>
<@fake_phoneNumber("$cellPhone","fr_FR")/>
<@fake_company("$name, $url, $catchPhrase, $logo","en-GB")/>
Generating Tokens
There might be situations where you need to generate tokens based on other data, such as the date. For example, we can transform our data into a JWT after receiving the current date:
<@jwt('HS256','Y3sW3H5ck_hv')>{"date":"<@date("yyyy-MM-dd HH:mm:ss","GMT")/>","token":"username:password"}<@/jwt>
Useful Tips
It is possible to reuse data placed elsewhere in the query. To do this, you need to define the data with a <@set_ywh_var(false)><@/set_ywh_var(false)> tag, then simply call it with a get, followed by the name given to the variable: <@get_ywh_var/>.
Other variables can be set to reuse information, such as values within the body, headers or information related to the HTTP protocol.
As we've already covered, it is possible to obtain the date or a timestamp of the current time. The choice of format allows you to easily add adapted values in many different situations.
These are just some of the useful features provided by Hackvertor. For instance, there are also more advanced actions that allow you to insert custom Python, JavaScript, Java or Groovy code directly, without having to create your own tag:
<@python('output = "".join(chr((ord(char) - 65 + 13) % 26 + 65) if i % 2 == 0 and char.isalpha() else char for i, char in enumerate(input))','<YOUR_HV_TOKEN>')>data_to_modify<@/python>
This Python code takes each character from an input and encodes it into a Rot13 format. This example demonstrates the potential of harnessing Hackvertor to write custom code directly in Burp.
Security
To prevent interpretation of a payload containing a tag that wasn’t created by you (e.g, one that is already in a request passing through your proxy), you can simply enable or disable Hackvertor via the top bar. For Custom Tags, they are associated with a random token that must be known before they can be executed.
