Burp Suite User Forum


ECB Block Shuffler Payload type behaviour

ellasatchmi | Last updated: Jan 02, 2017 02:23AM UTC

Not sure if this is a bug or I'm doing it wrong, but I tried using the ECB payload of Burp Suite with a base request of:

GET /payment/callback?data=5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c80cf1fc4796100e1128df361f896eb3c3706cda0474915040 HTTP/1.1

As you can see the "data" is a sequence of 96 characters. And what I expected when I run Intruder with "ECB Block Shuffler" would be something like this:

5765679f0870f430 9b1a3c83588024d7 c146a4104cf9d2c8 0cf1fc4796100e11 28df361f896eb3c3 706cda0474915040

#0 5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c80cf1fc4796100e1128df361f896eb3c3706cda0474915040 (96 chars)
#1 9b1a3c83588024d75765679f0870f430c146a4104cf9d2c80cf1fc4796100e1128df361f896eb3c3706cda0474915040 (still 96 chars)
#2 9b1a3c83588024d7c146a4104cf9d2c85765679f0870f4300cf1fc4796100e1128df361f896eb3c3706cda0474915040 (still 96 chars)

and so on. Everything would be 96 chars? But what I actually got was:

#0 5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c80cf1fc4796100e1128df361f896eb3c3706cda0474915040 (96 chars)
#1 0cf1fc4796100e115765679f0870f4309b1a3c83588024d7c146a4104cf9d2c80cf1fc4796100e1128df361f896eb3c3706cda0474915040 (112 chars)
#2 28df361f896eb3c35765679f0870f4309b1a3c83588024d7c146a4104cf9d2c80cf1fc4796100e1128df361f896eb3c3706cda0474915040 (112 chars)

How come the chars changed from 96 to 112? As I understand it, it should still be the same number of blocks? Thanks.

PortSwigger Agent | Last updated: Jan 03, 2017 10:27AM UTC

In addition to switching blocks within the structure, Burp also inserts blocks at different positions within the structure. Both techniques can be effective in exploiting vulnerabilities in the processing of ECB-encrypted data.

Burp User | Last updated: Jan 03, 2017 12:34PM UTC

Thanks for the quick reply! I now get why it would insert blocks in the different positions. However, I observed that all payloads sent by Intruder were only those with inserted blocks having a length of 112 chars vs the original of 96 chars. As I understand it, I should have gotten both payloads with 96 chars due to the switching method and some with 112 chars for payloads with inserted blocks in different positions. Thanks.

PortSwigger Agent | Last updated: Jan 03, 2017 01:34PM UTC

Actually, I think I was wrong and in fact the only action that Intruder performs is to insert blocks, not to switch existing blocks. In most cases, the ciphertext will decrypt to a data structure of some kind, and the best way to manipulate that structure with the minimum risk of breaking its format is to insert additional blocks, rather than shuffle existing ones.

Burp User | Last updated: Jan 04, 2017 09:57AM UTC

Thanks again. That explains it. Anyways, it seems that you can still achieve the switching scenario by manually setting the data minus the last block on "Specific string:" and then enter the last block under the "Additional encrypted strings - optional" on Payload Options of the ECB block shuffler.
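The following is an added example, not code from the thread or from PortSwigger, and it does not reproduce Intruder's exact payload ordering. It models the three manipulations discussed above on the 96-hex-character ciphertext from the original post (treated as six 8-byte blocks): the "insert a block at every boundary" behaviour the PortSwigger agent describes, which yields 112-character payloads; the block swapping the original poster expected; and the last poster's workaround of supplying all but the last block as the specific string and the last block as an additional encrypted string. On the defensive side, it shows that an HMAC over the ciphertext rejects every rearranged variant, which is why unauthenticated ECB data in a URL parameter is a finding in the first place. The key, the MAC layout and the function names are assumptions for illustration.

```python
"""Model of ECB block insertion / swapping on a hex ciphertext, plus the
MAC check that defeats both. Added example; not Burp Suite's implementation."""
import hashlib
import hmac

# Ciphertext from the original post: 96 hex chars = 48 bytes = six 8-byte blocks.
DATA = ("5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8"
        "0cf1fc4796100e1128df361f896eb3c3706cda0474915040")
BLOCK_HEX = 16  # one 8-byte block is 16 hex characters

# Constructed demo key (assumption); a real deployment uses a dedicated MAC key.
MAC_KEY = b"constructed-demo-mac-key"


def split_blocks(hex_ct, block_hex=BLOCK_HEX):
    """Split a hex ciphertext into fixed-size cipher blocks."""
    if len(hex_ct) % block_hex:
        raise ValueError("ciphertext is not a whole number of blocks")
    return [hex_ct[i:i + block_hex] for i in range(0, len(hex_ct), block_hex)]


def insertion_payloads(hex_ct, extra_blocks=(), block_hex=BLOCK_HEX):
    """Model of the 'insert blocks' behaviour described in the thread: each
    candidate block (the ciphertext's own blocks plus any additional encrypted
    strings) is inserted at every block boundary, so every payload is exactly
    one block longer than the input. Ordering is this model's, not Intruder's."""
    blocks = split_blocks(hex_ct, block_hex)
    extra = [b for s in extra_blocks for b in split_blocks(s, block_hex)]
    candidates = list(dict.fromkeys(blocks + extra))  # de-duplicate, keep order
    payloads = []
    for cand in candidates:
        for pos in range(len(blocks) + 1):
            payloads.append("".join(blocks[:pos] + [cand] + blocks[pos:]))
    return payloads


def swap_payloads(hex_ct, block_hex=BLOCK_HEX):
    """The block switching the original poster expected: swap one pair of
    blocks per payload, so the length never changes."""
    blocks = split_blocks(hex_ct, block_hex)
    payloads = []
    for i in range(len(blocks)):
        for j in range(i + 1, len(blocks)):
            swapped = blocks[:]
            swapped[i], swapped[j] = swapped[j], swapped[i]
            payloads.append("".join(swapped))
    return payloads


def workaround_payloads(hex_ct, block_hex=BLOCK_HEX):
    """The last poster's trick: all blocks but the last act as the base string
    and the last block is the additional encrypted string. Inserting one block
    into a five-block base gives six-block (96-char) payloads again."""
    blocks = split_blocks(hex_ct, block_hex)
    base = "".join(blocks[:-1])
    return insertion_payloads(base, extra_blocks=(blocks[-1],), block_hex=block_hex)


def mac_tag(hex_ct):
    """Tag the ciphertext bytes (encrypt-then-MAC) so any block edit is detected."""
    return hmac.new(MAC_KEY, bytes.fromhex(hex_ct), hashlib.sha256).hexdigest()


def accept(hex_ct, tag):
    """Server-side check: constant-time comparison before any decryption."""
    return hmac.compare_digest(mac_tag(hex_ct), tag)


def survivors(payloads, tag):
    """Return the payloads a MAC-checking server would still accept."""
    return [p for p in payloads if accept(p, tag)]


if __name__ == "__main__":
    tag = mac_tag(DATA)
    for name, fn in (("insert", insertion_payloads), ("swap", swap_payloads),
                     ("workaround", workaround_payloads)):
        ps = fn(DATA)
        lengths = sorted({len(p) for p in ps})
        print(f"{name:10s} {len(ps):3d} payloads, lengths {lengths}, "
              f"accepted with MAC: {len(survivors(ps, tag))}")
```

Running it shows 42 insertion payloads of 112 characters (the poster's observed #1, block 4 placed first, is among them), 15 swap payloads of 96 characters, and 36 workaround payloads of 96 characters; with the MAC in place the only payload the server still accepts is the untouched original.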
