Name is required.
Email address is required.
Invalid email address
Answer is required.
Exceeding max length of 5KB

Packing/Unpacking custom POST data format for Active Scans

Andy Sep 18, 2019 09:57PM UTC

I'm trying to write an extension to test a mobile API endpoint that uses a homebrew message level encryption format. Basically there is a pre-shared AES key between the mobile app and the server, and the JSON POST data gets AES encrypted before the request is sent. I want to transparently decrypt and re-encrypt this data so the active scanner can inject into the encrypted payload. Is this feasible with a scanner or http listener?


Mike Eaton Sep 20, 2019 08:18AM UTC Support Center agent

Hi Andy, I think this is possible, as IHttpListener.processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse messageInfo) is invoked;

when an HTTP request is about to be issued, and when an HTTP response has been received.

So if you can decrypt & encrypt at those points, you should be able to modify the traffic in both the Scanner & HTTP Listener.

Have a go and let us know how you get on, we might be able to help further down the line.


Post Your public answer

Your name
Your email address
Answer