Packing/Unpacking custom POST data format for Active Scans
I'm trying to write an extension to test a mobile API endpoint that uses a homebrew message level encryption format. Basically there is a pre-shared AES key between the mobile app and the server, and the JSON POST data gets AES encrypted before the request is sent. I want to transparently decrypt and re-encrypt this data so the active scanner can inject into the encrypted payload. Is this feasible with a scanner or http listener?
Hi Andy, I think this is possible, as IHttpListener.processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse messageInfo) is invoked when an HTTP request is about to be issued, and when an HTTP response has been received.
So if you can decrypt & encrypt at those points, you should be able to modify the traffic in both the Scanner & HTTP Listener.
Have a go and let us know how you get on, we might be able to help further down the line.
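The listener approach described in the reply, as an added example written against the legacy Burp Extender API (it is not code from the thread or from PortSwigger). Assumptions, none of which are stated in the thread: the wire format is Base64(IV || AES-CBC ciphertext), responses use the same format, the key shown is a placeholder, and the base request given to the Scanner already carries the plaintext JSON body so that insertion points fall inside the JSON.

```java
package burp;
import java.nio.ByteBuffer;
import java.util.*;
import javax.crypto.Cipher;
import javax.crypto.spec.*;
// Assumed wire format (not stated in the thread): body = Base64(IV || AES-CBC-PKCS5(JSON)).
public class BurpExtender implements IBurpExtender, IHttpListener {
    private static final byte[] KEY = new byte[16]; // placeholder for the pre-shared AES key
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.registerHttpListener(this);
    }

    @Override
    public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse messageInfo) {
        if (toolFlag != IBurpExtenderCallbacks.TOOL_SCANNER) return; // other tools untouched
        try {
            if (messageIsRequest) { // Scanner built a plaintext JSON body: encrypt it before it is sent
                IRequestInfo info = helpers.analyzeRequest(messageInfo.getRequest());
                messageInfo.setRequest(rebuild(messageInfo.getRequest(), info.getBodyOffset(), info.getHeaders(), true));
            } else { // assumed: responses use the same format; decrypt so the Scanner can read them
                IResponseInfo info = helpers.analyzeResponse(messageInfo.getResponse());
                messageInfo.setResponse(rebuild(messageInfo.getResponse(), info.getBodyOffset(), info.getHeaders(), false));
            }
        } catch (Exception e) { // e.g. a plaintext error page: leave the message as it is
            callbacks.printError("Body left unchanged: " + e);
        }
    }

    private byte[] rebuild(byte[] raw, int bodyOffset, List<String> headers, boolean encrypt) throws Exception {
        byte[] body = Arrays.copyOfRange(raw, bodyOffset, raw.length);
        if (body.length == 0) return raw;
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        SecretKeySpec key = new SecretKeySpec(KEY, "AES");
        if (!encrypt) {
            byte[] in = Base64.getDecoder().decode(body);
            c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(in, 0, 16));
            return helpers.buildHttpMessage(headers, c.doFinal(in, 16, in.length - 16));
        }
        c.init(Cipher.ENCRYPT_MODE, key); // the provider generates a random IV
        byte[] ct = c.doFinal(body);
        byte[] wire = ByteBuffer.allocate(16 + ct.length).put(c.getIV()).put(ct).array();
        return helpers.buildHttpMessage(headers, Base64.getEncoder().encode(wire));
    }
}
```

buildHttpMessage recalculates Content-Length, so the encrypted body can differ in size from the plaintext the Scanner generated.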