Background

During a pentest, we came across a scenario where the application was sending a token in each response which had to be used in the next request, so that request replay is prevented. On top of that, we could not use macros to send requests for tokens due to limitations.

To overcome this challenge, we developed SRePlay, a Burp plugin to bypass replay protection. It extracts the value of the token from the last response and automatically updates the next request with the new token on the fly, resulting in a request replay protection bypass.
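The token-rotation scheme described above, as an added model in Python that is not SRePlay's code: a server issues a fresh token with every response and rejects any request that does not carry the latest one, so resending a captured request fails while a client that reads the token from each response and carries it into the next request succeeds. All class and function names are constructed for this example.

```python
"""Model of one-time-token replay protection (constructed example).

The server hands out a fresh token in every response and accepts a
request only if it carries the token from the previous response.
"""
import secrets


class ReplayProtectedServer:
    """Server side: exactly one valid token per session at any time."""

    def __init__(self):
        self.expected = {}  # session id -> token the next request must carry

    def start_session(self):
        sid = secrets.token_hex(8)
        token = secrets.token_hex(16)
        self.expected[sid] = token
        return {"session": sid, "token": token}

    def handle(self, request):
        sid = request["session"]
        if request.get("token") != self.expected.get(sid):
            # Old, missing or unknown token: treat as a replay and refuse.
            return {"status": 403, "error": "replay or missing token"}
        # Rotate: the consumed token is never valid again.
        new_token = secrets.token_hex(16)
        self.expected[sid] = new_token
        return {"status": 200, "token": new_token, "echo": request["body"]}


class TokenChainingClient:
    """Client side: carries the token from the last response into the next request."""

    def __init__(self, server):
        self.server = server
        self.last = server.start_session()

    def send(self, body):
        req = {"session": self.last["session"], "token": self.last["token"], "body": body}
        resp = self.server.handle(req)
        if "token" in resp:  # pick up the rotated token for the next request
            self.last = {"session": self.last["session"], "token": resp["token"]}
        return req, resp


def demo():
    """Returns (first, raw replay, token-chained resend) status codes."""
    server = ReplayProtectedServer()
    client = TokenChainingClient(server)
    first_req, first_resp = client.send("order=1")
    replay_resp = server.handle(first_req)  # identical request sent again
    _, chained_resp = client.send("order=1")  # same body, fresh token
    return first_resp["status"], replay_resp["status"], chained_resp["status"]
```

Run `demo()` to see the three outcomes: the original request is accepted, the verbatim replay is refused, and the resend that carries the rotated token is accepted again.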

In this post, I’ll be discussing how to decrypt the mobile app AES Encrypted traffic on the fly using AES Killer.

Pre-requisites

  • Familiarity with Frida and hooking
  • Familiarity with Burpsuite and Genymotion

Requirements and Setup

  • 11x256 demo app and server
  • Frida
    • Frida on the local machine, which can be installed using pip install frida
    • Frida Server on the Android device, download the latest version from GitHub Releases
  • Burpsuite

Demo App

For this usage guide, I'll be using the AES Killer - Demo App, where I have simulated all possible scenarios with different variations in request and response to cover the maximum number of combinations that could occur. I have simulated the following test cases.

  • Complete Request & Response
  • Specific Request Parameters and complete response
  • Specific JSON Request parameters & complete response
  • Specific Request and Response Parameters
  • Override Request & Response

The application is sending back post data in response