A PoC using Burp Bambdas to show its simplicity for Quick Wins


Kulkan Security


In one of our latest engagements, our team found a very nice critical vulnerability involving a multi-step process and a couple of HTTP requests. After the engagement we discussed why this particular vulnerability was present, but more importantly, what other similar things we could be missing. In this case, a key part of the problem was the use of predictable hashes to perform critical actions, and once the team knew what to look for, the vulnerability was easy to spot.

Based on this, and as a little excuse to start learning about Burp’s Bambdas, I decided to write a small Bambda with the goal of searching for specific hash values in requests and responses that could point us to perform further inspection.

Disclaimer: This could be solved using regular HTTP filters and a bit of manual work, but the idea was to start using Bambdas.

Bambdas are small pieces of Java code that can be used to perform different tasks such as:

  • Filtering requests/responses in Burp’s HTTP History.
  • Adding columns in different sections (HTTP History, Logger, etc.).
  • Automatically calculating and replacing values in requests. A very cool example of this use case can be found in this blogpost.

In my case, I needed to calculate a couple of hashes for different values and filter requests containing any of them. Additionally, I wanted the flexibility to change which values were used as sources for the hash calculation, and the ability to test different hashing algorithms. As a starting point I reviewed PortSwigger’s Bambdas repository along with Burp’s Montoya API documentation.

As explained in the Bambda editor’s main window, we can leverage three different items:

  • The ProxyHttpRequestResponse object, via the requestResponse parameter. It represents the HTTP requests and responses intercepted by Burp. It will be the most used object, as it provides access to the most important data such as request and response bodies, HTTP headers, etc.
  • The Utilities interface, via utilities(), provides useful helper functions, such as conversion functions, hashing functions, and others.
  • The Logging interface, via logging(), provides logging and troubleshooting capabilities. Personally, I used “logging.logToOutput(message)” to debug some issues I had while testing.

With this information I was able to write the following simple Bambda:

if (!requestResponse.hasResponse()) {
    return false;
}

// Email and username used for registration purposes
String email = "[email protected]";
String username = "kulkan_test_user";

// SHA-256 digest of each value, hex-encoded so it can be searched as text
ByteArray emailHash = utilities().cryptoUtils().generateDigest(ByteArray.byteArray(email), DigestAlgorithm.SHA_256);
String emailHashAsString = HexFormat.of().formatHex(emailHash.getBytes());

ByteArray usernameHash = utilities().cryptoUtils().generateDigest(ByteArray.byteArray(username), DigestAlgorithm.SHA_256);
String usernameHashAsString = HexFormat.of().formatHex(usernameHash.getBytes());

// Example of logging output to the Bambda editor console; to view it, click "Apply"
// logging().logToOutput(emailHashAsString);

// If needed, replace requestResponse.response() with requestResponse.request()
// to search for hashes in the request as well.
// The username hash is computed but ignored here; change this if needed.
if (requestResponse.response().contains(emailHashAsString, false)) {
    return true;
}

return false;

This simple Bambda filters requests/responses that include the hash of the email address, username or password. Bear in mind that in this case I left out requests that did not have a response (lines 1–3). You can change the values used (email, username) according to your needs, as well as the hashing algorithm used (SHA-256). What I really liked about this feature is how easy it is to change things for testing purposes: I could easily modify the hashing algorithm used, or just look for the email address hash, and so on. The Montoya API has good documentation and is simple to use; in the future I will certainly develop new Bambdas to further simplify our penetration testing workflow.
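As an added example (not the author’s Bambda above), the same idea generalized to the flexibility described in the post: several candidate values are hashed with several algorithms, and both the request and the response are searched, so the filter catches whichever encoding the application uses. It is written as an HTTP History filter body for the Bambda editor, which supplies the requestResponse, utilities() and logging() items and the default Montoya/java.util imports; the candidate values are constructed samples.

```java
// Values observed during the engagement (constructed sample values; replace with your own).
String[] candidates = { "user@example.com", "kulkan_test_user" };

// Algorithms to try for each candidate; add or remove entries to test other hashing schemes.
DigestAlgorithm[] algorithms = { DigestAlgorithm.MD5, DigestAlgorithm.SHA_1, DigestAlgorithm.SHA_256 };

// Skip entries that never received a response, as in the original filter.
if (!requestResponse.hasResponse()) {
    return false;
}

for (String candidate : candidates) {
    for (DigestAlgorithm algorithm : algorithms) {
        // Hash the candidate with the Montoya crypto helper and hex-encode the digest.
        ByteArray digest = utilities().cryptoUtils().generateDigest(ByteArray.byteArray(candidate), algorithm);
        String hex = HexFormat.of().formatHex(digest.getBytes());

        // Case-insensitive search so both lower- and upper-case hex encodings match.
        boolean inRequest = requestResponse.request().contains(hex, false);
        boolean inResponse = requestResponse.response().contains(hex, false);

        if (inRequest || inResponse) {
            // Visible in the Bambda editor console after clicking "Apply".
            logging().logToOutput("Predictable hash found: " + algorithm + " of '" + candidate
                    + "' in " + (inRequest ? "request" : "response") + " for " + requestResponse.request().url());
            return true;
        }
    }
}

return false;
```

Each matching entry in HTTP History then points at an endpoint that transmits or returns a digest of a value an attacker could guess, which is the pattern to inspect by hand as described above.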

Nahuel D. Sanchez [LinkedIn] [X]
Security Consultant Manager @ Kulkan

Kulkan Security (www.kulkan.com) is a boutique offensive security firm specialized in Penetration Testing. If you’re looking for a Pentest partner, we’re here. Reach out to us via our website, at www.kulkan.com
