
IContextMenu interna plugin

Federico Dotta edited this page Apr 14, 2020 · 2 revisions

A practical example of IContextMenu Brida plugin

For this example, we will use the same functions used in the IMessageEditorTab example. To recap, we have some encrypted data in requests and responses, and we found in the binary the functions that perform the encryption/decryption. We want to add to Brida two context menu options that encrypt/decrypt the portion of the request/response highlighted by the user and replace the value with the encrypted/decrypted one, as follows:

  1. Decrypt: the user highlights the encrypted portion of the request/response, right-clicks and selects Decrypt; the selected encrypted value is replaced with the decrypted one, obtained by executing a Frida exported decryption function on the data (if the request/response tab is non-editable, a pop-up shows the decryption result)
  2. Encrypt: the user highlights a portion of the request/response, right-clicks and selects Encrypt; the selected value is replaced with the encrypted version, obtained by executing a Frida exported encryption function on the data (if the request/response tab is non-editable, a pop-up shows the encryption result)

As in the IMessageEditorTab example, we write two simple Frida exported functions that will execute encryption/decryption for us: encryptrequest and decryptresponse (these functions are named this way because they use Frida to call two iOS functions named + encryptRequest: and + decryptResponse: respectively, but they can be used to encrypt/decrypt arbitrary content):

icontextmenu-plugin-1

Let's start with the Decrypt plugin:

icontextmenu-plugin-2

  • Plugin name: DecryptContextMenu
  • Plugin type: IContextMenu
  • Name of the Frida exported function: decryptresponse (the name of the JS function we defined in the previous steps. As we said before, we named the exported function decryptresponse because it is the name of the called mobile function, but it can be used to decrypt both requests and responses. DO NOT USE UPPERCASE CHARACTERS IN THE EXPORTED FUNCTION NAMES)
  • Execute on: Context menu options named - Decrypt (the name that will appear in the right-click context menu of Burp Suite)
  • Parameters: highlighted value in request/response (the portion of the request/response highlighted by clicking and dragging with the left mouse button will be supplied as the parameter to the Frida exported function. Brida offers many other options for passing arguments, such as full request/response, regex with groups, body, headers, dynamic feed with popup, ...)
  • Encode function parameters: none (we can encode parameters before sending them to the mobile application, but in this situation it is not necessary. This option is very important with binary input: in those situations, it is better to encode the parameters with ASCII-HEX or Base64 and decode them in the Frida exported functions. All the encode/decode options of the Custom Plugins, when clicked, open a popup in which it is possible to choose one or more encoding/compression algorithms, like Base64, ASCII-HEX, URL, GZIP, ...)
  • Decode function output: none (we can decode the output returned by Frida. As for the parameters, if the output is in binary form it is better to encode it in the Frida exported function and decode it in the plugin using this option. The iOS function we are using for our plugin, + decryptResponse:, returns the result of our search operation in an ASCII string and consequently we don't need to decode it)
  • Plugin output: Replace highlighted value in request/response (the output of the Frida exported function will take the place of the highlighted value supplied as parameter)
  • Plugin output encoding: none (this menu allows us to encode Frida output before inserting it in the chosen place. However, in our current plugin this is not necessary and we set it to none)
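
The two encode/decode options above, as an added example (not the code from this page's screenshots and not Brida's own code): a binary-safe variant of the two exported functions for a plugin configured with ASCII-HEX in both "Encode function parameters" and "Decode function output". `ExampleCrypto` is a placeholder class name, the two methods are assumed to take and return NSString, and Brida's decoder is assumed to accept lowercase hex.

```javascript
// Added example. Assumptions: the plugin sends parameters as ASCII-HEX and
// decodes the output from ASCII-HEX; "ExampleCrypto" is a placeholder class.

// ASCII-HEX -> JS string (bytes interpreted as UTF-8). Throws on bad input
// instead of handing a half-decoded value to the application.
function hexToString(hex) {
  if (!/^(?:[0-9a-fA-F]{2})*$/.test(hex)) {
    throw new Error('parameter is not ASCII-HEX');
  }
  return decodeURIComponent(hex.replace(/../g, '%$&'));
}

// JS string -> lowercase ASCII-HEX of its UTF-8 bytes.
function stringToHex(str) {
  return encodeURIComponent(str).replace(/%([0-9A-F]{2})|([^%])/g,
    (m, hexByte, ch) => hexByte ? hexByte.toLowerCase()
                                : ch.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Build the exports around a cipher object so the hex handling can be checked
// without a device. Export names are all lowercase, as the page requires.
function makeExports(cipher) {
  return {
    encryptrequest: (hexArg) => stringToHex(cipher.encrypt(hexToString(hexArg))),
    decryptresponse: (hexArg) => stringToHex(cipher.decrypt(hexToString(hexArg)))
  };
}

// Inside Frida: call the two class methods named on this page.
if (typeof rpc !== 'undefined' && typeof ObjC !== 'undefined' && ObjC.available) {
  const cls = ObjC.classes.ExampleCrypto; // placeholder, not the real class name
  // Merge into rpc.exports so other exports in the same script are kept.
  Object.assign(rpc.exports, makeExports({
    encrypt: (s) => cls.encryptRequest_(s).toString(),
    decrypt: (s) => cls.decryptResponse_(s).toString()
  }));
}
```

With this variant, newlines and non-ASCII bytes in the highlighted value cross the Burp-to-Frida boundary unchanged, and a parameter that is not valid hex raises an error in the export rather than reaching the application.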

Now we can click on "Add plugin" to create our plugin and then on "ENABLE" to enable it:

icontextmenu-plugin-3

To try our new plugin, we can simply send one encrypted request to the Repeater, highlight the encrypted portion, right-click and select Decrypt:

icontextmenu-plugin-4

And here is the result:

icontextmenu-plugin-5

We can also use the same plugin to decrypt responses, including in non-editable tools; the plugin will show a popup if it cannot replace the highlighted data:

icontextmenu-plugin-6

icontextmenu-plugin-7

We can then create a similar plugin to handle the encryption (we can add URL encoding to the Frida Base64 output so that we can send our modified request directly, without a manual URL-encoding step):

icontextmenu-plugin-8

And with our new plugin we can also encrypt back our weaponized input before sending it to the backend:

icontextmenu-plugin-9

icontextmenu-plugin-10
