Demo App


For this usage guide, I'll be using the AES Killer - Demo App, where I have simulated all possible scenarios with different variations in the request and response, to cover the maximum number of combinations that could occur. I have simulated the following test cases.

  • Complete Request & Response
  • Specific Request Parameters and complete response
  • Specific JSON Request parameters & complete response
  • Specific Request and Response Parameters
  • Override Request & Response

The application echoes the POST data back in the response.

Demo App Setup

Download the AES Killer - Demo App and do the following:

$ cd AES_Killer-NodeJS-DemoApp

// Install packages
$ npm install express
$ npm install body-parser
$ npm install crypto-js
$ npm install cors


// Start the server
$ node server.js
Express server started on port 3000 ...... 

The running app will look like this:

I'll be using the following code snippet for encryption and decryption in this demo, where:

  • Secret key is aaaaaaaaaaaaaaaa and its base64 is YWFhYWFhYWFhYWFhYWFhYQ==
  • IV Parameter is bbbbbbbbbbbbbbbb and its base64 is YmJiYmJiYmJiYmJiYmJiYg==
  • As my Express server is running on localhost port 3000, my host will be http://127.0.0.1:3000/

AES Killer Setup


Download the latest jar file from GitHub Release and add it to Burp Extender.

Now let’s move towards the demo.


Example 01 - Complete Request and Response Body


If we issue a request by pressing the Login button, we can observe that the application sends the complete request and response bodies encrypted.

The configuration of AES Killer for this example is quite simple; all we need to do is the following:

  • Input Secret Key, IV Parameter and Host URL
  • Select Complete Request Body from Request Options
  • Select Complete Response Body from Response Options
  • Press the Start AES Killer button as shown below and you will get a prompt saying AES Killer started !!!

Now send the request from our demo web app again and go back to Burp Proxy, where you can see the decrypted request under the Edited request option and the decrypted response under the Original response option. When the request passes through the proxy:

  • IProxyListener.processProxyMessage decrypts the request body and updates the request with the decrypted body
  • Before the request is sent to the server, IHttpListener.processHttpMessage encrypts the whole request body and sends the updated, encrypted request to the server
  • On receiving the encrypted response, IHttpListener.processHttpMessage decrypts the response body
  • IProxyListener.processProxyMessage encrypts the decrypted request body and updates the request

So using the above flow, we can see and tamper with the clear-text request in Burp Proxy, Repeater, Scanner and Intruder, while AES Killer handles the encryption in the background before the traffic is sent on to the server or the application (web / mobile).

We can send this decrypted request to Repeater for further testing:

Now we can also do brute forcing using Intruder:

Example 02 - Specific Request Parameters and Complete Response


In this example, the application sends encrypted request parameters to the server and gets back an encrypted response.

To get plain-text traffic in such cases, use the following configuration for AES Killer:

  • Input Secret Key, IV Parameters and Host URL
  • Select Complete Response Body from Response Options
  • Select Specific Request Parameters from Request Options and provide parameter names separated with space
  • Press Start AES Killer

Now try sending the Login request again and you'll see the decrypted request and response in Burp.

We can use this decrypted request in Repeater, Scanner and Intruder, same as the previous case.


Example 03 - Specific JSON Request Parameters and Complete Response


In this example, we can see that the application sends encrypted request parameters as in the previous case, but now the content type is JSON, and the Burp API handles JSON parameters differently from the normal form or multipart content types. In addition, this time the application sends its response in plain text, without any encryption.

The configuration of AES Killer for this example is exactly the same as in Example 02, with a slight difference in the Response Options:

  • Input Secret Key, IV Parameters and Host URL
  • Select Ignore Response from Response Options as there is no encryption implemented on response in this example
  • Select Specific Request Parameters from Request Options and provide parameter names separated with space
  • Press Start AES Killer

Let's move back to the application and send the request again.

This time the response is left intact, while AES Killer has decrypted the JSON parameters in the request.


Example 04 - Specific Request and Response Parameters


The application sends encrypted parameters in JSON and also receives encrypted parameters in the JSON response body.

The AES Killer configuration for such cases is as follows:

  • Input Secret Key, IV Parameters and Host URL
  • Select Specific Response Parameters from Response Options and provide the response parameter names separated with a space
  • Select Specific Request Parameters from Request Options and provide request parameter names separated with space
  • Press Start AES Killer

If we send the request again, we'll see the decrypted request and response parameters.

AES Killer will automatically encrypt the request before sending it on to the application or server, so we can pentest it however we want.


Example 05 - Override Request and Response (Variant-01)


In this example, we have a special case where the application encrypts the whole request and then sends the encrypted string in the data parameter. Also, the application sends the encrypted string in a JSON parameter in the response body.

The AES Killer configuration for this type of scenario is as below:

  • Input Secret Key, IV Parameters and Host URL
  • Select Specific Response Parameters from Response Options, provide the response parameter name, and also select Override Complete Response Body - JSON
  • Select Specific Request Parameters from Request Options, provide the request parameter name, and also select Override Complete Request Body - Form
  • Press Start AES Killer

Send the request from the Demo App again and observe the request and response.


Example 06 - Override Request and Response (Variant-02)


In this example, the application behavior is the inverse of Example 05, as shown below.

The AES Killer configuration for this type of scenario is as below:

  • Input Secret Key, IV Parameters and Host URL
  • Select Specific Response Parameters from Response Options, provide the response parameter name, and also select Override Complete Response Body - Form
  • Select Specific Request Parameters from Request Options, provide the request parameter name, and also select Override Complete Request Body - JSON
  • Press Start AES Killer

The decrypted request and response are shown below.