Many applications will hash parameters such as ID numbers and email addresses for use in secure tokens, like session cookies. A java extension for Burp Suite, burp-hash will passively scan requests and responses looking for hashed values. Once a hashed value is found, it is compared to a table of parameters already observed in the application to find a match. The extension keeps a lookout for parameters such as usernames, email addresses, and ID numbers. It also keeps a lookout for hashes (SHA, MD5, etc). It hashes new data and compares to observed hashes. The user receives a notification if any hashes match. This automates the process of trying to guess common parameters used in the generation of hashes observed in an application.
We are pleased to announce burp-hash has been accepted for Black Hat USA Arsenal 2015.