burp-hash

Passively scan for hashed values with Burp Suite

Many applications hash parameters such as ID numbers and email addresses for use in secure tokens, like session cookies. burp-hash, a Java extension for Burp Suite, passively scans requests and responses looking for hashed values. Once a hashed value is found, it is compared to a table of parameters already observed in the application to find a match. The extension watches for parameters such as usernames, email addresses, and ID numbers, and for hashes (SHA, MD5, etc.). It hashes new data and compares the results to observed hashes. The user receives a notification if any hashes match. This automates the process of guessing which common parameters were used to generate the hashes observed in an application.
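The matching loop described above, as an added Python example; it is not burp-hash's own code (the extension is written in Java). The class, regexes, algorithm subset and sample traffic are assumptions constructed for illustration, and the point it shows is that a token which is a bare hash of an observable parameter can be tied back to its source in either order of arrival.

```python
import hashlib
import re
from urllib.parse import unquote

# Hex digest length -> algorithm (a subset chosen for this example).
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
HEX_RUN = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32,128}(?![0-9a-fA-F])")
PARAM = re.compile(r"(?:^|[?&;\s])([A-Za-z_][\w.-]*)=([^&;\s]+)")


class HashMatcher:
    """Tracks parameter values and hash-like tokens across messages."""

    def __init__(self):
        self.digests = {}     # hex digest -> (algorithm, parameter name, value)
        self.pending = set()  # hash-like tokens not yet explained

    def observe(self, message):
        """Process one request or response; return newly explained tokens."""
        for name, raw in PARAM.findall(message):
            value = unquote(raw)
            if HEX_RUN.fullmatch(value):
                continue  # looks like a digest itself, not a source value
            for algo in ALGO_BY_HEX_LEN.values():
                digest = hashlib.new(algo, value.encode()).hexdigest()
                self.digests.setdefault(digest, (algo, name, value))
        for token in HEX_RUN.findall(message):
            if len(token) in ALGO_BY_HEX_LEN:
                self.pending.add(token.lower())
        # Match in both directions: a token may appear before or after its source.
        hits = sorted(self.pending.intersection(self.digests))
        self.pending.difference_update(hits)
        return [(t,) + self.digests[t] for t in hits]


def scan(messages):
    """Run a fresh matcher over an ordered list of raw HTTP messages."""
    matcher = HashMatcher()
    return [hit for m in messages for hit in matcher.observe(m)]


# Constructed sample traffic: the session cookie is an unsalted MD5 of the email.
SAMPLE = [
    "POST /login HTTP/1.1\r\nHost: app.example\r\n\r\nuser=alice&email=alice%40example.com",
    "HTTP/1.1 200 OK\r\nSet-Cookie: session="
    + hashlib.md5(b"alice@example.com").hexdigest() + "; Path=/\r\n\r\n",
]

if __name__ == "__main__":
    for token, algo, name, value in scan(SAMPLE):
        print(f"{token} = {algo}({name}={value!r})")
```

A token that still sits in `pending` after a full session was not a plain digest of any observed value under these algorithms, which is the property a keyed or random session token should have.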


See us at Black Hat

We are pleased to announce burp-hash has been accepted for Black Hat USA Arsenal 2015.
