Burp HMAC Authentication for HTTP Requests
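# Description: This script adds HMAC authentication headers to an HTTP request.
# Title: HMAC Authentication for HTTP Requests
#
# Meant to run inside Burp Suite's Python Scripter (Jython 2.x), which
# injects ``messageIsRequest``, ``helpers`` and ``messageInfo`` as globals
# before executing this file. The signing steps are split into small pure
# helpers so they can be imported and unit-tested outside Burp as well.
import sys
import time
import uuid
import hashlib
import hmac
import base64
import re
import json
import unicodedata
from datetime import datetime
import urllib

# Replace 'apiID' and 'apiKey' with your actual API credentials.
# NOTE(review): the key is a secret; if this file is shared or committed,
# load it from somewhere outside the script rather than leaving it here.
apiID = 'your_api_id_here'
apiKey = 'your_api_key_here'  # base64-encoded HMAC secret, decoded before use


def _to_bytes(value):
    """Return *value* as bytes: text is UTF-8 encoded, bytes pass through.

    Under Jython 2 the request body from ``tostring()`` is already a byte
    ``str``; re-encoding it would fail on non-ASCII bytes, which is why the
    isinstance check comes first.
    """
    if isinstance(value, bytes):
        return value
    return value.encode('utf-8')


def _encode_url(url):
    """Percent-encode *url* with no safe characters and upper-case it.

    Args:
        url: the request URL as text.

    Returns:
        The encoded, upper-cased string that is placed in the signed message.
    """
    try:
        from urllib import quote  # Python 2 / Jython (Burp)
    except ImportError:
        from urllib.parse import quote  # Python 3
    return quote(url, safe='').upper()


def _content_hash(method, body):
    """Return the base64-encoded MD5 of *body*, or '' for GET requests.

    CRLF line endings are folded to LF before hashing so the fingerprint does
    not depend on how the client serialised the body. MD5 is kept because the
    value only fingerprints the body underneath the SHA-256 HMAC; presumably
    the server verifies exactly this digest, so change it only together with
    the server side.

    Args:
        method: HTTP method, e.g. 'POST'.
        body: request body as text or bytes.
    """
    if method == 'GET':
        return ''
    normalized = _to_bytes(body).replace(b'\r\n', b'\n')
    return base64.b64encode(hashlib.md5(normalized).digest()).decode('ascii')


def _build_auth_header(api_id, api_key_b64, method, url, body,
                       timestamp=None, salt=None):
    """Build the value of the ``Authorization: hmacauth`` header.

    The signed message is ``apiID:METHOD:URL:timestamp:salt:contentHash``
    and the header carries ``apiID:signature:salt:timestamp`` so the server
    can recompute the HMAC from what it received.

    Args:
        api_id: public API identifier.
        api_key_b64: base64-encoded HMAC secret.
        method: HTTP method, e.g. 'POST'.
        url: request URL as text (encoded by ``_encode_url``).
        body: request body as text or bytes.
        timestamp: Unix time as a decimal string; defaults to now.
        salt: per-request nonce; defaults to a fresh UUID4.

    Returns:
        ``(header_value, signed_message)`` as two text strings; the message
        is returned so callers can log what was signed.

    Raises:
        binascii.Error (Python 3) / TypeError (Python 2) when *api_key_b64*
        is not valid base64.
    """
    if timestamp is None:
        timestamp = str(int(time.time()))
    if salt is None:
        salt = str(uuid.uuid4())
    message = "{0}:{1}:{2}:{3}:{4}:{5}".format(
        api_id, method, _encode_url(url), timestamp, salt,
        _content_hash(method, body))
    secret_key_bytes = base64.b64decode(api_key_b64)
    digest = hmac.new(secret_key_bytes, msg=_to_bytes(message),
                      digestmod=hashlib.sha256).digest()
    signature = base64.b64encode(digest).decode('ascii')
    header_value = "{0}:{1}:{2}:{3}".format(api_id, signature, salt, timestamp)
    return header_value, message


# Outside Burp (e.g. a unit test importing the helpers above) the injected
# globals do not exist; treat that as "nothing to do" instead of failing at
# import time. Inside Burp the name is already bound and this is a no-op.
try:
    messageIsRequest
except NameError:
    messageIsRequest = False

# Check if the message is a request
if messageIsRequest:
    print('########################################################################')
    if apiKey == 'your_api_key_here':
        # Fail early with a readable error instead of a base64 padding error.
        raise ValueError('apiID/apiKey are still placeholders; set real credentials first')
    # Analyze the HTTP request
    request = helpers.analyzeRequest(messageInfo)
    headers = request.getHeaders()
    method = request.getMethod()
    # The original signed over an undefined ``url_base``; the analyzed
    # request's URL is the only URL available here.
    # NOTE(review): confirm which URL form the server signs over (full URL
    # including query, or a base without it).
    url_base = str(request.getUrl())
    # Extract the message body from the request
    msg = messageInfo.getRequest()[request.getBodyOffset():].tostring()
    newHeaderValue, message = _build_auth_header(apiID, apiKey, method, url_base, msg)
    print(message)
    print(newHeaderValue)
    # Add the HMAC authentication header and rebuild the request
    headers.add('Authorization: hmacauth {0}'.format(newHeaderValue))
    new_request = helpers.buildHttpMessage(headers, msg)
    messageInfo.setRequest(new_request)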