Real world - ngduyquockhanh/JScriptor GitHub Wiki
Version < 2.02
Working with an encrypted API
When I do penetration testing for a mobile API, I see an API with encrypted data in the request and encrypted data in the response, like:
With the mobile app, I can hook it to get the AES key. key = "keyaes" and the raw data is: {"data":"1"}
To speed up my work, I created the JScriptor extension to automatically encrypt data before the request is sent and automatically decrypt the response when it returns.
I import CryptoJS into Setting Library and write the scripts:
https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9/crypto-js.min.js
pre_script:
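```javascript
// AES passphrase recovered by hooking the mobile app
var key = "keyaes";
// Read the outgoing request body and parse it as JSON
var body = jsrequest.bodyToString();
var json_body = JSON.parse(body);
// Encrypt the cleartext "data" field (CryptoJS passphrase mode, base64 output)
var encrypt_data = CryptoJS.AES.encrypt(json_body.data, key).toString();
json_body.data = encrypt_data;
var new_raw_body = JSON.stringify(json_body);
// Replace the request body with the encrypted version
jsresult.request = jsrequest.withBody(new_raw_body);
jsresult;
```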
post_script:
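```javascript
// Same passphrase as in pre_script
var key = "keyaes";
// Read the response body and parse it as JSON
var body = jsresponse.bodyToString();
var json_body = JSON.parse(body);
var encrypt_data = json_body.data;
// Decrypt the "data" field and decode the result as UTF-8 text
var cleartext_data = CryptoJS.AES.decrypt(encrypt_data, key).toString(CryptoJS.enc.Utf8);
json_body.data = cleartext_data;
var new_raw_body = JSON.stringify(json_body);
// Replace the response body with the cleartext version
jsresult.response = jsresponse.withBody(new_raw_body);
jsresult;
```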
It works! And I can change the value to pentest.
With JScriptor, I can use Intruder or Scanner to test it.