A Burp plugin that makes pentesting of ICP Dapps a breeze.
Send modified requests with your internet identity
The following platforms are currently supported:
- macOS (Apple Silicon)
- macOS (Intel) 🧪
- Linux (x64) 🧪
- Windows (x64) 🧪
- Download the JAR from the latest release. There is only a single JAR that works with all operating systems specified under System Requirements.
- Open Burp, click on the
Extensionstab and theInstalledsubtab. In theBurp extensionssection, click theAddbutton and select the downloaded JAR. If installation was successful, the extension should be shown in the extension list and a newICtab should appear:
- Open the
Proxytab and theHTTP historysubtab. - If the history is empty click on the
Open browserbutton. - In the browser open NNS Dapp.
- In Burp make sure that binary content is not filtered, by clicking on
Filter settingsand enablingOther binary:
- Click on an ICP request that contains encoded CBOR content. In the request/response section you should find a
IC Request/IC Responsetab if the extension has correctly identified the request/response. Clicking on this tab shows the decoded content:
In order to be able to encode and decode ICP messages to/from canisters, the extension needs to know the canister interface of the recipient canister. Some canisters expose their canister interface while others don't. The interfaces can be managed by clicking on the IC tab and the IDL Management subtab:
The UI is split into three parts from left to right:
Project data management and canister selection. With the buttons at the top, the canister interface data can be written into or removed from the project file which was selected when Burp was started. All data that is not written into a project file is lost when Burp is closed.
Below the project data management buttons is a list of all canisters for which interface information is available or where interactions were detected. The buttons at the bottom allow to add additional canisters to that list or automatically try to fetch canister interface information for all/single canister(s).
IDL selection. In the middle section information about the interfaces for the canister selected in the left section are shown. Clicking on an interface reveals its content in the right section. If the canister exposes an interface the entry AUTOMATIC will be present. The Load IDL button allows to load an interface from a file which can be helpful if no interface is exposed or the exposed interface is not accurate. To change the interface which the extension uses during en/decoding, select an entry and press the Set as active button.
IDL content view. The rightmost section shows the contents of the IDL that was selected in the middle section.
The extension supports sending ICP messages from the repeater and intruder tool (see section Sending Requests). Non-anonymous messages need to be signed. For this internet identities (II) can be used. In order to sign messages with an II, a passkey must be generated and registered with the II. For this a UI is provided under the IC tab and the Internet Identity subtab:
The Add button guides through the process of adding a passkey to an existing II. Once the process is completed the anchor is permanently stored in the extension storage and is available for use in all Burp projects. It is highly recommended to create separate II(s) for testing with Burp, because if the passkey leaks, the II can be compromised.
The Remove button deletes the passkey of the selected II from the extension storage. Note that this does not remove the passkey from the II. This must be done in the II Dapp.
The Refresh IIs button checks for all IIs if the passkey that the extension has stored is still registered. If not it changes the state to Deactivated. To enable it again the Reactivate selected II button can be used which tries to add a new passkey to the selected II.
The Get delegation button generates a delegated identity for the selected II under the provided hostname. This is useful if the same identity should be used in scripts for fully automated testing. Rust sample code demonstrates how to create an identity from the generated string.
It is possible to modify captured requests and send them again. The extension will make sure that the metadata fields are properly updated and - if desired - the request is correctly signed. Currently signing is only supported for Internet Identities which need to be registered first. The process works as follows:
-
Capture some requests in the
HTTP historyas described in the Viewing Requests section. -
Right-click on a request that should be resent and select
Extensions -> IC Burp Extension -> Send to intruder/repeater
-
Open the tool to which the request was sent (Repeater in the example)
The headers in line 17-19 were added by the extension. X-Ic-Decodedis just a marker that is used to decide if a message needs to be encoded before sending (no need to change this).X-Ic-Sign-IdentityandX-Ic-Frontend-Hostnamecontrol the signing behavior: In the example the principal that is derived from the II anchor2143428under hostnamehttps://nns.ic0.appis used, i.e., the principal that this II anchor has in the NNS Dapp. The extension has selected these values because the original request was also signed by this principal. They can be changed before the request is sent, however it must be ensured that a passkey was registered for the used II anchor (see II management). If the request should not be signed, i.e., the sender should be the anonymous principal, the valueanonymouscan be used forX-Ic-Sign-Identity. Note that all three headers are removed before the message is sent to the IC. -
(Optional) Adjust the signing headers.
-
(Optional) Adjust the message. In the example the
rename_sub_accountmethod of the NNS canister is called, which renames the NNS Dapp wallet of the user to the nameMy Walletin the original request. We will inject the<h1>HTML tag into the wallet name to test if this gets rendered by the NNS Dapp frontend. -
Hit the send button and wait for the reply. In the case of a
callrequest, the extension will automatically callread_stateuntil the reply is available and provide the decoded candid response as the response body in Burp:
