{"id":30703210,"url":"https://github.com/dfinity/ic-burp-extension","last_synced_at":"2025-09-02T16:57:23.734Z","repository":{"id":249652421,"uuid":"701261435","full_name":"dfinity/ic-burp-extension","owner":"dfinity","description":null,"archived":false,"fork":false,"pushed_at":"2024-07-22T11:43:18.000Z","size":3683,"stargazers_count":4,"open_issues_count":0,"forks_count":0,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-07-22T14:13:55.799Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dfinity.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":".github/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-10-06T09:15:12.000Z","updated_at":"2024-07-22T14:14:04.272Z","dependencies_parsed_at":"2024-07-22T14:14:02.578Z","dependency_job_id":"7decdfde-b13e-4626-93d8-e9e3e4711fda","html_url":"https://github.com/dfinity/ic-burp-extension","commit_stats":null,"previous_names":["dfinity/ic-burp-extension"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/dfinity/ic-burp-extension","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dfinity%2Fic-burp-extension","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dfinity%2Fic-burp-extension/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dfinity%2Fic-burp-extension/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dfinity%2Fic-burp-extension/m
anifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dfinity","download_url":"https://codeload.github.com/dfinity/ic-burp-extension/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dfinity%2Fic-burp-extension/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":273317765,"owners_count":25084037,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-02T02:00:09.530Z","response_time":77,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-09-02T16:57:22.506Z","updated_at":"2025-09-02T16:57:23.709Z","avatar_url":"https://github.com/dfinity.png","language":"Java","readme":"# IC Burp Extension\n\nA Burp plugin that makes pentesting of [ICP](https://internetcomputer.org) Dapps a breeze.\n\n---\n\n### Table of Contents\n- [Features](#features)\n- [System Requirements](#system-requirements)\n- [Quickstart](#quickstart)\n    - [Installation](#installation)\n    - [Viewing decoded requests and responses](#viewing-decoded-requests-and-responses)\n    - [Managing canister interfaces](#managing-canister-interfaces)\n    - [Managing Internet Identities](#managing-internet-identities)\n    - [Sending requests from Intruder or Repeater](#sending-requests-from-intruder-or-repeater)\n\n## Features\n### Decode requests and responses\n![Decode requests and 
responses](pics/feature-endecode.png \"Decode requests and responses\")\n\n### Send modified requests with your [internet identity](https://identity.ic0.app)\n![Send modified requests](pics/feature-modify-request.png \"Send modified requests\")\n\n### Manage multiple internet identities\n![Manage multiple internet identities](pics/feature-ii-anchors.png \"Manage multiple internet identities\")\n\n### Manage canister interfaces with automatic discovery \u0026 manual import\n![Manage canister interfaces](pics/feature-canister-idls.png \"Manage canister interfaces\")\n\n## System Requirements\nThe following platforms are currently supported:\n- macOS (Apple Silicon)\n- macOS (Intel) :test_tube:\n- Linux (x64) :test_tube:\n- Windows (x64) :test_tube:\n\n## Quickstart\n\n### Installation\n1. Download the JAR from the latest [release](https://github.com/dfinity/ic-burp-extension/releases). There is only a single JAR that works with all operating systems specified under [System Requirements](#system-requirements).\n2. Open Burp, click on the `Extensions` tab and the `Installed` subtab. In the `Burp extensions` section, click the `Add` button and select the downloaded JAR. If installation was successful, the extension should be shown in the extension list and a new `IC` tab should appear:\n![Successful extension installation](pics/quickstart-installation-extension-install-success.png \"Successful extension installation\")\n\n### Viewing decoded requests and responses\n1. Open the `Proxy` tab and the `HTTP history` subtab.\n2. If the history is empty click on the `Open browser` button.\n3. In the browser open [NNS Dapp](https://nns.ic0.app).\n4. In Burp make sure that binary content is not filtered, by clicking on `Filter settings` and enabling `Other binary`:\n![HTTP History - Enable binary content](pics/quickstart-endecode-http-history-filter.png \"HTTP History - Enable binary content\")\n5. Click on an ICP request that contains encoded CBOR content. 
In the request/response section you should find an `IC Request`/`IC Response` tab if the extension has correctly identified the request/response. Clicking on this tab shows the decoded content:\n![View decoded request/response](pics/quickstart-endecode-req-resp-view.png \"View decoded request/response\")\n\n### Managing canister interfaces\nIn order to be able to encode and decode ICP messages to/from canisters, the extension needs to know the canister interface of the recipient canister. Some canisters expose their canister interface while others don't. The interfaces can be managed by clicking on the `IC` tab and the `IDL Management` subtab:\n\n![IDL Management UI](pics/quickstart-idl-management.png \"IDL Management UI\")\n\nThe UI is split into three parts from left to right:\n\n**Project data management and canister selection.** With the buttons at the top, the canister interface data can be written into or removed from the project file which was selected when Burp was started. All data that is not written into a project file is lost when Burp is closed.\n\nBelow the project data management buttons is a list of all canisters for which interface information is available or where interactions were detected. The buttons at the bottom allow you to add additional canisters to that list or to automatically try to fetch canister interface information for all canisters or a single canister.\n\n**IDL selection.** In the middle section, information about the interfaces for the canister selected in the left section is shown. Clicking on an interface reveals its content in the right section. If the canister exposes an interface the entry `AUTOMATIC` will be present. The `Load IDL` button allows you to load an interface from a file, which can be helpful if no interface is exposed or the exposed interface is not accurate. 
To change the interface which the extension uses during en/decoding, select an entry and press the `Set as active` button.\n\n**IDL content view.** The rightmost section shows the contents of the IDL that was selected in the middle section.\n\n### Managing Internet Identities\nThe extension supports sending ICP messages from the repeater and intruder tool (see section [Sending Requests](#sending-requests-from-intruder-or-repeater)). Non-anonymous messages need to be signed. For this internet identities (II) can be used. In order to sign messages with an II, a passkey must be generated and registered with the II. For this a UI is provided under the `IC` tab and the `Internet Identity` subtab:\n\n![II Management UI](pics/quickstart-ii-management.png \"II Management UI\")\n\nThe `Add` button guides through the process of adding a passkey to an existing II. Once the process is completed the anchor is permanently stored in the extension storage and is available for use in all Burp projects. It is highly recommended to create separate II(s) for testing with Burp, because if the passkey leaks, the II can be compromised.\n\nThe `Remove` button deletes the passkey of the selected II from the extension storage. Note that this does not remove the passkey from the II. This must be done in the [II Dapp](https://identity.ic0.app).\n\nThe `Refresh IIs` button checks for all IIs if the passkey that the extension has stored is still registered. If not it changes the state to `Deactivated`. To enable it again the `Reactivate selected II` button can be used which tries to add a new passkey to the selected II.\n\nThe `Get delegation` button generates a delegated identity for the selected II under the provided hostname. This is useful if the same identity should be used in scripts for fully automated testing. 
[Rust sample code](https://gist.github.com/tmu0/3c31a7064e9a5d9d326a473025727a49) demonstrates how to create an identity from the generated string.\n\n\n### Sending requests from Intruder or Repeater\nIt is possible to modify captured requests and send them again. The extension will make sure that the metadata fields are properly updated and - if desired - the request is correctly signed. Currently signing is only supported for Internet Identities which need to be [registered first](#managing-internet-identities).\nThe process works as follows:\n1. Capture some requests in the `HTTP history` as described in the [Viewing Requests](#viewing-decoded-requests-and-responses) section.\n\n2. Right-click on a request that should be resent and select `Extensions -\u003e IC Burp Extension -\u003e Send to intruder/repeater`\n![Send to Tool](pics/quickstart-sending-requests-send-to-tool.png \"Send to Tool\")\n\n3. Open the tool to which the request was sent (Repeater in the example)\n![Request in Repeater](pics/quickstart-sending-requests-repeater-prepare.png)\nThe headers in line 17-19 were added by the extension. `X-Ic-Decoded` is just a marker that is used to decide if a message needs to be encoded before sending (no need to change this). `X-Ic-Sign-Identity` and `X-Ic-Frontend-Hostname` control the signing behavior: In the example the principal that is derived from the II anchor `2143428` under hostname `https://nns.ic0.app` is used, i.e., the principal that this II anchor has in the NNS Dapp. The extension has selected these values because the original request was also signed by this principal. They can be changed before the request is sent, however it must be ensured that a passkey was registered for the used II anchor (see [II management](#managing-internet-identities)). If the request should not be signed, i.e., the sender should be the anonymous principal, the value `anonymous` can be used for `X-Ic-Sign-Identity`. 
Note that all three headers are removed before the message is sent to the IC.\n\n4. (Optional) Adjust the signing headers.\n5. (Optional) Adjust the message. In the example the `rename_sub_account` method of the NNS canister is called, which renames the NNS Dapp wallet of the user to the name `My Wallet` in the original request. We will inject the `\u003ch1\u003e` HTML tag into the wallet name to test if this gets rendered by the NNS Dapp frontend.\n6. Hit the send button and wait for the reply. In the case of a `call` request, the extension will automatically call `read_state` until the reply is available and provide the decoded candid response as the response body in Burp:\n![Request and Response in Repeater](pics/quickstart-sending-requests-repeater-send.png \"Request and Response in Repeater\")","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdfinity%2Fic-burp-extension","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdfinity%2Fic-burp-extension","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdfinity%2Fic-burp-extension/lists"}