Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/srikanthramu/webauthn-cbor-burp
Burp Extension to Decode WebAuthn CBOR
Last synced: 2 months ago
Burp Extension to Decode WebAuthn CBOR
- Host: GitHub
- URL: https://github.com/srikanthramu/webauthn-cbor-burp
- Owner: srikanthramu
- License: apache-2.0
- Created: 2022-06-25T07:06:41.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2022-07-05T06:52:48.000Z (over 2 years ago)
- Last Synced: 2024-08-04T00:04:26.316Z (6 months ago)
- Language: Java
- Size: 585 KB
- Stars: 1
- Watchers: 1
- Forks: 2
- Open Issues: 5
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-burp-extensions - WebAuthn CBOR Decoder - WebAuthn CBOR is a Burp Extension to decode WebAuthn CBOR format. WebAuthn is a W3C Standard to support strong authentication of users. (Custom Features)
README
# WebAuthn CBOR Burp
WebAuthn CBOR is a Burp Extension to decode WebAuthn CBOR format. [WebAuthn](https://www.w3.org/TR/webauthn-2/) is a W3C Standard to support strong authentication of users. WebAuthn depends on several other specifications, such as Base64url encoding, Concise Binary Object Representation (CBOR), and CBOR Object Signing and Encryption (COSE), to name a few. For more details, refer to [3. Dependencies](https://www.w3.org/TR/webauthn-2/#sctn-dependencies). This Burp extension lets you view the decoded [CBOR format](https://www.rfc-editor.org/info/rfc8949).

# Installation
1. Clone or download this repo.
2. Compile the code: `gradle bigJar`. The compiled jar location is `build/libs/webauthn-cbor-burp-all-1.0.jar`
3. [Follow the instructions](https://portswigger.net/burp/documentation/desktop/tools/extender#installing-an-extension-from-a-file) to load the jar.

## Environment Requirements
This extension was developed and tested with the following setup:
1. JDK 11
2. Gradle 7.4.2

# Usage
* Intercept the WebAuthn request/response using Burp proxy
* If the request has an `attestationObject` parameter, a new tab, `WebAuthn CBOR Decode`, is added and the decoded CBOR is displayed. See the **Screenshot** section below.

## Testing
* https://webauthn.io/ has a demo application to illustrate WebAuthn request/response.
* Chrome has a WebAuthn authenticator emulator: https://developer.chrome.com/docs/devtools/webauthn/

## Screenshot
### attestationObject in CBOR format
![](images/webauthn-cbor-data.png)

### Decoded View
![](images/webauthn-cbor-decode.png)

## Acknowledgement
This extension depends on various other libraries and their transitive dependencies. See *build.gradle* for the list of direct dependencies. Thanks to all the contributors. This Burp Extension is based on https://github.com/PortSwigger/example-custom-editor-tab/tree/master/java.

## References
* https://fidoalliance.org/fido2-2/fido2-web-authentication-webauthn/
* https://webauthn.guide/
* https://webauthn.io/
* https://cbor.io/
* https://portswigger.net/burp/documentation/desktop/tools/extender