CipherKit is a modular cryptographic toolkit for Burp Suite (Jython) that allows you to dynamically sign, hash, encrypt, and decrypt request payloads using built-in or custom Python algorithms.
- Inline Request Editor — Sign, hash, and encrypt/decrypt directly inside Burp's Repeater, Proxy, or Intruder tabs using the custom CipherKit panel.
- AppSetting System — Save configurations (secret, sign order, crypto parameters, and custom data overrides) per-API or per-endpoint using URL pattern matching (e.g., `/api/v3/*`).
- Auto-Rehash Session Handler — Automatically recalculate signatures and hash fields in background request pipelines (Repeater, Intruder, Scanner, etc.) using Burp Session Handling Rules.
- Key Finder — Brute-force field concatenation orders against a known signature to easily reverse-engineer API sign order schemes.
- Custom Python Snippets — Write your own hash/signature and crypto functions directly in Burp, validated and compiled on the fly.
- Prerequisite: Download the Jython standalone JAR.
- Configure Jython in Burp: Extender › Options › Python Environment and select the Jython JAR.
- Add the extension: Extender › Extensions › Add, set Type to Python, and select `HashGenBurp.py`.
Save sign-orders, custom data, and crypto keys mapped to URL patterns.
- Under the AppSetting tab, name your app and configure its shared parameters.
- Define endpoint-level sign orders and custom data (e.g. token overrides for specific endpoints like `/api/v3/pay`).
- These settings auto-load in the inline editor when you browse requests matching the URL pattern.
- Go to Project Options › Sessions › Session Handling Rules › Add.
- Under Rule Actions, add Invoke a Burp extension and select CipherKit - Auto-Rehash.
- Set the Scope to Intruder/Repeater and target URLs. Every sent request will automatically re-calculate and inject signatures.
Save Python snippets under Hash Editor. The script must define `generate(payload, passcode, custom_data=None, key_order=None)` and return the signature together with a debug string, as below.

```python
def generate(payload, passcode, custom_data=None, key_order=None):
    import hmac, hashlib
    # Order fields according to the Sign Order settings; by default every
    # field except the hash field itself is signed
    keys = key_order or [k for k in payload.keys() if k != 'hash']
    msg = "".join(str(payload.get(k, "")) for k in keys)
    # Calculate HMAC-SHA256 over the concatenated field values
    sig = hmac.new(passcode.encode(), msg.encode(), hashlib.sha256).hexdigest()
    # The second return value is free-form debug log text
    return sig, "Debug Log Info..."
```

Save Python snippets under Crypto Editor. Define encrypt and decrypt functions in the same snippet.
```python
# These names are pre-imported in the Jython compiler scope; the explicit
# imports only matter if the snippet is run outside CipherKit
from javax.crypto import Cipher
from javax.crypto.spec import SecretKeySpec, IvParameterSpec
import base64

def encrypt(plaintext, key, iv):
    # key & iv are UTF-8 strings; AES needs a 16/24/32-byte key, CBC a 16-byte IV
    secret_key = SecretKeySpec(key.encode(), 'AES')
    cipher = Cipher.getInstance('AES/CBC/PKCS5Padding')
    cipher.init(Cipher.ENCRYPT_MODE, secret_key, IvParameterSpec(iv.encode()))
    encrypted = cipher.doFinal(plaintext.encode())
    # doFinal returns a Java byte[]; convert before base64-encoding
    return base64.b64encode(bytes(bytearray(encrypted)))

def decrypt(ciphertext_b64, key, iv):
    secret_key = SecretKeySpec(key.encode(), 'AES')
    cipher = Cipher.getInstance('AES/CBC/PKCS5Padding')
    cipher.init(Cipher.DECRYPT_MODE, secret_key, IvParameterSpec(iv.encode()))
    # CBC carries no integrity check: tampered input only fails on bad padding
    decrypted = cipher.doFinal(base64.b64decode(ciphertext_b64))
    return bytearray(decrypted).decode()
```

(Note: Cipher, SecretKeySpec, IvParameterSpec, and base64 are pre-imported in the Jython compiler scope.)
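As an added example (not part of CipherKit's own code) of how the Hash Editor contract and the Key Finder feature fit together: `find_sign_order` tries every concatenation order of the signed fields against a known signature, using the same `generate` shape as the Hash Editor snippet. The payload, secret and server-side sign order are constructed for the demo, and the code is plain CPython 3 rather than Jython.

```python
import hashlib
import hmac
import itertools


def generate(payload, passcode, custom_data=None, key_order=None):
    """Hash Editor contract: concatenate field values in key_order and HMAC them."""
    keys = key_order or [k for k in payload.keys() if k != "hash"]
    msg = "".join(str(payload.get(k, "")) for k in keys)
    sig = hmac.new(passcode.encode(), msg.encode(), hashlib.sha256).hexdigest()
    return sig, "signed fields: " + ",".join(keys)


def find_sign_order(payload, passcode, known_sig):
    """What Key Finder automates: permute the signed fields (everything but
    'hash') and return the first order whose HMAC equals known_sig, else None."""
    fields = [k for k in payload if k != "hash"]
    for order in itertools.permutations(fields):
        sig, _ = generate(payload, passcode, key_order=list(order))
        if hmac.compare_digest(sig, known_sig):
            return list(order)
    return None


# Constructed sample request body, as the inline editor would see it. The
# hypothetical server signs with the order amount, currency, nonce.
SECRET = "demo-secret"
PAYLOAD = {"nonce": "8841", "amount": "1999", "currency": "USD", "hash": ""}
PAYLOAD["hash"], _ = generate(PAYLOAD, SECRET, key_order=["amount", "currency", "nonce"])

if __name__ == "__main__":
    print(find_sign_order(PAYLOAD, SECRET, PAYLOAD["hash"]))
```

With the wrong secret no order matches, which is the quickest check that the secret, not just the order, is what the AppSetting holds.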