Burp plugin for the 1Password session protocol for use by security researchers. https://bugcrowd.com/agilebits

Overview

1Password session analyzer plugin for Burp Suite

This repository contains a Burp plugin that adds a special message editor view to Burp to analyze and edit requests made to 1Password.com.

What is this for?

As we say in our bounty brief, 1Password is not your regular web application. The first time security researchers open their HTTP proxy of choice when testing 1Password.com, they soon notice that this does not look like a regular web app at all. Rather than regular HTML or JSON, the server returns opaque blobs of content. When the 1Password.com web app sends a payload to the server, it is also an opaque blob, and any request you tamper with in the slightest returns an error.

This behavior is the result of the security features of 1Password.com. We require every request and response that is specific to a 1Password account to be protected by the account's master password and secret key, which means every bit of data that gets sent is encrypted, and every request is authenticated.

Nice, but this makes bug hunting really hard!

It does! Using common tools to find security bugs on web applications really does not work well on 1Password.com. If you want to do any sort of legitimate inspection of 1Password.com - while fully knowing the master password and secret key for your account - you'll need some extra tools.

In order to make bug hunting with 1Password.com a lot easier, we are publishing this Burp plugin to help you analyze and modify requests sent between the 1Password.com web application and server as long as you have a valid session key. The next section dives into how session management with 1Password.com works.

Encrypting payloads

At 1Password we want to make one thing very sure: no one should be able to access your data, without your master password and secret key. That applies to the vault data stored on your computer or phone, and to the data that we store on our servers. It also applies to any network infrastructure that sits between you and the 1Password servers. Proxy servers sitting between you and 1Password.com should not be able to see what you do with your 1Password account, even if they manage to break TLS.

Therefore, when you log in to 1Password.com or any of the 1Password apps, we use a Password Authenticated Key Exchange (PAKE) to derive what we call a session key. At this time, we use a modified version of the Secure Remote Password Protocol (SRP) as our PAKE. This derived session key is used to add an additional layer of encryption on top of the TLS we use for all requests.

Our APIs are all JSON-based, and all JSON payloads are encrypted using (at the time of writing) an AES256 GCM based cipher. This is wrapped in another JSON payload, which is the blob being sent to and received from 1Password.com. Since the session key derives directly from your master password and secret key, having access to the session key is equivalent to knowing your master password and secret key.

Session management overview

Authenticating requests

Once you are able to successfully encrypt and decrypt messages with the session key, you'll soon notice that whenever you modify your message the server still rejects your requests. What is going on?

There is a separate mechanism protecting requests, the request MAC. Every request 1Password clients send to the server includes a request header named X-Agilebits-Request-MAC, which is of the form v1|25|8MPu848dH2kKdVRa. The three components of this request MAC are a version indicator (always v1 right now), an incrementing request identifier, and a truncated message authentication code of 12 bytes encoded as base64.

The request MAC ensures that certain properties of the request can only be generated by a client. Since the request MAC carries a counter of which request was made to the server, which the server verifies, it prevents replaying encrypted messages. As an aside, this also categorically prevents cross-site request forgery, as making any request to your account requires some access to the session key locally.

The request MAC value is derived using the following process:

authString := sessionId || "|" || requestMethod || "|" || url || versionIndicator || requestId
derivationKey := HMAC(sessionKey, "He never wears a Mac, in the pouring rain. Very strange.")
mac := HMAC(authString, derivationKey)
headerValue := base64url(mac[0:12])

The HMAC algorithm currently used for v1 is HMAC-SHA256.
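The derivation above carried through as a worked example, with a server-side check added for the replay-protection property described earlier. This is added example code, not the plugin's own implementation; it transcribes the page's pseudocode literally (including where separators appear after the url), reads HMAC(x, y) as "x is the key" for the derivation step and "derivationKey is the key" for the final step, and uses constructed session values.

```python
import base64
import hashlib
import hmac

# Derivation string as given in the pseudocode on this page.
DERIVATION_SALT = b"He never wears a Mac, in the pouring rain. Very strange."


def derive_mac_key(session_key: bytes) -> bytes:
    """derivationKey := HMAC-SHA256(key=sessionKey, msg=DERIVATION_SALT)."""
    return hmac.new(session_key, DERIVATION_SALT, hashlib.sha256).digest()


def build_auth_string(session_id: str, method: str, url: str,
                      request_id: int, version: str = "v1") -> bytes:
    # Literal transcription of the page's concatenation:
    # sessionId || "|" || method || "|" || url || versionIndicator || requestId
    # (separator placement after the url is an assumption taken from that line).
    return f"{session_id}|{method}|{url}{version}{request_id}".encode()


def request_mac_header(session_key: bytes, session_id: str, method: str,
                       url: str, request_id: int, version: str = "v1") -> str:
    """Client side: produce the X-Agilebits-Request-MAC value, e.g. v1|25|<16 chars>."""
    mac = hmac.new(derive_mac_key(session_key),
                   build_auth_string(session_id, method, url, request_id, version),
                   hashlib.sha256).digest()
    # 12 bytes is a multiple of 3, so base64url needs no padding: exactly 16 characters.
    tag = base64.urlsafe_b64encode(mac[:12]).decode("ascii")
    return f"{version}|{request_id}|{tag}"


def verify_request_mac(session_key: bytes, session_id: str, method: str, url: str,
                       header: str, last_seen_id: int) -> bool:
    """Server side: reject malformed, unknown-version, replayed or tampered requests."""
    parts = header.split("|")
    if len(parts) != 3 or parts[0] != "v1" or not parts[1].isdigit():
        return False
    request_id = int(parts[1])
    if request_id <= last_seen_id:  # counter must strictly increase: blocks replay
        return False
    expected = request_mac_header(session_key, session_id, method, url, request_id)
    return hmac.compare_digest(expected, header)  # constant-time comparison


if __name__ == "__main__":
    # Constructed sample values, not a real 1Password session.
    key, sid, url = bytes(range(32)), "EXAMPLESESSION", "https://example.invalid/api/v1/sample"
    hdr = request_mac_header(key, sid, "GET", url, 25)
    print(hdr, verify_request_mac(key, sid, "GET", url, hdr, 24))
```

Changing the method, the url, the session key or the counter changes or invalidates the tag, which is why a request edited in Burp without recomputing this header is rejected.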

Using this plugin

The Burp plugin works with Burp's message editor and contains its own custom implementation of 1Password.com's session management protocol. You activate it by loading the JAR file in Burp's extender tab, like any other Burp plugin.

When activated, it provides a number of inputs, such as an input for the original HTTP message, and an input for the decrypted payload (if present). It also provides a way to edit the request identifier, the key identifier and the session key itself. Inputting the correct session key will automatically decrypt the message and allow you to inspect and modify payloads and requests.

Please note: The Burp plugin contains automatic detection of 1Password session data. It's only available on sessions with 1Password.com, and cannot be activated on sessions that don't contain 1Password session data.

Example screenshot of the plugin

Since this Burp plugin is for the Burp message editor, it can be used only in the following places in Burp:

  • Proxy -> Intercept
  • Proxy -> HTTP history
  • Repeater

How do I obtain the session key?

You might wonder how you obtain the session key from your session on 1Password.com. Here we are going to ask you to do a little homework yourself. You will probably understand that we cannot provide a stable way of getting access to your own session key, but you can probably find the session key yourself by knowing that we use standard JavaScript APIs to do the encryption in the 1Password frontend.

How to build yourself

Make sure to install Java 15 on your computer. On a Mac with Homebrew, run:

brew tap AdoptOpenJDK/openjdk
brew install adoptopenjdk15

./gradlew fatJar builds this plugin and puts the resulting JAR file in build/libs.

How to debug

To be able to connect a Java debugger to your Burp plugin, you must manually start Burp from your command line. On a Mac, run:

java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address='*:5005' -jar /Applications/Burp\ Suite\ Community\ Edition.app/Contents/java/app/burpsuite_community.jar

You can now connect your debugger on local port 5005. For example, in IntelliJ IDEA you can add a Remote JVM debugger configuration with the following command line configured: -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005

How to test

Run the tests using ./gradlew test. The test output results are in build/test-results.

Comments
  • Maintenance and fixes for release action

    I noticed two issues with the release action in this repository

    • The method to build a jar with all dependencies wasn't working after the Gradle 7 migration, breaking the release artifacts
    • The release action used GitHub actions that threw deprecation warnings
    • We were still on an old version of the Gradle wrapper which made builds slightly slower and noisy

    This PR addresses all.

    opened by DCKcode 0
  • Maintenance: update Java version and update/remove dependencies

    I'm using this PR to merge a few maintenance tasks. What this MR does:

    • Updates the Java version from the unsupported 15 to Java 17 LTS, where it can stay unchanged for longer. Updates are in the readme as well as the GitHub Action that builds a release.
    • Do some plumbing in Gradle to use the latest version there also.
    • Updates the few dependencies we have to the latest version.
    • Removes a dependency I used for a functional programming construct that I replaced with a home made utility class.

    These changes are all lightly intertwined so I figured I'd bundle them in a single PR .

    opened by DCKcode 0
Releases: release-2022-10-28

Owner: 1Password
1Password remembers all your passwords for you. It keeps your digital life secure and always available, safe behind the one password that only you know.