WebAuthn CBOR Burp
WebAuthn CBOR is a Burp extension that decodes the CBOR format used by WebAuthn. WebAuthn is a W3C standard for strong user authentication. It depends on several other specifications, such as Base64url encoding, Concise Binary Object Representation (CBOR), and CBOR Object Signing and Encryption (COSE), to name a few. For more details, refer to section 3, Dependencies, of the WebAuthn specification. This Burp extension lets you view the decoded CBOR.
Installation
- Clone or download this repo.
- Compile the code: `gradle bigJar`. The compiled jar location is `build/libs/webauthn-cbor-burp-all-1.0.jar`.
- Follow the instructions to load the jar.
Environment Requirements
This extension was developed and tested with the following setup:
- JDK 11
- Gradle 7.4.2
Usage
- Intercept the WebAuthn request/response using Burp proxy.
- If the request has an `attestationObject` parameter, a new tab, `WebAuthn CBOR Decode`, will be added and the decoded CBOR format will be displayed. See the Screenshot section below.
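What sits inside an `attestationObject` value, shown as an added Python example (it is not the extension's own Java code): base64url text wraps a CBOR map, whose `authData` byte string in turn carries the RP ID hash, flags, signature counter and a COSE public key. The function names and the sample value (RP ID `example.test`, `fmt` "none") are constructed for illustration, and the decoder assumes definite-length CBOR and a base64url-encoded parameter.

```python
import base64, hashlib
def cbor_decode(buf, pos=0):
    """Decode one definite-length CBOR item; return (value, next_pos)."""
    major, arg, pos = buf[pos] >> 5, buf[pos] & 0x1F, pos + 1
    if arg >= 28:
        raise ValueError("indefinite-length/reserved encodings not handled")
    if arg >= 24:                       # argument follows in 1, 2, 4 or 8 bytes
        size = 1 << (arg - 24)
        arg, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if major in (0, 1):                 # unsigned / negative integer
        return (arg if major == 0 else -1 - arg), pos
    if major in (2, 3):                 # byte string / text string
        if pos + arg > len(buf):
            raise ValueError("string runs past end of input")
        raw = bytes(buf[pos:pos + arg])
        return (raw if major == 2 else raw.decode("utf-8")), pos + arg
    if major in (4, 5):                 # array, or map with two items per entry
        items = []
        for _ in range(arg * (major - 3)):
            item, pos = cbor_decode(buf, pos)
            items.append(item)
        return (items if major == 4 else dict(zip(items[::2], items[1::2]))), pos
    raise ValueError("tags, floats and simple values not handled")

def parse_auth_data(auth):
    """Split authenticator data: rpIdHash, flags, signCount, attested credential."""
    if len(auth) < 37:
        raise ValueError("authData shorter than its 37-byte fixed header")
    out = {"rpIdHash": auth[:32].hex(), "signCount": int.from_bytes(auth[33:37], "big"),
           "UP": bool(auth[32] & 0x01), "UV": bool(auth[32] & 0x04), "AT": bool(auth[32] & 0x40)}
    if out["AT"]:                       # attested credential data follows the header
        n = int.from_bytes(auth[53:55], "big")          # credentialIdLength
        out["aaguid"], out["credentialId"] = auth[37:53].hex(), auth[55:55 + n].hex()
        out["credentialPublicKey"], _ = cbor_decode(auth, 55 + n)   # COSE_Key map
    return out

def decode_attestation_object(value):
    """base64url text -> CBOR map, with authData expanded by parse_auth_data."""
    raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    obj, end = cbor_decode(raw)
    if end != len(raw) or not isinstance(obj, dict):
        raise ValueError("expected exactly one CBOR map")
    return {**obj, "authData": parse_auth_data(obj["authData"])}

# Constructed sample (fmt "none", RP ID example.test), not captured traffic.
_AUTH = (hashlib.sha256(b"example.test").digest() + bytes.fromhex("4500000007") + bytes(16)
         + bytes.fromhex("000401020304a5010203262001215820" + "11" * 32 + "225820" + "22" * 32))
SAMPLE = base64.urlsafe_b64encode(b"\xa3\x63fmt\x64none\x67attStmt\xa0\x68authData\x58"
                                  + bytes([len(_AUTH)]) + _AUTH).rstrip(b"=").decode()
```

Comparing `rpIdHash` against the SHA-256 of the expected RP ID and checking the `UP`/`UV` flags are the first things to look at in the decoded output when reviewing a relying party's registration handling.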
Testing
- https://webauthn.io/ has a demo application to illustrate WebAuthn request/response.
- Chrome has a WebAuthn authenticator emulator - https://developer.chrome.com/docs/devtools/webauthn/
Screenshot
attestationObject in CBOR format
Decoded View
Acknowledgement
This extension depends on various other libraries and their transitive dependencies. See build.gradle for the list of direct dependencies. Thanks to all the contributors. This Burp extension is based on https://github.com/PortSwigger/example-custom-editor-tab/tree/master/java.