search

srikanthramu / webauthn-cbor-burp

Burp Extension to Decode WebAuthn CBOR
Apache License 2.0
1 stars 2 forks source link

Illegal base64 character when decoding attestationObject #5

Open raulsiles opened 11 months ago

raulsiles commented 11 months ago

The WebAuthn CBOR Decode Burp extension (v1.0, 09 Dec 2022) has been installed from the BApp Store.

When a request containing an "attestationObject" attribute is intercepted, going to the "WebAuthn CBOR Decode" tab displays nothing. The reason is the extension generates a "java.lang.IllegalArgumentException: Illegal base64 character XX" exception. The error is available in the "Errors" tab for the Burp extension:

java.lang.IllegalArgumentException: Illegal base64 character 2b
    at java.base/java.util.Base64$Decoder.decode0(Base64.java:848)
    at java.base/java.util.Base64$Decoder.decode(Base64.java:566)
    at java.base/java.util.Base64$Decoder.decode(Base64.java:589)
    at burp.BurpExtender$WebAuthnCBORInputTab.setMessage(BurpExtender.java:114)
    at burp.Zfpd.setRequestResponse(Unknown Source)
    at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
    at java.base/java.lang.reflect.Method.invoke(Method.java:578)
    at burp.Zbbd.invoke(Unknown Source)
    at jdk.proxy2/jdk.proxy2.$Proxy34.setRequestResponse(Unknown Source)
    at burp.Zj4.Zw(Unknown Source)
    at burp.Zizw.ZE(Unknown Source)
    at burp.Zrg3.Zo(Unknown Source)
    at burp.Zfj6.ZX(Unknown Source)
    at burp.Zfj6.Zz(Unknown Source)
    at burp.Zdnv.ZF(Unknown Source)
    at burp.Zdnv.Za(Unknown Source)
    at burp.Zdnv.ZT(Unknown Source)
    at burp.Zdnv.lambda$configureViewControls$6(Unknown Source)
    at java.desktop/javax.swing.JTabbedPane.fireStateChanged(JTabbedPane.java:446)
    at java.desktop/javax.swing.JTabbedPane$ModelListener.stateChanged(JTabbedPane.java:297)
    at java.desktop/javax.swing.DefaultSingleSelectionModel.fireStateChanged(DefaultSingleSelectionModel.java:148)
    at java.desktop/javax.swing.DefaultSingleSelectionModel.setSelectedIndex(DefaultSingleSelectionModel.java:79)
    at java.desktop/javax.swing.JTabbedPane.setSelectedIndexImpl(JTabbedPane.java:650)
    at java.desktop/javax.swing.JTabbedPane.setSelectedIndex(JTabbedPane.java:625)
    at java.desktop/javax.swing.plaf.basic.BasicTabbedPaneUI$Handler.mousePressed(BasicTabbedPaneUI.java:4140)
    at com.formdev.flatlaf.ui.FlatTabbedPaneUI$Handler.mousePressed(FlatTabbedPaneUI.java:2697)
    at java.desktop/java.awt.AWTEventMulticaster.mousePressed(AWTEventMulticaster.java:287)
    at java.desktop/java.awt.Component.processMouseEvent(Component.java:6617)
    at java.desktop/javax.swing.JComponent.processMouseEvent(JComponent.java:3398)
    at java.desktop/java.awt.Component.processEvent(Component.java:6385)
    at java.desktop/java.awt.Container.processEvent(Container.java:2266)
    at java.desktop/java.awt.Component.dispatchEventImpl(Component.java:4995)
    at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2324)
    at java.desktop/java.awt.Component.dispatchEvent(Component.java:4827)
    at java.desktop/java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4948)
    at java.desktop/java.awt.LightweightDispatcher.processMouseEvent(Container.java:4572)
    at java.desktop/java.awt.LightweightDispatcher.dispatchEvent(Container.java:4516)
    at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2310)
    at java.desktop/java.awt.Window.dispatchEventImpl(Window.java:2780)
    at java.desktop/java.awt.Component.dispatchEvent(Component.java:4827)
    at java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:775)
    at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:720)
    at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:714)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:400)
    at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:87)
    at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:98)
    at java.desktop/java.awt.EventQueue$5.run(EventQueue.java:747)
    at java.desktop/java.awt.EventQueue$5.run(EventQueue.java:745)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:400)
    at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:87)
    at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:744)
    at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203)
    at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124)
    at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:113)
    at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:109)
    at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
    at java.desktop/java.awt.EventDispatchThread.run(EventDispatchThread.java:90)

I can privately provide the full HTTP request and/or the "attestationObject" attribute.

raulsiles commented 11 months ago

It is possible to get the error above when experimenting with Yubico's WebAuthn demo website (https://demo.yubico.com/webauthn) using Chrome. Potentially, this website is using slightly different format or responses compared to other Relying Parties (RPs).