Lately we had to analyze QR-Codes in a pentest. Those held some random data which was used as a token for login and we wanted to know if that data was really random.
If you ever worked with the Burp Suite you may know the Burp Sequencer, which offers some statistical analysis regarding the randomness of tokens which appear in requests (you just have to tell Burp what or where the token is). In our case the QR-Code was delivered as an inline-image in HTML to the browser, like this:
So we didn’t have a chance to call an URL to directly download the QR-Code as a png-image. We needed to process that inline-image. For that purpose I wrote two Python scripts, one for processing the Burp-export and one for actually reading the QR-Code.
I’ll go a bit into detail what the scripts are doing:
Input: The Burp-export from the Sequencer, which holds responses with QR-Codes.
Output: Base64-encoded images, one per line, as a textfile.
Burp encodes the HTML-Response in Base64 in its export, so we need to decode them first. When you open up a Burp-export, you will notice it’s written in XML. You could use some XML-Library to travel through that file or, just as I did, use a regular expression to find the encoded response. Afterwards we will just decode it and then use another regular expression to find the inline-QR-Code.
Note: if you want to use that script, you should adjust the regular expressions to your needs…
Input: Base64-encoded images, one per line, as a textfile. (= output from first script)
Output: Text encoded in the QR-Code, one per line, as a texfile.
This script reads each Base64-encoded image, decodes it to binary and then decodes the containing QR-Code using qrtools.
With those we were able to process about 20k requests in 1-2 minutes and get the contents of the QR-Codes. Those were imported into Burp’s Sequencer to analyze their randomness.
Oh, and if you ever happen to quickly need to encode an image (or any other binary) in Base64, here is a Python 3-liner:
>>> import base64
>>> file = open("path/to/image/troopers.png", "r")
>>> print base64.b64encode(file.read())
Happy Holidays to everyone!