A Burp Suite Jython extension to encrypt/decrypt AES payloads directly inside Burp.
- 🔑 AES Key & IV input (hex or text)
- ⚙️ Modes: CBC / ECB
- 📝 Encrypt / Decrypt / Swap buttons
- 📜 Right-click: Encrypt request / Decrypt response
- 📦 Output in Base64
- Install Jython (2.7+)
- In Burp:
Extender → Options → Python Environment → Jython jarExtender → Extensions → Add → Python → burp_aes_extension.py
- Tab AES Helper will appear ✅
- Enter AES Key (16/24/32 bytes) & IV (for CBC)
- Paste plaintext/Base64 → Encrypt/Decrypt
- Use Swap to move output back
- Right-click requests/responses → AES Encrypt/Decrypt
- TIPS : remove length 16, 24 for better result to find IV and AES Key in javascript file
(function () {
const seen = new Set(); // track unique strings
const validLengths = new Set([16, 24, 32]);
function scanScript(code, sourceName) {
const lines = code.split(/\r?\n/);
const regex = /"((?:\\.|[^"\\])*)"/g; // match only double-quoted strings
lines.forEach((line, idx) => {
for (const match of line.matchAll(regex)) {
const raw = match[1];
const value = raw
.replace(/\\n/g, '\n')
.replace(/\\r/g, '\r')
.replace(/\\t/g, '\t')
.replace(/\\"/g, '"')
.replace(/\\\\/g, '\\');
if (validLengths.has(value.length) && !seen.has(value)) {
seen.add(value);
console.log(`${sourceName}:${idx + 1}: "${value}" (length=${value.length})`);
}
}
});
}
document.querySelectorAll("script").forEach((s, i) => {
if (s.src) {
// external script (blocked if CORS not allowed)
fetch(s.src).then(r => r.text()).then(code => {
scanScript(code, s.src);
}).catch(() => {
console.warn("Skipped (CORS blocked):", s.src);
});
} else if (s.textContent.trim()) {
scanScript(s.textContent, `inline-script-${i+1}`);
}
});
})();