
Passkey Raider is a Burp Suite extension designed to facilitate comprehensive testing of Passkey systems. It offers three core functionalities:
- Decode and encode Passkey data in HTTP requests.
- Automatically replace the public key in Passkey registration flows with a generated public key.
- Automatically sign data in Passkey authentication flows using a generated private key.
Features
- Regex Support: extract Passkey components (clientDataJSON, attestationObject, authenticatorData, and signature) from HTTP requests.
- Encoding Support: handle the following formats:
  - URL-encoded
  - Base64
  - Base64URL
- Passkey Data Type Support:
  - clientDataJSON
  - attestationObject
  - authenticatorData
  - Attestation Statement (None, AndroidKey, AndroidSafetyNet, AppleAnonymous, FIDOU2F, Packed, TPM)
- Key Pair Generation: generate key pairs using algorithms such as RS256, ES256, RS1, EdDSA, RS384, RS512, ES384, and ES512.
- Automation:
  - Automatically replace the public key during Passkey registration flows.
  - Automatically sign data in Passkey authentication flows.
- Project Integration: save and load settings directly in the Burp Suite project file.
- Request Highlighting: identify and highlight Passkey registration and authentication requests in Burp Suite's Proxy tool.
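The fields the extension decodes and rewrites during a registration flow are the same ones a relying party must check on the way back in. The following Python is an added example, not code from Passkey Raider: it takes the authenticatorData already extracted from an attestationObject (the extension's regex and decoding step), parses it including the CBOR-encoded COSE public key that the "replace public key" feature swaps out, maps the COSE algorithm identifier onto the algorithm names listed above, and applies the server-side checks that would reject a substituted key whose algorithm is not on the allow list or a request whose challenge or origin does not match. It does not verify an attestation statement. The RP ID `example.com`, the challenge, the credential ID and the key coordinates are all constructed for the example.

```python
import base64
import hashlib
import json
import struct

# COSE algorithm identifiers (IANA COSE registry) for the key types listed above.
COSE_ALGS = {-7: "ES256", -35: "ES384", -36: "ES512", -8: "EdDSA",
             -257: "RS256", -258: "RS384", -259: "RS512", -65535: "RS1"}
FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40  # authenticatorData flag bits


def b64url_decode(s: str) -> bytes:
    """WebAuthn JSON carries unpadded base64url; restore padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def cbor_decode(buf: bytes, pos: int = 0):
    """Minimal CBOR decoder for what a COSE key needs: ints, byte/text strings and
    maps. No floats, tags or indefinite lengths. Returns (value, next_pos)."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info == 24:
        arg, pos = buf[pos], pos + 1
    elif info == 25:
        arg, pos = struct.unpack(">H", buf[pos:pos + 2])[0], pos + 2
    else:
        raise ValueError("unsupported CBOR length encoding")
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major in (2, 3):
        chunk = buf[pos:pos + arg]
        return (chunk if major == 2 else chunk.decode("utf-8")), pos + arg
    if major == 5:
        out = {}
        for _ in range(arg):
            k, pos = cbor_decode(buf, pos)
            out[k], pos = cbor_decode(buf, pos)
        return out, pos
    raise ValueError(f"unsupported CBOR major type {major}")


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Layout: rpIdHash (32) | flags (1) | signCount (4) | when AT is set:
    AAGUID (16) | credentialIdLength (2) | credentialId | COSE public key (CBOR)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    flags = auth_data[32]
    parsed = {"rpIdHash": auth_data[:32], "UP": bool(flags & FLAG_UP),
              "UV": bool(flags & FLAG_UV),
              "signCount": struct.unpack(">I", auth_data[33:37])[0]}
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        (cred_len,) = struct.unpack(">H", auth_data[53:55])
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credentialId truncated")
        parsed["aaguid"] = auth_data[37:53]
        parsed["credentialId"] = cred_id
        parsed["cosePublicKey"], _ = cbor_decode(auth_data, 55 + cred_len)
    return parsed


def check_registration(client_data_json: bytes, auth_data: bytes, rp_id: str,
                       origin: str, challenge: bytes, allowed=("ES256", "RS256")) -> dict:
    """Relying-party checks before a registered key is trusted: clientDataJSON binds
    type/challenge/origin; authenticatorData binds RP ID, user presence and key alg."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.create":
        raise ValueError("clientDataJSON.type is not webauthn.create")
    if b64url_decode(client.get("challenge", "")) != challenge:
        raise ValueError("challenge mismatch (possible replay)")
    if client.get("origin") != origin:
        raise ValueError("origin mismatch")
    parsed = parse_authenticator_data(auth_data)
    if parsed["rpIdHash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the relying party ID")
    if not parsed["UP"]:
        raise ValueError("user presence flag not set")
    if "cosePublicKey" not in parsed:
        raise ValueError("registration without attested credential data")
    alg = COSE_ALGS.get(parsed["cosePublicKey"].get(3))
    if alg not in allowed:
        raise ValueError(f"public key algorithm {alg!r} not allowed")
    return {"alg": alg, "credentialId": parsed["credentialId"],
            "signCount": parsed["signCount"]}


# --- Constructed sample (not captured from any real authenticator) ---
RP_ID, ORIGIN, CHALLENGE = "example.com", "https://example.com", b"constructed-challenge-01"
_X, _Y = bytes(range(32)), bytes(range(32, 64))  # placeholder P-256 coordinates
# COSE EC2 key {1: 2 (EC2), 3: -7 (ES256), -1: 1 (P-256), -2: x, -3: y}
SAMPLE_COSE_KEY = b"\xa5\x01\x02\x03\x26\x20\x01\x21\x58\x20" + _X + b"\x22\x58\x20" + _Y
SAMPLE_CRED_ID = b"constructed-cred-id"
SAMPLE_AUTH_DATA = (hashlib.sha256(RP_ID.encode()).digest()
                    + bytes([FLAG_UP | FLAG_UV | FLAG_AT]) + struct.pack(">I", 0)
                    + bytes(16) + struct.pack(">H", len(SAMPLE_CRED_ID)) + SAMPLE_CRED_ID
                    + SAMPLE_COSE_KEY)
SAMPLE_CLIENT_DATA = json.dumps({
    "type": "webauthn.create",
    "challenge": base64.urlsafe_b64encode(CHALLENGE).rstrip(b"=").decode(),
    "origin": ORIGIN,
}).encode()

if __name__ == "__main__":
    print(check_registration(SAMPLE_CLIENT_DATA, SAMPLE_AUTH_DATA, RP_ID, ORIGIN, CHALLENGE))
```

When testing with the extension, the algorithm allow list is the check worth watching: a generated RS1 or EdDSA key substituted into the registration should be rejected by a relying party that only enrolled ES256 and RS256 in its `pubKeyCredParams`, and the `signCount` stored here is the baseline against which later assertions are compared.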
Installation
From the BApp Store
The recommended and easiest method is via Burp Suite's BApp Store. Refer to the Burp Suite documentation for detailed steps.
Manual Installation
- Download the latest release: Passkey-Raider-1.0.1.jar.
- Open Burp Suite, navigate to Extensions > Add, and load the JAR file.