A Burp Suite extension to decrypt and edit Zyxel router configuration portal API traffic.


lorenzodifuccia/ZyxelAES


Zyxel AES - Burp Extension

A Burp Suite extension to decrypt and edit Zyxel router configuration portal API traffic.
This extension enables security researchers and penetration testers to view and modify encrypted API requests and responses on-the-fly, directly within Burp Suite.



Features

  1. Decrypts and displays AES-encrypted JSON payloads in Burp Suite Proxy, Repeater, and Intruder.
  2. Lets you edit and re-encrypt content before forwarding requests.
  3. Lets you set the AES key via a Burp context-menu action.
  4. Optionally logs AES keys to a file for auditing or reuse.

Setup

  1. Load the extension in Burp Suite.
  2. Configure the Zyxel front-end to expose the AES key: create a new Match / Replace rule in Burp Suite that modifies the front-end JavaScript so that it adds the current AES key as a header in every request:
    • Match: 0!=a&&e.setRequestHeader("CSRFToken",a)
    • Replace:
      0!=a&&e.setRequestHeader("CSRFToken",a),e.setRequestHeader("AES-Key",localStorage.getItem("AesKey"))

Usage

  • Right-click on any request/response in Burp and select "Set AES Key" to input the Base64-encoded AES key.
  • Optionally, set a log file path to save AES keys for future use.
  • The extension will automatically detect and decrypt Zyxel API traffic containing AES-encrypted JSON with "content" and "iv" fields.
  • Edit decrypted content in the custom tab and forward the modified request; it will be re-encrypted automatically.

Known issue: After changing the AES key, select a different message and re-open the original request to refresh the extension tab.

Zyxel encryption overview

The Zyxel router configuration portal encrypts its API traffic using a PGP-like hybrid encryption scheme.
The front-end retrieves the router’s RSA public key via the /getRSAPublickKey API and generates a random AES key for the session.
During the login request (/UserLogin), the front-end sends the AES key - encrypted with the router's RSA public key - together with the user credentials.
From that point on, all subsequent API requests and responses are encrypted with the established AES session key.

{
   "content": "<AES-encrypted JSON with the API request/response payload>",
   "key": "<AES key, exchanged during login and encrypted with the RSA public key>",
   "iv": "<IV used for this specific request/response>"
}
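
The detect, decrypt, edit and re-encrypt cycle for this envelope, as an added Node.js example that is not code from the ZyxelAES project. The README does not state the cipher mode or encodings, so AES-CBC with PKCS#7 padding, a 16-byte IV and Base64-encoded "content" and "iv" are assumptions; the function names, key and payload fields are constructed for illustration.

```javascript
// Added example, not code from the ZyxelAES project.
// Assumptions (not stated in the README): AES-CBC, PKCS#7 padding, 16-byte IV,
// and Base64 encoding for "content" and "iv".
const crypto = require("node:crypto");

// Pick the cipher name from the decoded key length (16, 24 or 32 bytes).
function cipherFor(key) {
  const bits = key.length * 8;
  if (![128, 192, 256].includes(bits)) throw new Error(`bad AES key length: ${key.length}`);
  return `aes-${bits}-cbc`;
}

// The README's detection rule: a JSON body carrying "content" and "iv" fields.
function parseEnvelope(body) {
  let obj;
  try { obj = JSON.parse(body); } catch { return null; }
  const ok = obj !== null && typeof obj === "object" &&
    typeof obj.content === "string" && typeof obj.iv === "string";
  return ok ? obj : null;
}

// Decrypt "content" with the session key and the per-message IV.
function decryptEnvelope(envelope, keyB64) {
  const key = Buffer.from(keyB64, "base64");
  const iv = Buffer.from(envelope.iv, "base64");
  const d = crypto.createDecipheriv(cipherFor(key), key, iv);
  const plain = Buffer.concat([d.update(Buffer.from(envelope.content, "base64")), d.final()]);
  return JSON.parse(plain.toString("utf8"));
}

// Re-encrypt an edited payload under a fresh IV, since each message carries its own.
function encryptEnvelope(payload, keyB64) {
  const key = Buffer.from(keyB64, "base64");
  const iv = crypto.randomBytes(16);
  const c = crypto.createCipheriv(cipherFor(key), key, iv);
  const ct = Buffer.concat([c.update(JSON.stringify(payload), "utf8"), c.final()]);
  return { content: ct.toString("base64"), iv: iv.toString("base64") };
}

// Constructed session key and payload; no real router traffic is used.
const demoKey = crypto.randomBytes(32).toString("base64");
const wire = JSON.stringify(encryptEnvelope({ setting: "example", enabled: false }, demoKey));

const env = parseEnvelope(wire);                      // detect
const edited = { ...decryptEnvelope(env, demoKey), enabled: true }; // decrypt + edit
const resent = encryptEnvelope(edited, demoKey);      // re-encrypt before forwarding
console.log(decryptEnvelope(resent, demoKey));
```

A wrong or stale key surfaces here as a padding or JSON parse error from `decryptEnvelope`, which is the symptom to expect after the session key changes.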

Build

mvn package

Requirements:

  • Burp Suite (Community or Professional)
  • Java 8+
  • Maven

The JAR file will be generated in the target directory.
