Skip to content

Commit

Permalink
Merge pull request #82 from DolphFlynn/brute
Browse files Browse the repository at this point in the history 
Brute
  • Loading branch information
@DolphFlynn
DolphFlynn authored Jan 1, 2025
2 parents 27eee3a + 3af808b commit 6be33cd
Show file tree
Hide file tree
Showing 17 changed files with 104,779 additions and 0 deletions.
8 changes: 8 additions & 0 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,10 @@ Additionally it facilitates several well-known attacks against JWT implementatio

## Changelog

**Unreleased**
- Add ability to test for HMAC signatures using [weak secrets](https://github.com/wallarm/jwt-secrets).
- Remember last used key within Signing dialog.

**2.4 2024-12-24**
- Add support for non-JSON claims within JWS (Thanks to [@Hannah-PortSwigger](https://github.com/Hannah-PortSwigger) for suggesting this).

Expand Down Expand Up @@ -150,6 +154,7 @@ The `Attack` option implements several well-known attacks against JSON Web Signa
* Signing with an empty HMAC key
* Signing with a *Psychic signature*
* Embedding a Collaborator payload
* Weak HMAC secret

These are described in more detail [below](#Attacks).

Expand Down Expand Up @@ -218,6 +223,9 @@ Burp Suite's [Collaborator](https://portswigger.net/burp/documentation/collabora
is fetching content based on the `x5u` or `jku` headers.
Note that this functionality is only available in Burp Suite Professional.

### Weak HMAC secret
Attempt to brute-force the signing key for JWS with HMAC signatures using known [JWT secrets](https://github.com/wallarm/jwt-secrets).

## Issues / Enhancements
If you have found a bug or think that a particular feature is missing, please raise an issue on the [GitHub repository](https://github.com/DolphFlynn/jwt-editor/issues).

Expand Down
6 changes: 6 additions & 0 deletions src/main/java/com/blackberry/jwteditor/model/jose/Header.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@

import static com.blackberry.jwteditor.utils.JSONUtils.isJsonCompact;
import static com.blackberry.jwteditor.utils.JSONUtils.prettyPrintJSON;
import static com.nimbusds.jose.HeaderParameterNames.ALGORITHM;

public class Header extends Base64Encoded {

Expand All @@ -44,4 +45,9 @@ public JSONObject json()
{
return new JSONObject(decoded());
}

public String algorithm() {
JSONObject json = json();
return json.has(ALGORITHM) ? json.getString(ALGORITHM) : "";
}
}
44 changes: 44 additions & 0 deletions src/main/java/com/blackberry/jwteditor/operations/weak/ErrorLoggingRunnable.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
/*
Author : Dolph Flynn
Copyright 2025 Dolph Flynn
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package com.blackberry.jwteditor.operations.weak;

import burp.api.montoya.logging.Logging;

class ErrorLoggingRunnable implements Runnable {
interface Task {
void action() throws Exception;
}

private final Logging logging;
private final Task task;

ErrorLoggingRunnable(Logging logging, Task task) {
this.logging = logging;
this.task = task;
}

@Override
public void run() {
try {
task.action();
} catch (Exception e) {
logging.logToError(e);
}
}
}
79 changes: 79 additions & 0 deletions src/main/java/com/blackberry/jwteditor/operations/weak/WeakSecretFinder.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,79 @@
/*
Author : Dolph Flynn
Copyright 2025 Dolph Flynn
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package com.blackberry.jwteditor.operations.weak;

import burp.api.montoya.logging.Logging;
import com.blackberry.jwteditor.model.jose.JWS;

import java.io.Closeable;
import java.util.concurrent.ExecutorService;

import static com.blackberry.jwteditor.operations.weak.WeakSecretsFinderStatus.*;
import static java.util.concurrent.Executors.newSingleThreadExecutor;

public class WeakSecretFinder implements Closeable {
private final ExecutorService executorService;
private final WeakSecretsFinderModel model;
private final Logging logging;

public WeakSecretFinder(WeakSecretsFinderModel model, Logging logging) {
this.model = model;
this.logging = logging;
this.executorService = newSingleThreadExecutor();
}

public void bruteForce(JWS jws) {
executorService.submit(new ErrorLoggingRunnable(logging, new Worker(model, jws)));
}

@Override
public void close() {
executorService.shutdown();
}

private static class Worker implements ErrorLoggingRunnable.Task {
private final WeakSecrets weakSecrets;
private final WeakSecretsFinderModel model;
private final WeakSecretTester tester;

private Worker(WeakSecretsFinderModel model, JWS jws) {
this.model = model;
this.weakSecrets = new WeakSecrets();
this.tester = new WeakSecretTester(jws);
}

@Override
public void action() throws Exception {
String secret;

while (model.status() == RUNNING && (secret = weakSecrets.next()) != null) {
model.setProgress(weakSecrets.progress());

if (tester.isSecretCorrect(secret)) {
model.setStatus(SUCCESS);
model.setSecret(secret);
}
}

if (model.status() == RUNNING) {
model.setStatus(FAILED);
}
}
}
}
49 changes: 49 additions & 0 deletions src/main/java/com/blackberry/jwteditor/operations/weak/WeakSecretTester.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
/*
Author : Dolph Flynn
Copyright 2025 Dolph Flynn
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package com.blackberry.jwteditor.operations.weak;

import com.blackberry.jwteditor.model.jose.JWS;
import com.blackberry.jwteditor.model.keys.JWKKey;
import com.blackberry.jwteditor.model.keys.JWKKeyFactory;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.OctetSequenceKey;
import com.nimbusds.jose.util.Base64URL;

class WeakSecretTester {
private final JWS jws;
private final JWSHeader verificationInfo;

public WeakSecretTester(JWS jws) {
this.jws = jws;

JWSAlgorithm algorithm = JWSAlgorithm.parse(jws.header().algorithm());
this.verificationInfo = new JWSHeader.Builder(algorithm).build();
}

boolean isSecretCorrect(String secret) throws Exception {
Base64URL encodedSecret = Base64URL.encode(secret);

JWK key = new OctetSequenceKey.Builder(encodedSecret).build();
JWKKey jwkKey = JWKKeyFactory.from(key);

return jws.verify(jwkKey, verificationInfo);
}
}
58 changes: 58 additions & 0 deletions src/main/java/com/blackberry/jwteditor/operations/weak/WeakSecrets.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
/*
Author : Dolph Flynn
Copyright 2024 Dolph Flynn
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package com.blackberry.jwteditor.operations.weak;

import java.io.*;
import java.util.concurrent.atomic.AtomicInteger;

import static java.nio.charset.StandardCharsets.UTF_8;

// Secret Source: https://github.com/wallarm/jwt-secrets
class WeakSecrets {
private static final int TOTAL_NUMBER_OF_SECRETS = 103975;

private final BufferedReader bufferedReader;
private final Object lock;
private final AtomicInteger counter;

WeakSecrets() {
InputStream inputStream = this.getClass().getResourceAsStream("/jwt.secrets.list.txt");

this.bufferedReader = new BufferedReader(new InputStreamReader(inputStream, UTF_8));
this.lock = new Object();
this.counter = new AtomicInteger();
}

String next() {
synchronized (lock) {
counter.incrementAndGet();

try {
return bufferedReader.readLine();
} catch (IOException e) {
throw new UncheckedIOException(e);
}
}
}

int progress() {
double progress = (100.0 * counter.get()) / TOTAL_NUMBER_OF_SECRETS;
return (int) progress;
}
}
60 changes: 60 additions & 0 deletions src/main/java/com/blackberry/jwteditor/operations/weak/WeakSecretsFinderModel.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
/*
Author : Dolph Flynn
Copyright 2024 Dolph Flynn
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package com.blackberry.jwteditor.operations.weak;

import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.atomic.AtomicReference;

import static com.blackberry.jwteditor.operations.weak.WeakSecretsFinderStatus.RUNNING;

public class WeakSecretsFinderModel {
private final AtomicInteger percentageComplete;
private final AtomicReference<WeakSecretsFinderStatus> status;
private final AtomicReference<String> secret;

public WeakSecretsFinderModel() {
this.percentageComplete = new AtomicInteger();
this.status = new AtomicReference<>(RUNNING);
this.secret = new AtomicReference<>();
}

void setProgress(int percentageComplete) {
this.percentageComplete.set(percentageComplete);
}

public int progress() {
return percentageComplete.get();
}

void setSecret(String secret) {
this.secret.set(secret);
}

public String secret() {
return secret.get();
}

public void setStatus(WeakSecretsFinderStatus status) {
this.status.set(status);
}

public WeakSecretsFinderStatus status() {
return status.get();
}
}
23 changes: 23 additions & 0 deletions src/main/java/com/blackberry/jwteditor/operations/weak/WeakSecretsFinderStatus.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
/*
Author : Dolph Flynn
Copyright 2025 Dolph Flynn
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package com.blackberry.jwteditor.operations.weak;

public enum WeakSecretsFinderStatus {
RUNNING, SUCCESS, CANCELLED, FAILED
}
13 changes: 13 additions & 0 deletions src/main/java/com/blackberry/jwteditor/presenter/EditorPresenter.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@
import com.blackberry.jwteditor.view.dialog.operations.*;
import com.blackberry.jwteditor.view.editor.EditorMode;
import com.blackberry.jwteditor.view.editor.EditorView;
import com.blackberry.jwteditor.view.weak.WeakKeyAttackDialog;
import com.nimbusds.jose.util.Base64URL;
import org.json.JSONException;

Expand Down Expand Up @@ -252,6 +253,18 @@ public void onAttackEmbedCollaboratorPayloadClicked() {
showDialogAndUpdateJWS(dialog);
}

public void onAttackWeakHMACSecret() {
JWS jws = getJWS();

if (!jws.header().algorithm().startsWith("HS")) {
messageDialogFactory.showWarningDialog("error_title_unable_to_attack_weak_symmetric", "error_unable_to_attack_weak_symmetric");
return;
}

WeakKeyAttackDialog dialog = new WeakKeyAttackDialog(view.window(), logging, getJWS());
dialog.display();
}

public void onSignClicked() {
signingDialog(SigningDialog.Mode.NORMAL);
}
Expand Down
Loading

0 comments on commit 6be33cd

Please sign in to comment.