## [1.0.0] - 2024-03-27

### Changed

- Tool name changed to SignSaboteur
- Unknown web signed tokens with empty body excluded from search algorithm to avoid duplicates
- JWT finder separated from Flask/Django implementation

### Changed

- Regex token search method was removed due to poor performance. New search algorithm was introduced instead.

CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## [1.0.0] - 2024-03-27
+
+### Changed
+
+- Tool name changed to SignSaboteur
+- Unknown web signed tokens with empty body excluded from search algorithm to avoid duplicates
+- JWT finder separated from Flask/Django implementation
+
 ## [0.0.8] - 2024-03-20
 
 ### Added

README.md

@@ -1,7 +1,7 @@
 # Sessionless
 
-Sessionless is a Burp Suite extension for editing, signing, verifying, attacking signed
-tokens: [Django TimestampSigner](https://docs.djangoproject.com/en/5.0/topics/signing/#verifying-timestamped-values), [ItsDangerous Signer](https://itsdangerous.palletsprojects.com/en/2.1.x/signer/), [Express cookie-session middleware](https://expressjs.com/en/resources/middleware/cookie-session.html), [OAuth2 Proxy](https://github.com/oauth2-proxy/oauth2-proxy), [Tornado’s signed cookies](https://www.tornadoweb.org/en/stable/guide/security.html), [Ruby Rails Signed cookies](https://api.rubyonrails.org/classes/ActiveSupport/MessageVerifier.html)
+SignSaboteur is a Burp Suite extension for editing, signing, verifying, and attacking signed tokens. 
+It supports different types of tokens: [Django TimestampSigner](https://docs.djangoproject.com/en/5.0/topics/signing/#verifying-timestamped-values), [ItsDangerous Signer](https://itsdangerous.palletsprojects.com/en/2.1.x/signer/), [Express cookie-session middleware](https://expressjs.com/en/resources/middleware/cookie-session.html), [OAuth2 Proxy](https://github.com/oauth2-proxy/oauth2-proxy), [Tornado’s signed cookies](https://www.tornadoweb.org/en/stable/guide/security.html), [Ruby Rails Signed cookies](https://api.rubyonrails.org/classes/ActiveSupport/MessageVerifier.html)
 and Unknown signed string.
 
 It provides automatic detection and in-line editing of token within HTTP requests/responses and WebSocket messages,
@@ -14,7 +14,7 @@ found [here](https://github.com/blackberry/jwt-editor) and [here](https://github
 
 * Ensure that Java JDK 17 or newer is installed
 * From root of project, run the command `./gradlew jar`
-* This should place the JAR file `token-library-0.0.7.jar` within the `build/libs` directory
+* This should place the JAR file `token-library-1.0.0.jar` within the `build/libs` directory
 * This can be loaded into Burp by navigating to the `Extensions` tab, `Installed` sub-tab, clicking `Add` and loading
   the JAR file
 * This BApp is using the newer Montoya API so it's best to use the latest version of Burp (try the earlier adopter
@@ -55,6 +55,7 @@ A JSON text editor is provided to edit each component that contain JSON content:
 * Dangerous Payload
 * Django Payload (except pickle serialized payload)
 * Express Payload
+* JWT Payload
 
 A timestamp editor is provided to edit each component that contain it:
 

build.gradle

@@ -3,7 +3,7 @@ plugins {
 }
 
 group = 'one.d4d'
-version = '0.0.8'
+version = '1.0.0'
 description = 'token-signer'
 
 repositories {

src/main/java/one/d4d/sessionless/itsdangerous/model/SignedTokenObjectFinder.java

@@ -74,6 +74,14 @@ public static List<MutableSignedToken> extractSignedTokenObjects(SignerConfig si
                 });
             });
         }
+        if (signerConfig.isEnabled(Signers.JWT)) {
+            List<ByteArray> stringCandidates  = Utils.searchByteArrayBase64URLSafe(text);
+            for (ByteArray candidate : stringCandidates) {
+                parseJSONWebSignature(candidate.toString())
+                        .ifPresent(value ->
+                                signedTokensObjects.add(new MutableSignedToken(candidate.toString(), value)));
+            }
+        }
         if (signerConfig.isEnabled(Signers.UNKNOWN)) {
             List<ByteArray> stringCandidates  = Utils.searchByteArrayBase64(text);
             for (ByteArray candidate : stringCandidates) {
@@ -105,8 +113,7 @@ private static Map<String, String> convertCookiesToHashMap(List<Cookie> cookies)
 
     public static Optional<SignedToken> parseToken(String candidate) {
         Optional<SignedToken> dst = parseDjangoSignedToken(candidate);
-        dst = dst.isPresent() ? dst : parseDangerousSignedToken(candidate);
-        return dst.isPresent() ? dst : parseJSONWebSignature(candidate);
+        return dst.isPresent() ? dst : parseDangerousSignedToken(candidate);
     }
 
     private static List<MutableSignedToken> parseParameters(List<ParsedHttpParameter> params) {
@@ -457,6 +464,7 @@ public static Optional<SignedToken> parseUnknownSignedString(String text) {
         if (separator == 0) return Optional.empty();
         int index = text.lastIndexOf(separator);
         String message = text.substring(0, index);
+        if (message.isEmpty()) return Optional.empty();
         String signature = text.substring(index + 1);
         try {
             byte[] sign = Utils.normalization(signature.getBytes());

src/main/resources/strings.properties

@@ -3,7 +3,7 @@ button_clean=Clean
 button_load=Load
 button_remove=Remove
 # Burp Suite
-tool_name=Sessionless
+tool_name=SignSaboteur
 burp_proxy_comment=%d Tokens
 wordlist_view=Wordlist
 proxy_label=Proxy
@@ -37,7 +37,7 @@ editor_view_button_attack_known_keys=Known keys
 editor_view_button_attack_fast=Fast
 editor_view_button_attack_balanced=Balanced
 editor_view_button_attack_deep=Deep
-burp_editor_tab=Signed tokens
+burp_editor_tab=SignSaboteur
 new_key_dialog_title=New signing key
 keys_confirm_overwrite=Confirm
 keys_confirm_overwrite_title=Overwrite key
@@ -94,7 +94,7 @@ signer_settings_label=Enabled signers:
 key_dialog_digest=Digest
 key_dialog_message_derivation=Message derivation
 key_dialog_key_derivation=Key derivation
-key_dialog_algorythm=Algorythm
+key_dialog_algorythm=Algorithm
 button_add_label=Add
 new_word_dialog_title=New item
 new_word_item_label=New item