diff --git a/CHANGELOG.md b/CHANGELOG.md
index d8e7935..2bc9664 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,13 @@
 # Changelog
+## [1.0.0] - 2024-03-27
+
+### Changed
+
+- Tool name changed to SignSaboteur
+- Unknown web signed tokens with empty body excluded from search algorithm to avoid duplicates
+- JWT finder separated from Flask/Django implementation
+
 ## [0.0.8] - 2024-03-20
 ### Added
diff --git a/README.md b/README.md
index 93ca9ad..b51ad3d 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 # Sessionless
-Sessionless is a Burp Suite extension for editing, signing, verifying, attacking signed
-tokens: [Django TimestampSigner](https://docs.djangoproject.com/en/5.0/topics/signing/#verifying-timestamped-values), [ItsDangerous Signer](https://itsdangerous.palletsprojects.com/en/2.1.x/signer/), [Express cookie-session middleware](https://expressjs.com/en/resources/middleware/cookie-session.html), [OAuth2 Proxy](https://github.com/oauth2-proxy/oauth2-proxy), [Tornado’s signed cookies](https://www.tornadoweb.org/en/stable/guide/security.html), [Ruby Rails Signed cookies](https://api.rubyonrails.org/classes/ActiveSupport/MessageVerifier.html)
+SignSaboteur is a Burp Suite extension for editing, signing, verifying, and attacking signed tokens.
+It supports different types of tokens: [Django TimestampSigner](https://docs.djangoproject.com/en/5.0/topics/signing/#verifying-timestamped-values), [ItsDangerous Signer](https://itsdangerous.palletsprojects.com/en/2.1.x/signer/), [Express cookie-session middleware](https://expressjs.com/en/resources/middleware/cookie-session.html), [OAuth2 Proxy](https://github.com/oauth2-proxy/oauth2-proxy), [Tornado’s signed cookies](https://www.tornadoweb.org/en/stable/guide/security.html), [Ruby Rails Signed cookies](https://api.rubyonrails.org/classes/ActiveSupport/MessageVerifier.html) and Unknown signed string.
 It provides automatic detection and in-line editing of token within HTTP requests/responses and WebSocket messages,
@@ -14,7 +14,7 @@ found [here](https://github.com/blackberry/jwt-editor) and [here](https://github
 * Ensure that Java JDK 17 or newer is installed
 * From root of project, run the command `./gradlew jar`
-* This should place the JAR file `token-library-0.0.7.jar` within the `build/libs` directory
+* This should place the JAR file `token-library-1.0.0.jar` within the `build/libs` directory
 * This can be loaded into Burp by navigating to the `Extensions` tab, `Installed` sub-tab, clicking `Add` and loading the JAR file
 * This BApp is using the newer Montoya API so it's best to use the latest version of Burp (try the earlier adopter
@@ -55,6 +55,7 @@ A JSON text editor is provided to edit each component that contain JSON content:
 * Dangerous Payload
 * Django Payload (except pickle serialized payload)
 * Express Payload
+* JWT Payload
 A timestamp editor is provided to edit each component that contain it:
diff --git a/build.gradle b/build.gradle
index fc0e1f9..f80bf2a 100644
--- a/build.gradle
+++ b/build.gradle
@@ -3,7 +3,7 @@ plugins {
 }
 group = 'one.d4d'
-version = '0.0.8'
+version = '1.0.0'
 description = 'token-signer'
 repositories {
diff --git a/src/main/java/one/d4d/sessionless/itsdangerous/model/SignedTokenObjectFinder.java b/src/main/java/one/d4d/sessionless/itsdangerous/model/SignedTokenObjectFinder.java
index 9d90c00..1b0fa84 100644
--- a/src/main/java/one/d4d/sessionless/itsdangerous/model/SignedTokenObjectFinder.java
+++ b/src/main/java/one/d4d/sessionless/itsdangerous/model/SignedTokenObjectFinder.java
@@ -74,6 +74,14 @@ public static List extractSignedTokenObjects(SignerConfig si
             });
         });
     }
+        if (signerConfig.isEnabled(Signers.JWT)) {
+            List stringCandidates = Utils.searchByteArrayBase64URLSafe(text);
+            for (ByteArray candidate : stringCandidates) {
+                parseJSONWebSignature(candidate.toString())
+                        .ifPresent(value ->
+                                signedTokensObjects.add(new MutableSignedToken(candidate.toString(), value)));
+            }
+        }
         if (signerConfig.isEnabled(Signers.UNKNOWN)) {
             List stringCandidates = Utils.searchByteArrayBase64(text);
             for (ByteArray candidate : stringCandidates) {
@@ -105,8 +113,7 @@ private static Map convertCookiesToHashMap(List cookies)
     public static Optional parseToken(String candidate) {
         Optional dst = parseDjangoSignedToken(candidate);
-        dst = dst.isPresent() ? dst : parseDangerousSignedToken(candidate);
-        return dst.isPresent() ? dst : parseJSONWebSignature(candidate);
+        return dst.isPresent() ? dst : parseDangerousSignedToken(candidate);
     }
     private static List parseParameters(List params) {
@@ -457,6 +464,7 @@ public static Optional parseUnknownSignedString(String text) {
         if (separator == 0) return Optional.empty();
         int index = text.lastIndexOf(separator);
         String message = text.substring(0, index);
+        if (message.isEmpty()) return Optional.empty();
         String signature = text.substring(index + 1);
         try {
             byte[] sign = Utils.normalization(signature.getBytes());
diff --git a/src/main/resources/strings.properties b/src/main/resources/strings.properties
index 7616c70..8053a33 100644
--- a/src/main/resources/strings.properties
+++ b/src/main/resources/strings.properties
@@ -3,7 +3,7 @@ button_clean=Clean
 button_load=Load
 button_remove=Remove
 # Burp Suite
-tool_name=Sessionless
+tool_name=SignSaboteur
 burp_proxy_comment=%d Tokens
 wordlist_view=Wordlist
 proxy_label=Proxy
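Review bot: `candidate.toString()` is evaluated twice per candidate in the new JWT loop, once as the argument to parseJSONWebSignature and again inside the lambda for the MutableSignedToken; hoist it into a local, `String token = candidate.toString();`, and use it in both places, which also keeps the loop parallel to the UNKNOWN block that follows. Because searchByteArrayBase64URLSafe and searchByteArrayBase64 scan the same text, a three-segment JWT may presumably also survive parseUnknownSignedString when the UNKNOWN signer is enabled, so the same input would yield two MutableSignedToken entries; a test asserting a single hit for a JWT-bearing request would settle that. extractSignedTokenObjects begins and ends outside the hunk.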
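Review bot: parseToken no longer falls back to parseJSONWebSignature, so any caller that relied on it to recognise JWTs in cookie or parameter values that do not pass through the byte-array search silently stops detecting them, and nothing on the method records that this is deliberate. Add a Javadoc line such as `/** Parses Django and ItsDangerous tokens only; JWTs are located by the dedicated search in extractSignedTokenObjects. */` so the narrowed contract is visible at the call sites. If a call site still needs JWT detection it now has to call parseJSONWebSignature itself.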
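Review bot: The new empty-message guard has no counterpart for an empty signature: when the separator is the last character of text, `signature` on the next line is "" and is still handed to Utils.normalization, whose behaviour on an empty input is not visible here. Move the check below the signature extraction and widen it to `if (message.isEmpty() || signature.isEmpty()) return Optional.empty();`. On the following context line `signature.getBytes()` uses the platform default charset; `signature.getBytes(StandardCharsets.UTF_8)` makes the decoding deterministic across JVMs (add the import if the file lacks it). parseUnknownSignedString begins and ends outside the hunk.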
@@ -37,7 +37,7 @@ editor_view_button_attack_known_keys=Known keys
 editor_view_button_attack_fast=Fast
 editor_view_button_attack_balanced=Balanced
 editor_view_button_attack_deep=Deep
-burp_editor_tab=Signed tokens
+burp_editor_tab=SignSaboteur
 new_key_dialog_title=New signing key
 keys_confirm_overwrite=Confirm
 keys_confirm_overwrite_title=Overwrite key
@@ -94,7 +94,7 @@ signer_settings_label=Enabled signers:
 key_dialog_digest=Digest
 key_dialog_message_derivation=Message derivation
 key_dialog_key_derivation=Key derivation
-key_dialog_algorythm=Algorythm
+key_dialog_algorythm=Algorithm
 button_add_label=Add
 new_word_dialog_title=New item
 new_word_item_label=New item