Redsys PSD2 Request Signer

This extension automatically signs outgoing requests to the Redsys PSD2 API by computing and injecting the required cryptographic headers, removing the need to manually calculate signature values during testing.

Features

• Automatically computes and injects X-Request-ID, Digest, Signature, and TPP-Signature-Certificate headers on matching requests.
• Supports configurable static headers including PSU-IP-Address, TPP-Redirect-URI, TPP-Redirect-Preferred, and Authorization.
• Each static header can be individually enabled or disabled via a checkbox in the extension tab.
• Configurable overwrite mode: when enabled, existing Redsys headers are replaced; when disabled, headers are appended (which may result in duplicates).
• Dedicated configuration tab for specifying private key and certificate file paths.
• Integrates with session handling rules to apply signing automatically to requests matching a defined URL scope.

Usage

1. Open the psd2-extension tab and enter the file paths for your private key and certificate.
2. Configure any static header values (PSU-IP-Address, TPP-Redirect-URI, TPP-Redirect-Preferred, Authorization) and enable the ones you want injected automatically.
3. Set the overwrite option: enable it to replace existing Redsys headers, or disable it to append them.
4. Navigate to Settings → Sessions → Session handling rules and add a new rule.
5. Under Rule actions, select Add → Invoke Burp Extension → PSD2 - Sign Request.
6. Under the Scope tab of the rule, add the target URL scope to restrict which requests are signed.
7. Send a request from Repeater or another tool; the extension will automatically compute and attach all required PSD2 signature headers.