SignSaboteur is a Burp Suite extension for editing, signing, verifying, and attacking signed tokens. It supports several token types: Django TimestampSigner, ItsDangerous Signer, Express cookie-session middleware, OAuth2 Proxy, Tornado's signed cookies, Ruby on Rails signed cookies, Ruby on Rails encrypted cookies, Nimbus JOSE + JWT and unknown signed strings.
It provides automatic detection and in-line editing of tokens within HTTP requests/responses and WebSocket messages, signing of tokens, and automation of brute force attacks against signed token implementations.
Features
Wordlist view
The Wordlist View allows you to import lists of secrets and salts from files. The extension ships with its own prebuilt dictionaries; most secrets are taken from jwt-secrets. Optionally, Flask-Unsign-Wordlist can be used as well. The extension supports the JSON string format for special characters: to use it, quote the secret string with ".
Editor view
The Editor View supports a number of signed tokens: Django, Dangerous, Flask, Express, OAuth2 and Tornado. It allows modification of the signed tokens at Burp Suite's HTTP Request/Response view in the Proxy, History and Repeater tools.
The Dangerous tab can be used for both Flask and Django tokens; the right one is selected depending on whether a Dangerous or Django token is detected.
The Unknown tab can be used to brute force unknown signed strings. Guessing mode works only with Balanced and Deep brute force attacks. It supports different message derivation techniques, including:
Editable fields
A JSON text editor is provided to edit each component that contains JSON content:
A timestamp editor is provided to edit each component that contains a timestamp:
A hex editor is provided for all signed tokens, except Express signatures. NOTE: the Express tab doesn't support automatic signature updates yet. Please copy the signature manually into the corresponding signature cookie.
Sign
Sign presents a signing dialog that can be used to update the signature by signing the token with a key from the Keys View that has signing capabilities.
Brute force
Brute force will attempt to find the secret key that was used to generate the signature. If a secret key is found, a dialog will be presented.
The Brute force option implements three types of attacks against signed token signatures:
Attack
The Attack option implements eight well-known authorization attacks against signed tokens:
For more details on the attacks, check out the repository or the PortSwigger Research blog post, Introducing SignSaboteur: forge signed web tokens with ease.
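As an added illustration of the Django TimestampSigner format that the Django tab edits and brute forces (example code written for this page, not SignSaboteur's own code): it signs a value, verifies a token with an expiry, and runs a weak-secret self-check against a constructed candidate list. It assumes Django 3.1+ defaults, where the Signer derives the HMAC key as SHA-256(salt + "signer" + secret) and uses the default salt.

```python
import base64
import hashlib
import hmac
import time

# Django TimestampSigner token layout: value:base62-timestamp:signature
# (assumption: Django >= 3.1 defaults, SHA-256 and the default salt).
DEFAULT_SALT = "django.core.signing.Signer"
BASE62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def b62_encode(n):
    out = ""
    while n > 0:
        n, r = divmod(n, 62)
        out = BASE62[r] + out
    return out or "0"

def b62_decode(s):
    n = 0
    for ch in s:
        n = n * 62 + BASE62.index(ch)
    return n

def signature(value, secret, salt=DEFAULT_SALT):
    key = hashlib.sha256((salt + "signer" + secret).encode()).digest()
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()

def sign(value, secret, now=None):
    ts = b62_encode(int(time.time()) if now is None else now)
    body = f"{value}:{ts}"
    return f"{body}:{signature(body, secret)}"

def unsign(token, secret, max_age, now=None):
    """Return the payload if the signature is valid and not older than max_age, else None."""
    body, _, sig = token.rpartition(":")
    if not body or not hmac.compare_digest(sig, signature(body, secret)):
        return None
    value, _, ts = body.rpartition(":")
    age = (int(time.time()) if now is None else now) - b62_decode(ts)
    return value if age <= max_age else None

def weak_secret(token, candidates):
    """Self-check: return the candidate secret (constructed list) that validates the token, if any."""
    body, _, sig = token.rpartition(":")
    for cand in candidates:
        if body and hmac.compare_digest(sig, signature(body, cand)):
            return cand
    return None
```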
Copyright © 2024 PortSwigger Ltd.
Author: Zakhar Fedotkin, PortSwigger
Version: 1.0.6
Last updated: 05 December 2024
Estimated system impact: Overall impact: Empty; Memory: Empty; CPU: Empty; General: Empty; Scanner: Empty
You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.
You can view the source code for all BApp Store extensions on our GitHub page.
Follow @BApp_Store on Twitter to receive notifications of all BApp releases and updates.
Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.