
SignSaboteur, Web Token Signer

SignSaboteur is a Burp Suite extension for editing, signing, verifying, and attacking signed tokens. It supports different types of tokens: Django TimestampSigner, ItsDangerous Signer, Express cookie-session middleware, OAuth2 Proxy, Tornado's signed cookies, Ruby Rails Signed cookies, Ruby Rails Encrypted cookies, Nimbus JOSE + JWT and Unknown signed string.

It provides automatic detection and in-line editing of tokens within HTTP requests/responses and WebSocket messages, signing of tokens, and automation of brute force attacks against signed token implementations.

Features

Wordlist view

The Wordlist View allows you to import secret and salt list files. The extension ships with its own prebuilt dictionary lists; most secrets are taken from jwt-secrets. As an option, Flask-Unsign-Wordlist can be used. The extension supports the JSON string format for special characters: to use it, quote the secret string with ".

Editor view

The Editor View supports a number of signed tokens: Django, Dangerous, Flask, Express, OAuth2 and Tornado. It allows modification of signed tokens in Burp Suite's HTTP Request/Response view in the Proxy, History and Repeater tools.
The Dangerous tab is used for both Flask and Django tokens; the format is selected depending on whether a Dangerous or a Django token is detected.
The Unknown tab can be used to brute force unknown signed strings. Guessing mode works only with the Balanced and Deep brute force attacks. It supports different message derivation techniques, including:

  • None: the message is used as is
  • CONCAT: the separator byte is removed from the message and the resulting value is used to calculate the signature
  • Tornado: the separator byte is appended to the end of the message string
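As an added example (not code from the extension or this page), the following Python shows how the three derivation techniques change the bytes that are fed to the HMAC, and how a defender can check one of their own tokens against a known-weak secret list the way the Unknown tab's guessing mode does. The token layout (message, separator, hex-encoded HMAC), the `.`/`|` separators, the function names and the secrets are all assumptions constructed for this example.

```python
import hmac
from typing import Iterable, Optional

TECHNIQUES = ("NONE", "CONCAT", "TORNADO")  # the three Unknown-tab derivation modes


def derive_message(message: bytes, separator: bytes, technique: str) -> bytes:
    """Return the bytes that are actually fed to the HMAC for a given technique."""
    if technique == "NONE":       # message is used as is
        return message
    if technique == "CONCAT":     # separator bytes are removed before signing
        return message.replace(separator, b"")
    if technique == "TORNADO":    # one separator is appended to the message
        return message + separator
    raise ValueError(f"unsupported technique: {technique}")


def sign_unknown(message: bytes, secret: bytes, separator: bytes = b".",
                 technique: str = "NONE", digest: str = "sha256") -> bytes:
    """Build <message><separator><hex HMAC>; this token layout is an assumption."""
    mac = hmac.new(secret, derive_message(message, separator, technique), digest)
    return message + separator + mac.hexdigest().encode()


def verify_unknown(token: bytes, secret: bytes, separator: bytes = b".",
                   technique: str = "NONE", digest: str = "sha256") -> bool:
    """Recompute the HMAC over the derived message and compare in constant time."""
    message, sep, signature = token.rpartition(separator)
    if not sep:
        return False
    mac = hmac.new(secret, derive_message(message, separator, technique), digest)
    return hmac.compare_digest(mac.hexdigest().encode(), signature)


def weak_secret_audit(token: bytes, candidates: Iterable[bytes], separator: bytes = b".",
                      digests: tuple = ("sha1", "sha256")) -> Optional[tuple]:
    """Report (secret, technique, digest) if one of your own tokens verifies under a
    known-weak secret, trying every derivation technique as guessing mode does."""
    for secret in candidates:
        for technique in TECHNIQUES:
            for digest in digests:
                if verify_unknown(token, secret, separator, technique, digest):
                    return (secret, technique, digest)
    return None


if __name__ == "__main__":
    # Constructed sample: Tornado-style "value|timestamp" token signed with a weak secret
    token = sign_unknown(b"user|1733356800", b"secret", b"|", "TORNADO")
    print(weak_secret_audit(token, [b"changeme", b"secret"], b"|"))
```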

Editable fields

A JSON text editor is provided to edit each component that contains JSON content:

  • Dangerous Payload
  • Django Payload (except pickle serialized payload)
  • Express Payload
  • JWT Payload

A timestamp editor is provided to edit each component that contains a timestamp:

  • Dangerous timestamp
  • Django timestamp
  • OAuth2 Proxy timestamp
  • Tornado timestamp

A hex editor is provided for all signed tokens, except Express signatures. Note: the Express tab does not yet support automatic signature updates; copy the signature manually into the corresponding signature cookie.

Sign

Sign presents a signing dialog that can be used to update the signature by signing the token with a key from the Keys View that has signing capabilities.

Brute force

Brute force will attempt to find the secret key that was used to generate the signature. If a secret key is found, a dialog is presented.
The Brute force option implements three types of attacks against signed token signatures:

  • Known keys: uses previously found secret keys only
  • Fast: uses the default hashing algorithm and key derivation
  • Balanced: uses all known key derivation techniques, except PBKDF2WithHmacSHA1 and PBKDF2WithHmacSHA256
  • Deep: uses all key derivation techniques, including the different types supported by the Ruby on Rails framework

Attack

The Attack option implements eight well-known authorization attacks against signed tokens:

  • User claims
  • Wrapped user claims
  • Username and password claims
  • Flask claims
  • Express claims
  • Account user claims
  • Authenticated claims
  • User access_token

For more details on the attacks, check out the repository or the PortSwigger Research blog post, Introducing SignSaboteur: forge signed web tokens with ease.

Copyright © 2024 PortSwigger Ltd.

Author: Zakhar Fedotkin, PortSwigger

Version: 1.0.6

Last updated: 05 December 2024


You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

You can view the source code for all BApp Store extensions on our GitHub page.

Follow @BApp_Store on Twitter to receive notifications of all BApp releases and updates.

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.
