DolphFlynn / jwt-editor

A Burp Suite extension for creating and editing JSON Web Tokens. This tool supports signing and verification of JWS, encryption and decryption of JWE and automation of several well-known attacks against applications that consume JWT.
Apache License 2.0

Add ability to sign JWS' during intruder attack #21

Closed BafDyce closed 9 months ago

BafDyce commented 9 months ago

This PR adds another Intruder setting to select a configured signing key. If one is selected when processPayload is called, the JWS is signed with the key. If any error happens, we fall back to the current behavior of using the original signature.

Feel free to give feedback, or make adjustments to the code, as I have not coded in Java in years.
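The sign-or-fall-back behaviour described in this comment, as an added example that is not part of the PR or of jwt-editor's code: it shows that a re-signed token still verifies, while a token that fell back to the original signature does not. It assumes an HS256 token and uses only the JDK; the class, the method bodies, the key and the payloads are constructed for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
// Added illustration, not jwt-editor code. All names here are hypothetical.
public class ResignSketch {
    static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    static String hs256(String signingInput, byte[] key) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256")); // throws on an empty key
        return B64.encodeToString(mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII)));
    }

    // Swap in a new payload. With a key selected, sign header.payload;
    // with no key (null) or on any signing error, keep the original signature.
    static String processPayload(String jws, String payloadJson, byte[] key) {
        String[] parts = jws.split("\\.", -1);
        if (parts.length != 3) return jws; // not a compact JWS: leave untouched
        String input = parts[0] + "." + B64.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        String sig = parts[2];
        if (key != null) {
            try {
                sig = hs256(input, key);
            } catch (Exception e) {
                System.err.println("signing failed, keeping original signature: " + e);
            }
        }
        return input + "." + sig;
    }

    // Receiver-side check: recompute the MAC and compare in constant time.
    static boolean verify(String jws, byte[] key) throws Exception {
        int dot = jws.lastIndexOf('.');
        if (dot < 0) return false;
        byte[] expected = hs256(jws.substring(0, dot), key).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, jws.substring(dot + 1).getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8); // constructed sample key
        String header = B64.encodeToString("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String original = processPayload(header + ".e30.AAAA", "{\"sub\":\"payload-1\"}", key);
        String signed = processPayload(original, "{\"sub\":\"payload-2\"}", key);
        String fallback = processPayload(original, "{\"sub\":\"payload-2\"}", new byte[0]); // empty key forces the fallback
        System.out.println(verify(original, key) + " " + verify(signed, key) + " " + verify(fallback, key));
    }
}
```

Because the fallback path emits a changed payload under the old signature, a silent fallback is easy to mistake for a signed request, which is why the sketch logs the signing error.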

DolphFlynn commented 9 months ago

Thanks for your PR. I think adding signing to the payload processor is a great idea.

I'll have a look at your changes over the weekend.

DolphFlynn commented 9 months ago

Hi,

I've had an initial look at the PR and like what it's trying to do.

Please can you add com.blackberry.jwteditor.utils.Constants and I'll merge the PR.

Thank you again for the submission.

BafDyce commented 9 months ago

Sorry for forgetting the file. Pushed it now :) You're welcome and also thanks to you for creating this extension in the first place.