[BUG] ArrayIndexOutOfBoundsException in IntruderConfigModel.signingAlgorithm method

[anishkumarroy]

Current Behavior I encountered an ArrayIndexOutOfBoundsException in the IntruderConfigModel.signingAlgorithm method while using the JWT Editor extension in Burp Suite. The error occurs because the signingAlgorithms() method returns an empty array, leading to an exception when accessing signingAlgorithms()[0].

Error message in JWT-editor (in the error tab in Extension tab of burpsuite)

java.lang.ArrayIndexOutOfBoundsException: Index 0 out of bounds for length 0
    at com.blackberry.jwteditor.view.config.IntruderConfigModel.signingAlgorithm(IntruderConfigModel.java:109)
    at com.blackberry.jwteditor.view.config.IntruderConfigView.<init>(IntruderConfigView.java:58)
    at com.blackberry.jwteditor.view.config.ConfigView.createUIComponents(ConfigView.java:48)
    at com.blackberry.jwteditor.view.config.ConfigView.$$$setupUI$$$(ConfigView.java)
    at com.blackberry.jwteditor.view.config.ConfigView.<init>(ConfigView.java:44)
    at com.blackberry.jwteditor.view.SuiteView.createUIComponents(SuiteView.java:97)
    at com.blackberry.jwteditor.view.SuiteView.$$$setupUI$$$(SuiteView.java)
    at com.blackberry.jwteditor.view.SuiteView.<init>(SuiteView.java:68)
    at burp.JWTEditorExtension.initialize(JWTEditorExtension.java:57)
    at burp.Zjp0.ZF(Unknown Source)
    at burp.Z_vl.ZB(Unknown Source)
    at burp.Z_vb.lambda$initialiseOnNewThread$0(Unknown Source)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:572)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
    at java.base/java.lang.Thread.run(Thread.java:1570)

• Change code b/w line 106-110 in the file - src/main/java/com/blackberry/jwteditor/view/config/IntruderConfigModel.java

  Proposed fix

  JWSAlgorithm signingAlgorithm() {
  JWSAlgorithm signingAlgorithm = intruderConfig.signingAlgorithm();
  
  JWSAlgorithm[] algorithms = signingAlgorithms();
  return signingAlgorithm == null && hasSigningKeys() && algorithms.length > 0 ? algorithms[0] : signingAlgorithm;
  }

  Environment -Burp Suite version: 2024.5 -Java version: OpenJDK 22 -Operating System: Kali Linux

[DolphFlynn]

Hi @anishkumarroy,

Thanks for the bug report.

The intent here is to select the first algorithm of the specified (or first) signing key. You have signing keys so something has gone wrong.

Would you mind sharing your keys data (scramble or replace anything sensitive)?