## [1.0.2] - 2024-04-04

### Changed

- Code refactoring

Signed-off-by: d4d <btlfry@gmail.com>

CHANGELOG.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## [1.0.2] - 2024-04-04
+
+### Changed
+
+- Code refactoring
+
+## [1.0.1] - 2024-04-03
+
+### Changed
+
+- Default Secret Keys now available at Wordlist View
+- The com.nimbusds.jwt SignedJWT parser added to the finder logic. _Note_ RSA and ECDSA not supported by the extension yet
+
+
 ## [1.0.0] - 2024-03-27
 
 ### Changed

LICENSE.md

@@ -220,6 +220,6 @@ Copyright 2012-2023, Fraser Winterborn and Dolph Flynn
 Licensed under Apache-2.0 as above
 
 A class from: https://github.com/librespot-org/librespot-java
-Included in one/d4d/sessionless/utils/Base62.java
+Included in one/d4d/signsaboteur/utils/Base62.java
 Copyright 2018-2021, devgianlu
 Licensed under Apache-2.0 as above

README.md

@@ -1,7 +1,7 @@
 # SignSaboteur
 
 SignSaboteur is a Burp Suite extension for editing, signing, verifying, and attacking signed tokens. 
-It supports different types of tokens: [Django TimestampSigner](https://docs.djangoproject.com/en/5.0/topics/signing/#verifying-timestamped-values), [ItsDangerous Signer](https://itsdangerous.palletsprojects.com/en/2.1.x/signer/), [Express cookie-session middleware](https://expressjs.com/en/resources/middleware/cookie-session.html), [OAuth2 Proxy](https://github.com/oauth2-proxy/oauth2-proxy), [Tornado’s signed cookies](https://www.tornadoweb.org/en/stable/guide/security.html), [Ruby Rails Signed cookies](https://api.rubyonrails.org/classes/ActiveSupport/MessageVerifier.html)
+It supports different types of tokens: [Django TimestampSigner](https://docs.djangoproject.com/en/5.0/topics/signing/#verifying-timestamped-values), [ItsDangerous Signer](https://itsdangerous.palletsprojects.com/en/2.1.x/signer/), [Express cookie-session middleware](https://expressjs.com/en/resources/middleware/cookie-session.html), [OAuth2 Proxy](https://github.com/oauth2-proxy/oauth2-proxy), [Tornado’s signed cookies](https://www.tornadoweb.org/en/stable/guide/security.html), [Ruby Rails Signed cookies](https://api.rubyonrails.org/classes/ActiveSupport/MessageVerifier.html), [Nimbus JOSE + JWT](https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/)
 and Unknown signed string.
 
 It provides automatic detection and in-line editing of token within HTTP requests/responses and WebSocket messages,
@@ -14,10 +14,10 @@ found [here](https://github.com/blackberry/jwt-editor) and [here](https://github
 
 * Ensure that Java JDK 17 or newer is installed
 * From root of project, run the command `./gradlew jar`
-* This should place the JAR file `sign-saboteur-1.0.0.jar` within the `build/libs` directory
+* This should place the JAR file `sign-saboteur-1.0.2.jar` within the `build/libs` directory
 * This can be loaded into Burp by navigating to the `Extensions` tab, `Installed` sub-tab, clicking `Add` and loading
   the JAR file
-* This BApp is using the newer Montoya API so it's best to use the latest version of Burp (try the earlier adopter
+* This BApp is using the newer Montoya API, so it's best to use the latest version of Burp (try the earlier adopter
   channel if there are issues with the latest stable release)
 
 ## Wordlist View

build.gradle

@@ -3,7 +3,7 @@ plugins {
 }
 
 group = 'one.d4d'
-version = '1.0.0'
+version = '1.0.2'
 description = 'sign-saboteur'
 
 repositories {

src/main/java/burp/SessionlessExtension.java → src/main/java/burp/SignSaboteurExtension.java

@@ -11,19 +11,19 @@
 import burp.proxy.ProxyHttpMessageHandler;
 import burp.proxy.ProxyWsMessageHandler;
 import burp.scanner.ScannerHandler;
-import one.d4d.sessionless.forms.ExtensionTab;
-import one.d4d.sessionless.forms.RequestEditorView;
-import one.d4d.sessionless.forms.ResponseEditorView;
-import one.d4d.sessionless.presenter.PresenterStore;
-import one.d4d.sessionless.rsta.RstaFactory;
-import one.d4d.sessionless.utils.Utils;
+import one.d4d.signsaboteur.forms.ExtensionTab;
+import one.d4d.signsaboteur.forms.RequestEditorView;
+import one.d4d.signsaboteur.forms.ResponseEditorView;
+import one.d4d.signsaboteur.presenter.PresenterStore;
+import one.d4d.signsaboteur.rsta.RstaFactory;
+import one.d4d.signsaboteur.utils.Utils;
 
 import java.awt.*;
 
 import static burp.api.montoya.core.BurpSuiteEdition.PROFESSIONAL;
 import static burp.api.montoya.ui.editor.extension.EditorMode.READ_ONLY;
 
-public class SessionlessExtension implements BurpExtension {
+public class SignSaboteurExtension implements BurpExtension {
 
     @Override
     public void initialize(MontoyaApi api) {

src/main/java/burp/config/BurpConfigPersistence.java

@@ -5,7 +5,7 @@
 import com.google.gson.GsonBuilder;
 
 public class BurpConfigPersistence {
-    static final String BURP_SETTINGS_NAME = "one.d4d.sessionless.settings";
+    static final String BURP_SETTINGS_NAME = "one.d4d.signsaboteur.settings";
     private final Preferences preferences;
 
     public BurpConfigPersistence(Preferences preferences) {

src/main/java/burp/config/BurpKeysModelPersistence.java

@@ -2,14 +2,16 @@
 
 import burp.api.montoya.persistence.Preferences;
 import com.google.gson.Gson;
-import one.d4d.sessionless.utils.GsonHelper;
-import one.d4d.sessionless.utils.Utils;
+import one.d4d.signsaboteur.keys.SecretKey;
+import one.d4d.signsaboteur.utils.GsonHelper;
+import one.d4d.signsaboteur.utils.Utils;
 
 import java.io.File;
+import java.util.List;
 import java.util.Set;
 
 public class BurpKeysModelPersistence {
-    static final String BURP_SETTINGS_NAME = "one.d4d.sessionless.keys";
+    static final String BURP_SETTINGS_NAME = "one.d4d.signsaboteur.keys";
     private final Preferences preferences;
 
     public BurpKeysModelPersistence(Preferences preferences) {
@@ -23,6 +25,7 @@ public KeysModel loadOrCreateNew() {
             KeysModel model = new KeysModel();
             model.setSalts(loadDefaultSalts());
             model.setSecrets(loadDefaultSecrets());
+            loadDefaultKeys().forEach(model::addKey);
             return model;
         }
 
@@ -62,5 +65,8 @@ private Set<String> loadDefaultSecrets() {
     private Set<String> loadDefaultSalts() {
         return Utils.readResourceForClass("/salts", this.getClass());
     }
+    private List<SecretKey> loadDefaultKeys() {
+        return Utils.readDefaultSecretKeys("/keys", this.getClass());
+    }
 
 }

src/main/java/burp/config/KeysModel.java

@@ -1,7 +1,7 @@
 package burp.config;
 
 import com.google.gson.annotations.Expose;
-import one.d4d.sessionless.keys.SecretKey;
+import one.d4d.signsaboteur.keys.SecretKey;
 
 import java.util.*;
 import java.util.stream.IntStream;

src/main/java/burp/config/KeysModelListener.java

@@ -1,6 +1,6 @@
 package burp.config;
 
-import one.d4d.sessionless.keys.SecretKey;
+import one.d4d.signsaboteur.keys.SecretKey;
 
 public interface KeysModelListener {
     void notifyKeyInserted(SecretKey key);

src/main/java/burp/config/ProxyConfig.java

@@ -2,7 +2,7 @@
 
 import burp.proxy.HighlightColor;
 import com.google.gson.annotations.Expose;
-import one.d4d.sessionless.utils.Utils;
+import one.d4d.signsaboteur.utils.Utils;
 
 import static burp.proxy.HighlightColor.GREEN;
 

src/main/java/burp/config/SignerConfig.java

@@ -1,7 +1,7 @@
 package burp.config;
 
 import com.google.gson.annotations.Expose;
-import one.d4d.sessionless.itsdangerous.crypto.Signers;
+import one.d4d.signsaboteur.itsdangerous.crypto.Signers;
 
 import java.util.EnumSet;
 import java.util.Set;
@@ -12,7 +12,7 @@ public class SignerConfig {
     private Set<Signers> enabled;
 
     public SignerConfig() {
-        EnumSet<Signers> disabled = EnumSet.of(Signers.OAUTH, Signers.UNKNOWN);
+        EnumSet<Signers> disabled = EnumSet.of(Signers.OAUTH, Signers.NIMBUSDS, Signers.UNKNOWN);
         this.enabled = EnumSet.complementOf(disabled);
     }
 

src/main/java/burp/proxy/AnnotationsModifier.java

@@ -7,7 +7,7 @@
 import burp.api.montoya.utilities.ByteUtils;
 import burp.config.ProxyConfig;
 import burp.config.SignerConfig;
-import one.d4d.sessionless.itsdangerous.model.SignedTokenObjectFinder;
+import one.d4d.signsaboteur.itsdangerous.model.SignedTokenObjectFinder;
 
 import java.util.List;
 

src/main/java/burp/scanner/BrokenSecretKeyIssue.java

@@ -7,9 +7,8 @@
 import burp.api.montoya.scanner.audit.issues.AuditIssueConfidence;
 import burp.api.montoya.scanner.audit.issues.AuditIssueDefinition;
 import burp.api.montoya.scanner.audit.issues.AuditIssueSeverity;
-import one.d4d.sessionless.itsdangerous.model.SignedToken;
-import one.d4d.sessionless.keys.SecretKey;
-import one.d4d.sessionless.utils.Utils;
+import one.d4d.signsaboteur.keys.SecretKey;
+import one.d4d.signsaboteur.utils.Utils;
 
 import java.util.Collections;
 import java.util.List;

src/main/java/burp/scanner/ScannerHandler.java

@@ -13,13 +13,13 @@
 import burp.api.montoya.scanner.audit.issues.AuditIssueConfidence;
 import burp.api.montoya.scanner.audit.issues.AuditIssueSeverity;
 import burp.config.SignerConfig;
-import one.d4d.sessionless.itsdangerous.Attack;
-import one.d4d.sessionless.itsdangerous.BruteForce;
-import one.d4d.sessionless.itsdangerous.model.MutableSignedToken;
-import one.d4d.sessionless.itsdangerous.model.SignedTokenObjectFinder;
-import one.d4d.sessionless.keys.SecretKey;
-import one.d4d.sessionless.presenter.PresenterStore;
-import one.d4d.sessionless.utils.Utils;
+import one.d4d.signsaboteur.itsdangerous.Attack;
+import one.d4d.signsaboteur.itsdangerous.BruteForce;
+import one.d4d.signsaboteur.itsdangerous.model.MutableSignedToken;
+import one.d4d.signsaboteur.itsdangerous.model.SignedTokenObjectFinder;
+import one.d4d.signsaboteur.keys.SecretKey;
+import one.d4d.signsaboteur.presenter.PresenterStore;
+import one.d4d.signsaboteur.utils.Utils;
 
 import java.util.*;
 

src/main/java/burp/scanner/ScannerPresenter.java

@@ -1,9 +1,9 @@
 package burp.scanner;
 
-import one.d4d.sessionless.keys.SecretKey;
-import one.d4d.sessionless.presenter.KeyPresenter;
-import one.d4d.sessionless.presenter.Presenter;
-import one.d4d.sessionless.presenter.PresenterStore;
+import one.d4d.signsaboteur.keys.SecretKey;
+import one.d4d.signsaboteur.presenter.KeyPresenter;
+import one.d4d.signsaboteur.presenter.Presenter;
+import one.d4d.signsaboteur.presenter.PresenterStore;
 
 import java.util.List;
 import java.util.Set;

src/main/java/one/d4d/sessionless/PercentageBasedColumnWidthTable.java → src/main/java/one/d4d/signsaboteur/PercentageBasedColumnWidthTable.java

@@ -1,4 +1,4 @@
-package one.d4d.sessionless;
+package one.d4d.signsaboteur;
 
 import javax.swing.*;
 import javax.swing.table.TableColumnModel;

src/main/java/one/d4d/sessionless/RowHeightDecoratingTableCellRenderer.java → src/main/java/one/d4d/signsaboteur/RowHeightDecoratingTableCellRenderer.java

@@ -1,4 +1,4 @@
-package one.d4d.sessionless;
+package one.d4d.signsaboteur;
 
 import javax.swing.*;
 import javax.swing.table.TableCellRenderer;

src/main/java/one/d4d/sessionless/forms/AlternateRowBackgroundDecoratingTableCellRenderer.java → src/main/java/one/d4d/signsaboteur/forms/AlternateRowBackgroundDecoratingTableCellRenderer.java

@@ -1,4 +1,4 @@
-package one.d4d.sessionless.forms;
+package one.d4d.signsaboteur.forms;
 
 import javax.swing.*;
 import javax.swing.table.TableCellRenderer;

src/main/java/one/d4d/sessionless/forms/EditorTab.form → src/main/java/one/d4d/signsaboteur/forms/EditorTab.form

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<form xmlns="http://www.intellij.com/uidesigner/form/" version="1" bind-to-class="one.d4d.sessionless.forms.EditorTab">
+<form xmlns="http://www.intellij.com/uidesigner/form/" version="1" bind-to-class="one.d4d.signsaboteur.forms.EditorTab">
   <grid id="27dc6" binding="mainPanel" layout-manager="GridLayoutManager" row-count="1" column-count="1" same-size-horizontally="false" same-size-vertically="false" hgap="-1" vgap="-1">
     <margin top="5" left="5" bottom="5" right="5"/>
     <constraints>

src/main/java/one/d4d/sessionless/forms/EditorTab.java → src/main/java/one/d4d/signsaboteur/forms/EditorTab.java

@@ -1,17 +1,17 @@
-package one.d4d.sessionless.forms;
+package one.d4d.signsaboteur.forms;
 
 import burp.api.montoya.collaborator.CollaboratorPayloadGenerator;
 import burp.api.montoya.ui.Selection;
 import burp.api.montoya.ui.editor.extension.ExtensionProvidedEditor;
 import burp.config.SignerConfig;
-import one.d4d.sessionless.forms.utils.FormUtils;
-import one.d4d.sessionless.hexcodearea.HexCodeAreaFactory;
-import one.d4d.sessionless.presenter.EditorPresenter;
-import one.d4d.sessionless.presenter.PresenterStore;
-import one.d4d.sessionless.rsta.RstaFactory;
-import one.d4d.sessionless.utils.ErrorLoggingActionListenerFactory;
-import one.d4d.sessionless.utils.MaxLengthStringComboBoxModel;
-import one.d4d.sessionless.utils.Utils;
+import one.d4d.signsaboteur.forms.utils.FormUtils;
+import one.d4d.signsaboteur.hexcodearea.HexCodeAreaFactory;
+import one.d4d.signsaboteur.presenter.EditorPresenter;
+import one.d4d.signsaboteur.presenter.PresenterStore;
+import one.d4d.signsaboteur.rsta.RstaFactory;
+import one.d4d.signsaboteur.utils.ErrorLoggingActionListenerFactory;
+import one.d4d.signsaboteur.utils.MaxLengthStringComboBoxModel;
+import one.d4d.signsaboteur.utils.Utils;
 import org.exbin.deltahex.EditationAllowed;
 import org.exbin.deltahex.swing.CodeArea;
 import org.exbin.utils.binary_data.ByteArrayEditableData;

src/main/java/one/d4d/sessionless/forms/ExtensionTab.form → src/main/java/one/d4d/signsaboteur/forms/ExtensionTab.form

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<form xmlns="http://www.intellij.com/uidesigner/form/" version="1" bind-to-class="one.d4d.sessionless.forms.ExtensionTab">
+<form xmlns="http://www.intellij.com/uidesigner/form/" version="1" bind-to-class="one.d4d.signsaboteur.forms.ExtensionTab">
   <grid id="27dc6" binding="rootPanel" layout-manager="GridLayoutManager" row-count="1" column-count="1" same-size-horizontally="false" same-size-vertically="false" hgap="-1" vgap="-1">
     <margin top="0" left="0" bottom="0" right="0"/>
     <constraints>
@@ -25,7 +25,7 @@
             <properties/>
             <border type="none"/>
             <children>
-              <nested-form id="e8dce" form-file="one/d4d/sessionless/forms/WordlistView.form" binding="wordlistView" custom-create="true">
+              <nested-form id="e8dce" form-file="one/d4d/signsaboteur/forms/WordlistView.form" binding="wordlistView" custom-create="true">
                 <constraints>
                   <grid row="0" column="0" row-span="1" col-span="1" vsize-policy="0" hsize-policy="0" anchor="1" fill="1" indent="0" use-parent-layout="false"/>
                 </constraints>
@@ -40,7 +40,7 @@
             <properties/>
             <border type="none"/>
             <children>
-              <nested-form id="caec" form-file="one/d4d/sessionless/forms/SettingsView.form" binding="settingsView" custom-create="true">
+              <nested-form id="caec" form-file="one/d4d/signsaboteur/forms/SettingsView.form" binding="settingsView" custom-create="true">
                 <constraints>
                   <grid row="0" column="0" row-span="1" col-span="1" vsize-policy="0" hsize-policy="0" anchor="1" fill="1" indent="0" use-parent-layout="false"/>
                 </constraints>

src/main/java/one/d4d/sessionless/forms/ExtensionTab.java → src/main/java/one/d4d/signsaboteur/forms/ExtensionTab.java

@@ -1,11 +1,11 @@
-package one.d4d.sessionless.forms;
+package one.d4d.signsaboteur.forms;
 
 import burp.api.montoya.ui.UserInterface;
 import burp.config.BurpConfig;
 import burp.config.BurpKeysModelPersistence;
 import burp.config.KeysModel;
-import one.d4d.sessionless.presenter.PresenterStore;
-import one.d4d.sessionless.utils.Utils;
+import one.d4d.signsaboteur.presenter.PresenterStore;
+import one.d4d.signsaboteur.utils.Utils;
 
 import javax.swing.*;
 import java.awt.*;

src/main/java/one/d4d/sessionless/forms/KeysTableColumns.java → src/main/java/one/d4d/signsaboteur/forms/KeysTableColumns.java

@@ -1,6 +1,6 @@
-package one.d4d.sessionless.forms;
+package one.d4d.signsaboteur.forms;
 
-import one.d4d.sessionless.utils.Utils;
+import one.d4d.signsaboteur.utils.Utils;
 
 import static java.util.Arrays.stream;
 

src/main/java/one/d4d/sessionless/forms/KeysTableModel.java → src/main/java/one/d4d/signsaboteur/forms/KeysTableModel.java

@@ -1,6 +1,6 @@
-package one.d4d.sessionless.forms;
+package one.d4d.signsaboteur.forms;
 
-import one.d4d.sessionless.keys.SecretKey;
+import one.d4d.signsaboteur.keys.SecretKey;
 
 import javax.swing.table.AbstractTableModel;
 import java.util.ArrayList;

src/main/java/one/d4d/sessionless/forms/MessageDialogFactory.java → src/main/java/one/d4d/signsaboteur/forms/MessageDialogFactory.java

@@ -1,6 +1,6 @@
-package one.d4d.sessionless.forms;
+package one.d4d.signsaboteur.forms;
 
-import one.d4d.sessionless.utils.Utils;
+import one.d4d.signsaboteur.utils.Utils;
 
 import javax.swing.*;
 import java.awt.*;

src/main/java/one/d4d/sessionless/forms/RequestEditorView.java → src/main/java/one/d4d/signsaboteur/forms/RequestEditorView.java

@@ -1,4 +1,4 @@
-package one.d4d.sessionless.forms;
+package one.d4d.signsaboteur.forms;
 
 import burp.api.montoya.collaborator.CollaboratorPayloadGenerator;
 import burp.api.montoya.core.ByteArray;
@@ -9,10 +9,10 @@
 import burp.api.montoya.ui.UserInterface;
 import burp.api.montoya.ui.editor.extension.ExtensionProvidedHttpRequestEditor;
 import burp.config.SignerConfig;
-import one.d4d.sessionless.hexcodearea.HexCodeAreaFactory;
-import one.d4d.sessionless.presenter.PresenterStore;
-import one.d4d.sessionless.rsta.RstaFactory;
-import one.d4d.sessionless.utils.ErrorLoggingActionListenerFactory;
+import one.d4d.signsaboteur.hexcodearea.HexCodeAreaFactory;
+import one.d4d.signsaboteur.presenter.PresenterStore;
+import one.d4d.signsaboteur.rsta.RstaFactory;
+import one.d4d.signsaboteur.utils.ErrorLoggingActionListenerFactory;
 
 import java.net.URL;