From 4f51bfaa2a6b7484b9aee9b523829553e7e7c786 Mon Sep 17 00:00:00 2001
From: d4d
Date: Thu, 2 May 2024 13:44:56 +0100
Subject: [PATCH] ## [1.0.4] - 2024-05-02
### Changed
- Code refactoring
Signed-off-by: d4d
---
 CHANGELOG.md | 6 ++++++
 README.md | 2 +-
 build.gradle | 2 +-
 src/main/java/burp/SignSaboteurExtension.java | 6 ++++--
 src/main/java/burp/scanner/ScannerHandler.java | 7 +++++--
 src/test/java/RubySignedCookieTest.java | 17 +++++------------
 src/test/resources/salts | 1 +
 7 files changed, 23 insertions(+), 18 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8c704e3..9828630 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Changelog
+## [1.0.4] - 2024-05-02
+
+### Changed
+
+- Code refactoring
+
 ## [1.0.3] - 2024-04-25
 ### Added
diff --git a/README.md b/README.md
index 4c2e850..a0866d1 100644
--- a/README.md
+++ b/README.md
@@ -14,7 +14,7 @@ found [here](https://github.com/blackberry/jwt-editor) and [here](https://github
 * Ensure that Java JDK 17 or newer is installed
 * From root of project, run the command `./gradlew jar`
-* This should place the JAR file `sign-saboteur-1.0.3.jar` within the `build/libs` directory
+* This should place the JAR file `sign-saboteur-1.0.4.jar` within the `build/libs` directory
 * This can be loaded into Burp by navigating to the `Extensions` tab, `Installed` sub-tab, clicking `Add` and loading the JAR file
 * This BApp is using the newer Montoya API, so it's best to use the latest version of Burp (try the earlier adopter
diff --git a/build.gradle b/build.gradle
index fd62d89..fb3d2f8 100644
--- a/build.gradle
+++ b/build.gradle
@@ -3,7 +3,7 @@ plugins {
 }
 group = 'one.d4d'
-version = '1.0.3'
+version = '1.0.4'
 description = 'sign-saboteur'
 repositories {
diff --git a/src/main/java/burp/SignSaboteurExtension.java b/src/main/java/burp/SignSaboteurExtension.java
index 9913eac..2a9cdf2 100644
--- a/src/main/java/burp/SignSaboteurExtension.java
+++ b/src/main/java/burp/SignSaboteurExtension.java
@@ -96,7 +96,9 @@ public void initialize(MontoyaApi api) {
 proxyWebSocketCreation.proxyWebSocket().registerProxyMessageHandler(proxyWsMessageHandler)
 );
- ScannerHandler scannerHandler = new ScannerHandler(presenters, signerConfig);
- scanner.registerScanCheck(scannerHandler);
+ if (isProVersion) {
+ ScannerHandler scannerHandler = new ScannerHandler(presenters, signerConfig);
+ scanner.registerScanCheck(scannerHandler);
+ }
 }
 }
diff --git a/src/main/java/burp/scanner/ScannerHandler.java b/src/main/java/burp/scanner/ScannerHandler.java
index 4234e48..020f3b5 100644
--- a/src/main/java/burp/scanner/ScannerHandler.java
+++ b/src/main/java/burp/scanner/ScannerHandler.java
@@ -23,6 +23,9 @@ import java.util.*;
+import static burp.api.montoya.scanner.ConsolidationAction.KEEP_BOTH;
+import static burp.api.montoya.scanner.ConsolidationAction.KEEP_EXISTING;
+
 public class ScannerHandler implements ScanCheck {
 private final ScannerPresenter presenter;
 private final SignerConfig signerConfig;
@@ -45,8 +48,8 @@ public AuditResult passiveAudit(HttpRequestResponse httpRequestResponse) {
 }
 @Override
- public ConsolidationAction consolidateIssues(AuditIssue auditIssue, AuditIssue auditIssue1) {
- return null;
+ public ConsolidationAction consolidateIssues(AuditIssue newIssue, AuditIssue existingIssue) {
+ return existingIssue.detail().equals(newIssue.detail()) ? KEEP_EXISTING : KEEP_BOTH;
 }
 private List getRequestAuditIssues(HttpRequestResponse requestResponse) {
diff --git a/src/test/java/RubySignedCookieTest.java b/src/test/java/RubySignedCookieTest.java
index 90b7cca..172a85e 100644
--- a/src/test/java/RubySignedCookieTest.java
+++ b/src/test/java/RubySignedCookieTest.java
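Review bot: The new `if (isProVersion)` guard in `initialize` skips the scan-check registration without leaving any trace, so on other editions the passive audit in `ScannerHandler` is silently absent and a user cannot tell why no issues are reported. `isProVersion` is assigned outside this hunk, so how it is derived cannot be checked here; if it tests for the Professional edition only, confirm that is intended for every edition that ships a scanner. I would add a comment above the guard, `// Scan checks are registered only where Burp provides the scanner`, and an `else` branch that records the skip, e.g. `api.logging().logToOutput("Scan check not registered: scanner unavailable in this edition");`. The body of `initialize` starts above the hunk.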
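Review bot: In `consolidateIssues`, `existingIssue.detail().equals(newIssue.detail())` throws a NullPointerException when the existing issue carries no detail text, and `AuditIssue.detail()` is, as far as I know, documented as nullable in the Montoya API. `Objects` is already in scope through `import java.util.*;`, so the line can be `return Objects.equals(existingIssue.detail(), newIssue.detail()) ? KEEP_EXISTING : KEEP_BOTH;`. Comparing the detail alone also merges two findings that differ only in name or severity; if the issues built by `getRequestAuditIssues` (body outside this hunk) can differ that way, compare `name()` as well so a distinct finding is not dropped from the report.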
@@ -1,21 +1,14 @@
-import burp.api.montoya.core.ByteArray;
-import one.d4d.signsaboteur.itsdangerous.Algorithms;
 import one.d4d.signsaboteur.itsdangerous.Attack;
 import one.d4d.signsaboteur.itsdangerous.BruteForce;
-import one.d4d.signsaboteur.itsdangerous.model.MutableSignedToken;
 import one.d4d.signsaboteur.itsdangerous.model.RubySignedToken;
-import one.d4d.signsaboteur.itsdangerous.model.SignedToken;
-import one.d4d.signsaboteur.itsdangerous.model.SignedTokenObjectFinder;
 import one.d4d.signsaboteur.keys.SecretKey;
-import one.d4d.signsaboteur.utils.Utils;
-import org.apache.commons.lang3.StringUtils;
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.Test;
-import javax.crypto.SecretKeyFactory;
-import javax.crypto.spec.PBEKeySpec;
-import java.security.spec.KeySpec;
-import java.util.*;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
 public class RubySignedCookieTest {
@@ -92,7 +85,7 @@ void UnknownSignedDefaultRubySessionCookie32() {
 }
 @Test
- void ActiveStorageBlodTest() {
+ void ActiveStorageBlobTest() {
 String secret = "645deb7dc7a12794104f5dbc61ae22037cd9b1def6a8ea4becb3761349a32d483717d56b91bd7e95a9190f4cab6ffa5f118baacf08ac3e1bc4a7a2c186011653";
 String salt = "ActiveStorage";
 String message = "eyJfcmFpbHMiOnsiZGF0YSI6eyJrZXkiOiJ2bnhzNmZsb2tpMWxhNjVkeTl3ODkwc2tzMHFhIiwiZGlzcG9zaXRpb24iOiJhdHRhY2htZW50OyBmaWxlbmFtZT1cInNlY3JldC50eHRcIjsgZmlsZW5hbWUqPVVURi04JydzZWNyZXQudHh0IiwiY29udGVudF90eXBlIjoidGV4dC9wbGFpbiIsInNlcnZpY2VfbmFtZSI6ImxvY2FsIn0sImV4cCI6IjIwMjQtMDQtMjRUMTY6MjQ6MzUuMjMzWiIsInB1ciI6ImJsb2Jfa2V5In19";
diff --git a/src/test/resources/salts b/src/test/resources/salts
index e64bfd8..e45bb3a 100644
--- a/src/test/resources/salts
+++ b/src/test/resources/salts
@@ -13,4 +13,5 @@
 "signed cookie"
 "encrypted cookie"
 "signed encrypted cookie"
+"authenticated encrypted cookie"
 "a4fb52b0ccb302eaef92bda18fedf5c3"
\ No newline at end of file