## [1.0.5] - 2024-05-22

### Changed

- Passive scan is disabled by default now

Signed-off-by: d4d <[email protected]>

CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## [1.0.5] - 2024-05-22
+
+### Changed
+
+- Passive scan is disabled by default now
+
 ## [1.0.4] - 2024-05-02
 
 ### Changed

README.md

@@ -17,7 +17,7 @@ found [here](https://github.com/blackberry/jwt-editor) and [here](https://github
 
 * Ensure that Java JDK 17 or newer is installed
 * From root of project, run the command `./gradlew jar`
-* This should place the JAR file `sign-saboteur-1.0.4.jar` within the `build/libs` directory
+* This should place the JAR file `sign-saboteur-1.0.5.jar` within the `build/libs` directory
 * This can be loaded into Burp by navigating to the `Extensions` tab, `Installed` sub-tab, clicking `Add` and loading
   the JAR file
 * This BApp is using the newer Montoya API, so it's best to use the latest version of Burp (try the earlier adopter

build.gradle

@@ -3,7 +3,7 @@ plugins {
 }
 
 group = 'one.d4d'
-version = '1.0.4'
+version = '1.0.5'
 description = 'sign-saboteur'
 
 repositories {

src/main/java/burp/SignSaboteurExtension.java

@@ -96,7 +96,7 @@ public void initialize(MontoyaApi api) {
                 proxyWebSocketCreation.proxyWebSocket().registerProxyMessageHandler(proxyWsMessageHandler)
         );
 
-        if (isProVersion) {
+        if (isProVersion && proxyConfig.enablePassiveScan()) {
             ScannerHandler scannerHandler = new ScannerHandler(presenters, signerConfig);
             scanner.registerScanCheck(scannerHandler);
         }

src/main/java/burp/config/ProxyConfig.java

@@ -14,13 +14,24 @@ public class ProxyConfig {
     @Expose
     private boolean highlightToken;
     @Expose
+    private boolean enablePassiveScan;
+    @Expose
     private HighlightColor highlightColor;
 
     public ProxyConfig() {
         this.highlightToken = true;
+        this.enablePassiveScan = false;
         this.highlightColor = DEFAULT_HIGHLIGHT_COLOR;
     }
 
+    public boolean enablePassiveScan() {
+        return enablePassiveScan;
+    }
+
+    public void disablePassiveScan(boolean enablePassiveScan) {
+        this.enablePassiveScan = enablePassiveScan;
+    }
+
     public boolean highlightToken() {
         return highlightToken;
     }

src/main/java/one/d4d/signsaboteur/forms/SettingsView.form

@@ -3,12 +3,12 @@
   <grid id="27dc6" binding="mainPanel" layout-manager="GridLayoutManager" row-count="2" column-count="1" same-size-horizontally="false" same-size-vertically="false" hgap="-1" vgap="-1">
     <margin top="10" left="10" bottom="10" right="10"/>
     <constraints>
-      <xy x="20" y="20" width="577" height="442"/>
+      <xy x="20" y="20" width="577" height="554"/>
     </constraints>
     <properties/>
     <border type="none"/>
     <children>
-      <grid id="b35d6" binding="proxyPanel" layout-manager="GridLayoutManager" row-count="4" column-count="1" same-size-horizontally="false" same-size-vertically="false" hgap="-1" vgap="-1">
+      <grid id="b35d6" binding="proxyPanel" layout-manager="GridLayoutManager" row-count="4" column-count="2" same-size-horizontally="false" same-size-vertically="false" hgap="-1" vgap="-1">
         <margin top="10" left="5" bottom="15" right="5"/>
         <constraints>
           <grid row="0" column="0" row-span="1" col-span="1" vsize-policy="3" hsize-policy="3" anchor="1" fill="1" indent="0" use-parent-layout="false"/>
@@ -18,16 +18,16 @@
         <children>
           <component id="43656" class="javax.swing.JLabel" binding="proxyLabel">
             <constraints>
-              <grid row="0" column="0" row-span="1" col-span="1" vsize-policy="0" hsize-policy="0" anchor="8" fill="0" indent="0" use-parent-layout="false"/>
+              <grid row="0" column="0" row-span="1" col-span="2" vsize-policy="0" hsize-policy="0" anchor="8" fill="0" indent="0" use-parent-layout="false"/>
             </constraints>
             <properties>
               <text resource-bundle="strings" key="proxy_label"/>
             </properties>
           </component>
-          <grid id="dc98c" layout-manager="GridLayoutManager" row-count="2" column-count="2" same-size-horizontally="false" same-size-vertically="false" hgap="-1" vgap="-1">
+          <grid id="dc98c" layout-manager="GridLayoutManager" row-count="3" column-count="2" same-size-horizontally="false" same-size-vertically="false" hgap="-1" vgap="-1">
             <margin top="0" left="0" bottom="0" right="0"/>
             <constraints>
-              <grid row="1" column="0" row-span="1" col-span="1" vsize-policy="3" hsize-policy="3" anchor="9" fill="0" indent="0" use-parent-layout="false"/>
+              <grid row="1" column="0" row-span="1" col-span="2" vsize-policy="3" hsize-policy="3" anchor="9" fill="0" indent="0" use-parent-layout="false"/>
             </constraints>
             <properties/>
             <border type="empty"/>
@@ -63,17 +63,33 @@
                 </constraints>
                 <properties/>
               </component>
+              <component id="6305c" class="javax.swing.JCheckBox" binding="checkBoxPassiveScan">
+                <constraints>
+                  <grid row="2" column="0" row-span="1" col-span="1" vsize-policy="0" hsize-policy="3" anchor="0" fill="0" indent="0" use-parent-layout="false"/>
+                </constraints>
+                <properties>
+                  <text value=""/>
+                </properties>
+              </component>
+              <component id="c5c0c" class="javax.swing.JLabel">
+                <constraints>
+                  <grid row="2" column="1" row-span="1" col-span="1" vsize-policy="0" hsize-policy="0" anchor="8" fill="0" indent="0" use-parent-layout="false"/>
+                </constraints>
+                <properties>
+                  <text resource-bundle="strings" key="proxy_settings_enable_passwive_scan"/>
+                </properties>
+              </component>
             </children>
           </grid>
           <component id="a5abc" class="javax.swing.JSeparator">
             <constraints>
-              <grid row="2" column="0" row-span="1" col-span="1" vsize-policy="6" hsize-policy="6" anchor="0" fill="3" indent="0" use-parent-layout="false"/>
+              <grid row="2" column="0" row-span="1" col-span="2" vsize-policy="6" hsize-policy="6" anchor="0" fill="3" indent="0" use-parent-layout="false"/>
             </constraints>
             <properties/>
           </component>
           <vspacer id="be5a">
             <constraints>
-              <grid row="3" column="0" row-span="1" col-span="1" vsize-policy="6" hsize-policy="1" anchor="0" fill="2" indent="0" use-parent-layout="false"/>
+              <grid row="3" column="0" row-span="1" col-span="2" vsize-policy="6" hsize-policy="1" anchor="0" fill="2" indent="0" use-parent-layout="false"/>
             </constraints>
           </vspacer>
         </children>

src/main/java/one/d4d/signsaboteur/forms/SettingsView.java

@@ -31,6 +31,7 @@ public class SettingsView {
     private JCheckBox checkBoxEnableRubySignedString;
     private JCheckBox checkBoxEnableJWT;
     private JCheckBox checkBoxNIMBUSDS;
+    private JCheckBox checkBoxPassiveScan;
 
     public SettingsView(Window parent, BurpConfig burpConfig, UserInterface userInterface) {
         this.parent = parent;
@@ -42,6 +43,10 @@ public SettingsView(Window parent, BurpConfig burpConfig, UserInterface userInte
             comboBoxHighlightColor.setEnabled(checkBoxHighlightToken.isSelected());
             proxyConfig.setHighlightToken(checkBoxHighlightToken.isSelected());
         });
+        checkBoxPassiveScan.setSelected(proxyConfig.enablePassiveScan());
+        checkBoxPassiveScan.addActionListener(e -> {
+            proxyConfig.disablePassiveScan(checkBoxPassiveScan.isSelected());
+        });
 
         comboBoxHighlightColor.setModel(new DefaultComboBoxModel<>(HighlightColor.values()));
         comboBoxHighlightColor.setSelectedItem(proxyConfig.highlightColor());

src/main/java/one/d4d/signsaboteur/itsdangerous/model/SignedTokenObjectFinder.java

@@ -507,8 +507,8 @@ public static Optional<SignedToken> parseUnknownSignedString(String text) {
         if (separator == 0) return Optional.empty();
         int index = text.lastIndexOf(separator);
         String message = text.substring(0, index);
-        boolean isUrlencoded = message.indexOf('%') > -1;
         if (message.isEmpty()) return Optional.empty();
+        boolean isUrlencoded = message.indexOf('%') > -1;
         String signature = text.substring(index + 1);
         try {
             byte[] sign = Utils.normalization(signature.getBytes());

src/main/resources/salts

@@ -13,4 +13,5 @@
 "signed cookie"
 "encrypted cookie"
 "signed encrypted cookie"
-"ActiveStorage"
+"ActiveStorage"
+"authenticated encrypted cookie"

src/main/resources/secrets

@@ -7,6 +7,9 @@
 "<any secure random string>"
 "GENERATE_NEW_SECURE_RANDOM_KEY"
 "your signing key here"
+"your_secret_key_here"
+"secret-key-goes-here"
+"s3Cur3"
 "old keys here (for key rotation)"
 "__TODO:_GENERATE_YOUR_OWN_RANDOM_VALUE_HERE__"
 "61oETzKXQAGaYdkL5gEmGeJJFuYh7EQnp2X6TP1o/Vo="

src/main/resources/strings.properties

@@ -115,3 +115,4 @@ NIMBUSDS_label=NIMBUSDS
 button_load_defaults=Load defaults
 tooltip_NIMBUSDS=Use Nimbusds library to parse Json Web tokens
 urlencoded_checkbox=URL Encode
+proxy_settings_enable_passwive_scan=Enable Passive scan