## [0.0.2] - 2024-01-05

### Added
- Unknown signed string tab.
- Enabled signers setting added to the main tab
- _Known keys_ brute force technic added to the Attack mode

### Changed
- Upgrade dependencies: org.json:json

CHANGELOG.md

@@ -0,0 +1,11 @@
+# Changelog
+
+## [0.0.2] - 2024-01-05
+
+### Added
+- Unknown signed string tab. 
+- Enabled signers setting added to the main tab
+- _Known keys_ brute force technic added to the Attack mode
+
+### Changed
+- Upgrade dependencies: org.json:json 

README.md

@@ -1,6 +1,6 @@
 # Sessionless
 
-Sessionless is a Burp Suite extension for editing, signing, verifying, attacking signed tokens: [Django TimestampSigner](https://docs.djangoproject.com/en/5.0/topics/signing/#verifying-timestamped-values), [ItsDangerous Signer](https://itsdangerous.palletsprojects.com/en/2.1.x/signer/), [Express cookie-session middleware](https://expressjs.com/en/resources/middleware/cookie-session.html), [OAuth2 Proxy](https://github.com/oauth2-proxy/oauth2-proxy) and [Tornado’s signed cookies](https://www.tornadoweb.org/en/stable/guide/security.html).
+Sessionless is a Burp Suite extension for editing, signing, verifying, attacking signed tokens: [Django TimestampSigner](https://docs.djangoproject.com/en/5.0/topics/signing/#verifying-timestamped-values), [ItsDangerous Signer](https://itsdangerous.palletsprojects.com/en/2.1.x/signer/), [Express cookie-session middleware](https://expressjs.com/en/resources/middleware/cookie-session.html), [OAuth2 Proxy](https://github.com/oauth2-proxy/oauth2-proxy), [Tornado’s signed cookies](https://www.tornadoweb.org/en/stable/guide/security.html) and Unknown signed string.
 
 It provides automatic detection and in-line editing of token within HTTP requests/responses and WebSocket messages, signing of tokens and automation of brute force attacks against signed tokens implementations.
 
@@ -25,6 +25,14 @@ The `Editor View` supports a number of signed tokens: Django, Dangerous, Flask,
 
 The Dangerous tab can be used for both, `Flask` and `Django` tokens, which are selected depending on whether a Dangerous or Django token is detected.
 
+The Unknown tab can be used to brute force unknown signed strings. Guessing mode works only with _Balanced_ brute force attack. It supports different message derivation technics, including:
+
+* _None_ message will be used as is
+* _CONCAT_ separator byte will be removed from the message and that new value will be used to calculate signature
+* _Tornado_ separator byte will be added to the end of the message string
+
+<img src="gitimg/unknown_tab.png" width="400"/>
+
 ### Editable Fields
 
 A JSON text editor is provided to edit each component that contain JSON content:
@@ -55,6 +63,7 @@ A hex editor is provided to all signed tokens, except Express signatures. __NOTE
 
 The `Brute force` option implements three types of attacks against signed tokens Signatures:
 
+* _Known keys_ will use previously found secret keys only
 * _Fast_ will use default hashing algorithm and key derivation
 * _Balanced_ will use all known key derivation technics, except PBKDF2HMAC
 * _Deep_ will use all key derivation technics, including PBKDF2HMAC

build.gradle

@@ -4,7 +4,7 @@ plugins {
 }
 
 group = 'one.d4d'
-version = '0.0.1'
+version = '0.0.2'
 description = 'token-signer'
 
 repositories {
@@ -37,7 +37,7 @@ dependencies {
             'com.nimbusds:nimbus-jose-jwt:9.21',
             'org.exbin.deltahex:deltahex-swing:0.1.2',
             'com.fifesoft:rsyntaxtextarea:3.3.3',
-            'org.json:json:20230227',
+            'org.json:json:20231013',
             'org.apache.commons:commons-lang3:3.12.0'
     )
     testImplementation(

src/main/java/burp/SessionlessExtension.java

@@ -6,11 +6,7 @@
 import burp.api.montoya.proxy.Proxy;
 import burp.api.montoya.ui.UserInterface;
 import burp.api.montoya.utilities.ByteUtils;
-import burp.config.BurpConfig;
-import burp.config.BurpConfigPersistence;
-import burp.config.BurpKeysModelPersistence;
-import burp.config.KeysModel;
-import burp.proxy.ProxyConfig;
+import burp.config.*;
 import burp.proxy.ProxyHttpMessageHandler;
 import burp.proxy.ProxyWsMessageHandler;
 import one.d4d.sessionless.forms.ExtensionTab;
@@ -43,6 +39,11 @@ public void initialize(MontoyaApi api) {
         UserInterface userInterface = api.userInterface();
         Window suiteWindow = userInterface.swingUtils().suiteFrame();
 
+        Proxy proxy = api.proxy();
+        ProxyConfig proxyConfig = burpConfig.proxyConfig();
+        SignerConfig signerConfig = burpConfig.signerConfig();
+        ByteUtils byteUtils = api.utilities().byteUtils();
+
         boolean isProVersion = api.burpSuite().version().edition() == PROFESSIONAL;
         RstaFactory rstaFactory = new RstaFactory(userInterface, api.logging());
 
@@ -64,6 +65,7 @@ public void initialize(MontoyaApi api) {
                         api.logging(),
                         api.userInterface(),
                         api.collaborator().defaultPayloadGenerator(),
+                        signerConfig,
                         editorCreationContext.editorMode() != READ_ONLY,
                         isProVersion
                 )
@@ -76,20 +78,17 @@ public void initialize(MontoyaApi api) {
                         api.logging(),
                         api.userInterface(),
                         api.collaborator().defaultPayloadGenerator(),
+                        signerConfig,
                         editorCreationContext.editorMode() != READ_ONLY,
                         isProVersion
                 )
         );
 
-        Proxy proxy = api.proxy();
-        ProxyConfig proxyConfig = burpConfig.proxyConfig();
-        ByteUtils byteUtils = api.utilities().byteUtils();
-
-        ProxyHttpMessageHandler proxyHttpMessageHandler = new ProxyHttpMessageHandler(proxyConfig, byteUtils);
+        ProxyHttpMessageHandler proxyHttpMessageHandler = new ProxyHttpMessageHandler(proxyConfig, signerConfig, byteUtils);
         proxy.registerRequestHandler(proxyHttpMessageHandler);
         proxy.registerResponseHandler(proxyHttpMessageHandler);
 
-        ProxyWsMessageHandler proxyWsMessageHandler = new ProxyWsMessageHandler(proxyConfig, byteUtils);
+        ProxyWsMessageHandler proxyWsMessageHandler = new ProxyWsMessageHandler(proxyConfig, signerConfig, byteUtils);
         proxy.registerWebSocketCreationHandler(proxyWebSocketCreation ->
                 proxyWebSocketCreation.proxyWebSocket().registerProxyMessageHandler(proxyWsMessageHandler)
         );

src/main/java/burp/config/BurpConfig.java

@@ -1,13 +1,16 @@
 package burp.config;
 
-import burp.proxy.ProxyConfig;
 import com.google.gson.annotations.Expose;
 
 public class BurpConfig {
     private final @Expose ProxyConfig proxyConfig = new ProxyConfig();
+    private final @Expose SignerConfig signerConfig = new SignerConfig();
 
     public ProxyConfig proxyConfig() {
         return proxyConfig;
     }
 
+    public SignerConfig signerConfig() {
+        return signerConfig;
+    }
 }

src/main/java/burp/proxy/ProxyConfig.java → src/main/java/burp/config/ProxyConfig.java

@@ -1,5 +1,6 @@
-package burp.proxy;
+package burp.config;
 
+import burp.proxy.HighlightColor;
 import com.google.gson.annotations.Expose;
 import one.d4d.sessionless.utils.Utils;
 

src/main/java/burp/config/SignerConfig.java

@@ -0,0 +1,64 @@
+package burp.config;
+
+import com.google.gson.annotations.Expose;
+
+public class SignerConfig {
+    @Expose
+    private boolean enableDangerous;
+    @Expose
+    private boolean enableExpress;
+    @Expose
+    private boolean enableOAuth;
+    @Expose
+    private boolean enableTornado;
+    @Expose
+    private boolean enableUnknown;
+
+    public SignerConfig() {
+        this.enableDangerous = true;
+        this.enableExpress = true;
+        this.enableOAuth = false;
+        this.enableTornado = true;
+        this.enableUnknown = false;
+    }
+
+    public boolean isEnableDangerous() {
+        return enableDangerous;
+    }
+
+    public void setEnableDangerous(boolean enableDangerous) {
+        this.enableDangerous = enableDangerous;
+    }
+
+    public boolean isEnableExpress() {
+        return enableExpress;
+    }
+
+    public void setEnableExpress(boolean enableExpress) {
+        this.enableExpress = enableExpress;
+    }
+
+    public boolean isEnableOAuth() {
+        return enableOAuth;
+    }
+
+    public void setEnableOAuth(boolean enableOAuth) {
+        this.enableOAuth = enableOAuth;
+    }
+
+    public boolean isEnableTornado() {
+        return enableTornado;
+    }
+
+    public void setEnableTornado(boolean enableTornado) {
+        this.enableTornado = enableTornado;
+    }
+
+    public boolean isEnableUnknown() {
+        return enableUnknown;
+    }
+
+    public void setEnableUnknown(boolean enableUnknown) {
+        this.enableUnknown = enableUnknown;
+    }
+}

src/main/java/burp/proxy/AnnotationsModifier.java

@@ -5,17 +5,21 @@
 import burp.api.montoya.http.message.Cookie;
 import burp.api.montoya.http.message.params.ParsedHttpParameter;
 import burp.api.montoya.utilities.ByteUtils;
+import burp.config.ProxyConfig;
+import burp.config.SignerConfig;
 import one.d4d.sessionless.itsdangerous.model.SignedTokenObjectFinder;
 
 import java.util.List;
 
 class AnnotationsModifier {
     private final ByteUtils byteUtils;
     private final ProxyConfig proxyConfig;
+    private final SignerConfig signerConfig;
 
-    AnnotationsModifier(ProxyConfig proxyConfig, ByteUtils byteUtils) {
+    AnnotationsModifier(ProxyConfig proxyConfig, SignerConfig signerConfig, ByteUtils byteUtils) {
         this.byteUtils = byteUtils;
         this.proxyConfig = proxyConfig;
+        this.signerConfig = signerConfig;
     }
 
     void updateAnnotationsIfApplicable(Annotations annotations, ByteArray data, List<Cookie> cookies, List<ParsedHttpParameter> params) {
@@ -37,7 +41,7 @@ private void updateAnnotations(Annotations annotations, String messageString, Li
     }
 
     private Counts countExtractedSignedTokenObjects(String messageString, List<Cookie> cookies, List<ParsedHttpParameter> params) {
-        int count = SignedTokenObjectFinder.extractSignedTokenObjects(messageString, cookies, params).size();
+        int count = SignedTokenObjectFinder.extractSignedTokenObjects(signerConfig, messageString, cookies, params).size();
 
         return new Counts(proxyConfig, count);
     }

src/main/java/burp/proxy/ProxyHttpMessageHandler.java

@@ -2,12 +2,14 @@
 
 import burp.api.montoya.proxy.http.*;
 import burp.api.montoya.utilities.ByteUtils;
+import burp.config.ProxyConfig;
+import burp.config.SignerConfig;
 
 public class ProxyHttpMessageHandler implements ProxyRequestHandler, ProxyResponseHandler {
     private final AnnotationsModifier annotationsModifier;
 
-    public ProxyHttpMessageHandler(ProxyConfig proxyConfig, ByteUtils byteUtils) {
-        this.annotationsModifier = new AnnotationsModifier(proxyConfig, byteUtils);
+    public ProxyHttpMessageHandler(ProxyConfig proxyConfig, SignerConfig signerConfig, ByteUtils byteUtils) {
+        this.annotationsModifier = new AnnotationsModifier(proxyConfig, signerConfig, byteUtils);
     }
 
     @Override

src/main/java/burp/proxy/ProxyWsMessageHandler.java

@@ -2,12 +2,14 @@
 
 import burp.api.montoya.proxy.websocket.*;
 import burp.api.montoya.utilities.ByteUtils;
+import burp.config.ProxyConfig;
+import burp.config.SignerConfig;
 
 public class ProxyWsMessageHandler implements ProxyMessageHandler {
     private final AnnotationsModifier annotationsModifier;
 
-    public ProxyWsMessageHandler(ProxyConfig proxyConfig, ByteUtils byteUtils) {
-        this.annotationsModifier = new AnnotationsModifier(proxyConfig, byteUtils);
+    public ProxyWsMessageHandler(ProxyConfig proxyConfig, SignerConfig signerConfig, ByteUtils byteUtils) {
+        this.annotationsModifier = new AnnotationsModifier(proxyConfig, signerConfig, byteUtils);
     }
 
     @Override

src/main/java/one/d4d/sessionless/forms/EditorTab.form

@@ -529,6 +529,81 @@
                   </grid>
                 </children>
               </grid>
+              <grid id="9e45d" layout-manager="GridLayoutManager" row-count="3" column-count="1" same-size-horizontally="false" same-size-vertically="false" hgap="-1" vgap="-1">
+                <margin top="0" left="0" bottom="0" right="0"/>
+                <constraints>
+                  <tabbedpane title-resource-bundle="strings" title-key="unknown_tab_lable"/>
+                </constraints>
+                <properties/>
+                <border type="empty"/>
+                <children>
+                  <grid id="77895" layout-manager="GridLayoutManager" row-count="1" column-count="1" same-size-horizontally="false" same-size-vertically="false" hgap="-1" vgap="-1">
+                    <margin top="0" left="0" bottom="0" right="0"/>
+                    <constraints>
+                      <grid row="0" column="0" row-span="1" col-span="1" vsize-policy="3" hsize-policy="3" anchor="0" fill="3" indent="0" use-parent-layout="false"/>
+                    </constraints>
+                    <properties/>
+                    <border type="line" title-resource-bundle="strings" title-key="unknown_message_label">
+                      <color color="-7763575"/>
+                    </border>
+                    <children>
+                      <scrollpane id="241a5" class="org.fife.ui.rtextarea.RTextScrollPane">
+                        <constraints>
+                          <grid row="0" column="0" row-span="1" col-span="1" vsize-policy="7" hsize-policy="7" anchor="0" fill="3" indent="0" use-parent-layout="false"/>
+                        </constraints>
+                        <properties/>
+                        <border type="none"/>
+                        <children>
+                          <component id="849c2" class="org.fife.ui.rsyntaxtextarea.RSyntaxTextArea" binding="textAreaUnknownStringMessage" custom-create="true">
+                            <constraints/>
+                            <properties>
+                              <currentLineHighlightColor color="-1"/>
+                            </properties>
+                          </component>
+                        </children>
+                      </scrollpane>
+                    </children>
+                  </grid>
+                  <grid id="31275" layout-manager="GridLayoutManager" row-count="1" column-count="1" same-size-horizontally="false" same-size-vertically="false" hgap="-1" vgap="-1">
+                    <margin top="0" left="0" bottom="0" right="0"/>
+                    <constraints>
+                      <grid row="1" column="0" row-span="1" col-span="1" vsize-policy="3" hsize-policy="3" anchor="0" fill="3" indent="0" use-parent-layout="false"/>
+                    </constraints>
+                    <properties/>
+                    <border type="line" title-resource-bundle="strings" title-key="unknown_signature_label">
+                      <color color="-7763575"/>
+                    </border>
+                    <children>
+                      <scrollpane id="62dfa" class="org.fife.ui.rtextarea.RTextScrollPane">
+                        <constraints>
+                          <grid row="0" column="0" row-span="1" col-span="1" vsize-policy="7" hsize-policy="7" anchor="0" fill="3" indent="0" use-parent-layout="false"/>
+                        </constraints>
+                        <properties/>
+                        <border type="none"/>
+                        <children>
+                          <component id="5d611" class="org.fife.ui.rsyntaxtextarea.RSyntaxTextArea" binding="textAreaUnknownStringSignature" custom-create="true">
+                            <constraints/>
+                            <properties>
+                              <currentLineHighlightColor color="-1"/>
+                            </properties>
+                          </component>
+                        </children>
+                      </scrollpane>
+                    </children>
+                  </grid>
+                  <grid id="e5624" binding="panelUnknownStringSeparator" custom-create="true" layout-manager="GridLayoutManager" row-count="1" column-count="1" same-size-horizontally="false" same-size-vertically="false" hgap="-1" vgap="-1">
+                    <margin top="0" left="0" bottom="0" right="0"/>
+                    <constraints>
+                      <grid row="2" column="0" row-span="1" col-span="1" vsize-policy="3" hsize-policy="3" anchor="0" fill="3" indent="0" use-parent-layout="false"/>
+                    </constraints>
+                    <properties/>
+                    <border type="line" title-resource-bundle="strings" title-key="unknown_separator_label">
+                      <color color="-7763575"/>
+                    </border>
+                    <children/>
+                  </grid>
+                </children>
+              </grid>
             </children>
           </tabbedpane>
           <grid id="f207f" layout-manager="GridLayoutManager" row-count="1" column-count="4" same-size-horizontally="false" same-size-vertically="false" hgap="-1" vgap="-1">