An overview of SignSaboteur
SignSaboteur is a Burp Suite extension that automates the assessment and exploitation of signed web tokens. Supporting various token types, including Django, Flask, and Express, it enables you to edit, sign, verify and attack these tokens.
The extension features automatic detection and in-line editing of tokens within HTTP requests/responses and WebSocket messages. It includes prebuilt wordlists for default secret keys and salts, plus support for JSON-encoded strings and custom dictionaries. Users can save known keys for future attacks and modify signed tokens in Proxy and Repeater message editors.
Key features of SignSaboteur
- Automatic Detection & Editing: Inline editing of tokens within HTTP requests/responses and WebSocket messages.
- Prebuilt Wordlists: Includes default secret keys and salts, plus support for custom dictionaries and JSON-encoded strings.
- Brute Force Attacks: Automates brute force attacks using known keys and different derivation techniques.
- Authorisation Bypass Attacks: Supports multiple bypass attacks, including user-claim, Flask-claim and Express-claim attacks.
- Unknown Signed Strings Mode: Detects and analyses unknown signed tokens using various hashing functions.
Getting started with SignSaboteur
SignSaboteur can be installed from the BApp Store. A tab in Repeater gives access to its main functions, such as "Brute force", "Attack" and "Sign". The extension's settings, such as the default wordlists, are found higher up, in Burp Suite's own settings.
Case Study: Finding Secret Keys for Unknown Signed Web Tokens
Consider a scenario where you are testing an application that uses custom-signed web tokens for authentication. You need to determine the secret key used to sign these tokens to evaluate potential security flaws.
When dealing with unknown signed web tokens, SignSaboteur provides a robust method to identify and exploit potential vulnerabilities.
When you select "Unknown" in the "Enabled signers" menu, the extension looks for patterns that match the size of common hashing functions. Some message payloads might be incorrectly identified by SignSaboteur, and therefore require further manual inspection.
The extension supports various message and key derivation techniques used in brute-force attacks, eliminating the need for manual changes. To find the secret key of an unknown signed token:
- Navigate to the Unknown tab
- Click "Brute force"
- Choose from "Balanced" or "Deep" mode
Balanced Mode: Omits the slow hashing functions that Deep Mode adds.
Deep Mode: Includes slow hashing functions like Password-Based Key Derivation Function 2 (PBKDF2). Use this mode with caution, and only with small wordlists, as it can be time-consuming.
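As an added illustration of why the brute-force step has to try several key-derivation modes for every candidate secret (example code written for this page, not part of SignSaboteur), the Python below mirrors the itsdangerous derivation and signing conventions that Flask sessions use, builds a constructed session cookie, and checks whether it verifies under any entry of a small constructed default-secret list. The wordlist, the session contents and the simplified payload encoding are assumptions for the demonstration.

```python
import base64, hashlib, hmac, json

# Small constructed wordlist standing in for the extension's prebuilt
# default-secret lists (assumption: the real lists are far larger).
DEFAULT_SECRETS = [b"changeme", b"secret", b"password", b"django-insecure-key"]

def b64url(raw: bytes) -> str:
    """itsdangerous-style URL-safe base64 with the padding stripped."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def derive_key(secret: bytes, salt: bytes, derivation: str, digest=hashlib.sha1) -> bytes:
    """The derivation modes a brute-force run must try for each candidate
    secret; names follow itsdangerous, which Flask and Django-style signers use."""
    if derivation == "concat":          # digest(salt + secret)
        return digest(salt + secret).digest()
    if derivation == "django-concat":   # digest(salt + b"signer" + secret)
        return digest(salt + b"signer" + secret).digest()
    if derivation == "hmac":            # HMAC(secret, salt); Flask's default
        return hmac.new(secret, salt, digest).digest()
    if derivation == "none":            # raw secret used directly as the key
        return secret
    raise ValueError(derivation)

def sign(value: str, secret: bytes, salt=b"cookie-session", derivation="hmac") -> str:
    key = derive_key(secret, salt, derivation)
    return b64url(hmac.new(key, value.encode(), hashlib.sha1).digest())

def flask_session_cookie(session: dict, secret: bytes, timestamp: int) -> str:
    """Constructed Flask-style session cookie: payload.timestamp.signature."""
    payload = b64url(json.dumps(session, separators=(",", ":")).encode())
    ts = b64url(timestamp.to_bytes((timestamp.bit_length() + 7) // 8, "big"))
    value = f"{payload}.{ts}"
    return f"{value}.{sign(value, secret)}"

def find_weak_secret(cookie: str, wordlist=DEFAULT_SECRETS, salt=b"cookie-session"):
    """Audit check: does this cookie verify under any default secret, under
    any derivation mode? Returns (secret, derivation) or None."""
    value, _, sig = cookie.rpartition(".")
    for secret in wordlist:
        for derivation in ("hmac", "concat", "django-concat", "none"):
            if hmac.compare_digest(sign(value, secret, salt, derivation), sig):
                return secret, derivation
    return None

if __name__ == "__main__":
    cookie = flask_session_cookie({"user_id": 1}, b"secret", 1700000000)
    print(cookie)
    print(find_weak_secret(cookie))  # (b'secret', 'hmac')
```

A cookie signed with a secret from the list is flagged together with the derivation mode that matched, which is exactly what distinguishes a Flask-style "hmac" derivation from a Django-style "django-concat" one when the same secret is in use.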
Account User Claims, Authenticated Claims, User Access Token Attacks
Some frameworks use account wrappers to store authenticated user information, which may require the use of authenticated claims for exploitation. SignSaboteur supports this by implementing 12 well-known authorisation flags.
The ‘User Access Token’ option generates a JWT OpenID Connect ID token signed with the same key and hashing algorithm without key derivation, simplifying the process of forging valid tokens.
These techniques provide multiple vectors for bypassing authentication and gaining unauthorised access to sensitive resources.
Username and Password Claims, Flask Claims, Express Claims Attacks
Applications often store user details using "username" and "password" JSON attributes. SignSaboteur can generate a placeholder token for an admin user using these attributes.
In Flask applications, client-side stored session information typically includes attributes like "id", "_id", "user_id" or "_user_id". The extension can create a session token for the first user, usually the admin.
Similarly, in Express applications the "passport" JSON attribute is used to store user details, and SignSaboteur can generate a placeholder for the admin user, facilitating privilege escalation.
Useful Tips
SignSaboteur not only saves time by automatically detecting and editing tokens within HTTP requests and WebSocket messages, but also helps identify vulnerabilities that manual inspections might miss. Moreover, by using the extension’s pre-built wordlists to check for common weak secret keys and configurations, you can ensure a thorough security assessment while minimising the risk of server overload.