nccgroup / HTTPSignatures

Licence: MIT license
A Burp Suite extension implementing the Signing HTTP Messages draft-ietf-httpbis-message-signatures-01 draft.


HTTPSignatures Burp Suite Extension

HTTPSignatures is a Burp Suite extension that implements the Signing HTTP Messages draft-ietf-httpbis-message-signatures-01 specification draft document. This allows Burp Suite users to seamlessly test applications that require HTTP Signatures.

Features

  • Automatically creates a new signature and digest in Burp Repeater, Intruder, and Scanner when the extension detects an existing HTTP Signature header.
  • Supports the rsa-sha256 algorithm for signing messages (RSASSA-PKCS1-v1_5 [RFC8017] using SHA-256 [RFC6234]) and SHA-256 for the digest header.
  • The extension works in Burp Suite Professional and in the free Burp Suite Community Edition.

Usage

Installation

Download the latest JAR release file and add it to Burp Suite through Extender Tab / Extensions / Add.

Configuration

  1. After loading the extension a new HTTP Signatures menu item will be added to Burp.
  2. Open the configuration tab (click the HTTP Signatures menu item).
  3. The minimum configuration requires the Header Name, the keyId, and the Private key file name and path to be configured. See below for the detailed description.
  4. You can now use Burp Proxy, Repeater, Intruder, and Scanner. The extension will create a new Signature for each request that contains the configured Header Name.

Usage

After HTTPSignatures has been correctly configured, the Burp Suite extension will replace the HTTP header value configured in the Header Name setting (e.g. Signature) with a new signature for every HTTP request sent through Burp Proxy, Repeater, Intruder, and Scanner.

HTTPSignatures Configuration

Documentation

The Burp Suite extension must be configured before it can be used. The HTTPSignatures configuration can be found in the Burp menu after it has been loaded (usually on the right of the Help menu). The Header Name, the keyId, and the Private key file name and path have to be correctly configured for the extension to work. The remaining settings can optionally be adjusted.

  • Header Name: (sample values: Authorization, Signature): The name of the HTTP request header that carries the signature. The IETF draft uses the Signature header name; Oracle Cloud (OCI) uses the Authorization header name.

  • keyId: The keyId parameter is a US-ASCII string used by a verifier to identify and/or obtain the signature's verification key. Sample values can look like https://mastodon.example.com/users/myUser (for ActivityPub) or ocid1.tenancy.oc1.../ocid1.user.oc1.../{fingerprint} for OCI.

  • Private key file name and path: The full path and file name containing the private key (e.g. /home/${USER}/private_key.pem).

  • Digest Header Name: The name of the header containing the digest. This should be either x-content-sha256 (for OCI) or digest for most other implementations.

  • Header Names to Sign: GET: The header names to include for GET requests (e.g. date (request-target) host). The (request-target) value is a special identifier consisting of the request method and the path and query of the request URI (e.g. get /foo?param=value).

  • Header Names to Sign: HEAD: The header names to include in HEAD requests (e.g. date (request-target) host).

  • Header Names to Sign: DELETE: The header names to include in DELETE requests (e.g. date (request-target) host).

  • Header Names to Sign: PUT: The header names to include in PUT requests (e.g. date (request-target) host content-length content-type digest).

  • Header Names to Sign: POST: The header names to include in POST requests (e.g. date (request-target) host content-length content-type digest).

  • Include query parameters in Signature: This boolean value specifies if query parameters (e.g. ?param=value) should be included in the signature. While the draft standard specifies that query parameters are part of the (request-target) identifier, not all implementations include query parameters. The default value is true.

  • Include the port in Signature: Some implementations do not include the port in the host header (e.g. localhost:8080). Setting this to false removes the port from the host header value before it is signed. The default value is true.
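As an added illustration (not code from the extension), the snippet below builds the body digest and the signing string from the settings described above, including the two toggles for query parameters and the host port; the final rsa-sha256 signature over that string is left out, and the bare base64 form of x-content-sha256 is an assumption here.

```python
import base64
import hashlib
from urllib.parse import urlsplit

# Constructed sample request; not captured from a real service.
SAMPLE_REQUEST = {
    "method": "POST",
    "url": "https://mastodon.example.com:8443/inbox?param=value",
    "headers": {
        "Date": "Tue, 07 Jun 2014 20:51:35 GMT",
        "Host": "mastodon.example.com:8443",
        "Content-Type": "application/activity+json",
    },
    "body": b'{"type":"Create"}',
}

def digest_value(body: bytes, header_name: str) -> str:
    """Body hash for the configured Digest Header Name. 'digest' uses the
    RFC 3230 form 'SHA-256=<base64>'; x-content-sha256 (OCI) is assumed
    here to carry the bare base64 hash."""
    b64 = base64.b64encode(hashlib.sha256(body).digest()).decode()
    return b64 if header_name.lower() == "x-content-sha256" else f"SHA-256={b64}"

def request_target(method: str, url: str, include_query: bool) -> str:
    """Lower-cased method, a space, then the path (plus query if enabled)."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if include_query and parts.query:
        target += "?" + parts.query
    return f"{method.lower()} {target}"

def signing_string(req, header_names, digest_header,
                   include_query=True, include_port=True):
    """One 'name: value' line per configured header, in the configured
    order, joined by newlines. This is the input to the rsa-sha256 signer."""
    headers = {k.lower(): v for k, v in req["headers"].items()}
    headers["content-length"] = str(len(req["body"]))
    headers[digest_header.lower()] = digest_value(req["body"], digest_header)
    if not include_port and ":" in headers.get("host", ""):
        headers["host"] = headers["host"].rsplit(":", 1)[0]
    lines = []
    for name in header_names.split():
        if name == "(request-target)":
            value = request_target(req["method"], req["url"], include_query)
        else:
            value = headers[name]  # KeyError if a listed header is absent
        lines.append(f"{name}: {value}")
    return "\n".join(lines)
```

A verifier that disagrees with the signer on either toggle rebuilds a different string and rejects the signature, which is the usual cause of "invalid signature" errors when moving a profile between implementations.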

Profiles

The HTTPSignatures configuration allows you to configure multiple profiles in tabs. Create a new tab by clicking on the ... tab. You can name tabs by double clicking on a tab. To save a tab click the "Save" button. To mark a tab as the active profile, click the "Use this profile" button. The active tab (profile) is marked with red font and border.

Global Configuration Settings

The global configuration section contains settings that apply to all profiles.

  • Enable the extension for the following Burp Suite tools: The extension can be enabled or disabled for the following Burp Suite tools:

    • Proxy (default: disabled)
    • Scanner (default: enabled)
    • Intruder (default: enabled)
    • Repeater (default: enabled)

    The proxy is disabled by default; the other tools are enabled by default. The proxy tool should usually only be enabled when using the intercept feature. The extension does not update the signature for a tool it is disabled for.

  • Enable Debug Logs: Enabling this checkbox will print debug logs to the standard output. The output can be configured in Burp Suite under Extender -> Extensions, then select the Signing HTTP Messages extension. In the Output tab you can select where the standard output will be shown. The default is Shown in UI where the output will be displayed within Burp Suite.

Example Configurations

ActivityPub

ActivityPub uses HTTP Signatures for server to server authentication and authorization.

  • Header Name: Signature
  • keyId: The keyId should link to the actor so that the publicKey field can be retrieved: https://mastodon.online/users/viktor. You can use curl to retrieve the key: curl https://mastodon.online/users/viktor -H 'Accept: application/activity+json'|jq
  • Private key file name and path: /home/user/private_key.pem
  • Digest Header Name: digest
  • Header Names to Sign: GET: date (request-target) host
  • Header Names to Sign: HEAD: date (request-target) host
  • Header Names to Sign: DELETE: date (request-target) host
  • Header Names to Sign: PUT: date (request-target) host content-length content-type digest
  • Header Names to Sign: POST: date (request-target) host content-length content-type digest
  • Include query parameters in Signature: true
  • Include the port in Signature: true

Oracle Cloud Infrastructure (OCI)

All Oracle Cloud Infrastructure (OCI) API requests require HTTP Signatures. The implementation is based on the draft specification with some modifications.

  • Header Name: Authorization
  • keyId: <TENANCY OCID>/<USER OCID>/<KEY FINGERPRINT>, e.g. ocid1.tenancy.oc1..<unique_ID>/ocid1.user.oc1..<unique_ID>/<key_fingerprint>
  • Private key file name and path: /home/user/private_key.pem
  • Digest Header Name: x-content-sha256
  • Header Names to Sign: GET: date (request-target) host
  • Header Names to Sign: HEAD: date (request-target) host
  • Header Names to Sign: DELETE: date (request-target) host
  • Header Names to Sign: PUT: date (request-target) host content-length content-type x-content-sha256
  • Header Names to Sign: POST: date (request-target) host content-length content-type x-content-sha256
  • Include query parameters in Signature: true
  • Include the port in Signature: true

Building with IntelliJ IDEA

  1. Clone this repository and Open or Import the HTTPSignatures folder in IntelliJ IDEA.
  2. Compile the project (Build -> Build Project)
  3. Create a JAR file to import in Burp Suite: Go to File -> Project Structure, select Project Settings -> Artifacts.
  4. Click the plus sign to create a new JAR file "From modules with dependencies" and click OK.
  5. Select the "Include in project build" checkbox to automatically create a JAR file when building the project and click OK.
  6. Build the project again (Ctrl+F9 or ⌘+F9).
  7. The JAR file is created in the project folder at out/artifacts/HTTPSignatures_jar/HTTPSignatures.jar.
  8. Load the JAR file in Burp through the Extender Tab -> Extensions -> Add.

Building on the Command Line using Maven

  1. Clone this repository.
  2. Compile the project and create a JAR file with the command mvn package assembly:single.
  3. The JAR file is created in the project folder at target/HTTPSignatures-1.0-SNAPSHOT-jar-with-dependencies.jar.
  4. Load the JAR file in Burp through the Extender Tab -> Extensions -> Add.

Dependencies

Three dependencies are required to build the Java project:
