
Enhancement: adding SessionHandling controller #74

Open
virusvfv opened this issue Jun 20, 2022 · 4 comments

Comments

@virusvfv
Contributor

I think that JWT4B needs support for Burp SessionHandling (e.g. it could be a session handling controller or something else).
In other words, we set the signing algorithm and signing key and use JWT4B as a SessionHandling extension to re-sign every JWT that corresponds to our session rules (for example: every JWT in packets to login.microsoftonline.com).
With this feature we can automatically fuzz fields inside the JWT with Burp.

@ozzi-
Owner

ozzi- commented Jun 29, 2022

Can you send me any link to get started / read about this matter?

@virusvfv
Contributor Author

I'll check some ideas about it and will be back after a couple of days...

@virusvfv
Contributor Author

virusvfv commented Jul 2, 2022

Hi once more...)
After some experiments with Burp and JWTs I got the following idea...
Suppose we have some JWT (in decoded view):

Headers = {
  "typ": "JWT",
  "alg": "HS256",
  "someheader1": "blabla1",
  "someheader2": "blabla2"
}
Payload = {
  "payload1": "payloadstring",
  "payload2": "true"
}
Signature = "12345"

and we want to fuzz someheader1 and payload1.
We can't do this with Burp Intruder or Burp Scanner. We can do this only with Repeater and JWT4B in manual mode, using an HS256 or RSA key to correctly sign it every time.
So my idea is:
Let's put our JWT in CLEARTEXT in Intruder or Repeater, give it some "brackets" (for example: JWTFUZZ words) and make an extension that will encode and sign the JWT inside our "brackets".
So our request in Intruder will be:

POST /jwtlogin
Cookie: blabla
Authorization: Bearer JWTFUZZ
Headers = {
  "typ": "JWT",
  "alg": "HS256",
  "someheader1": "blabla1",
  "someheader2": "blabla1"
}
Payload = {
  "payload1": "payloadstring",
  "payload2": "true"
}
Signature = "12345"JWTFUZZ
Accept: application/json
Content-Length: 2716

Therefore JWT4B must search for the "brackets", parse the JSONs inside the "brackets", encode them into a correct JWT and sign it with an HS256 or RSA key.
To do this (I think) JWT4B must have some SessionHandler controller that will parse requests and re-sign them automatically.
With this option we can simply set a FUZZ point in Intruder or Scanner and start fuzzing.

As an example and as a temporary solution I created a Jython script which does this with the BurpScripter extension:

https://github.com/virusvfv/burpscripts/blob/master/jwtfuzz.py

I tested it with MS Office365 JWTs. It works. Unfortunately, to make it work we have to do many additional things with Burp: install Jython, correctly set up Jython in Burp, install additional libs (such as pyjwt, hashlib and others), etc...

So if you have some free time you could create similar functionality for JWT4B. It would be nice to have all in one Burp extension..
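The marker-based re-signing flow proposed in the two comments above (find the JWTFUZZ "brackets", parse the cleartext Headers and Payload objects, base64url-encode them, sign with the session key, and put the compact JWT back into the request) can be demonstrated in plain Python. This is an added example written for this page; it is not JWT4B code and not the jwtfuzz.py script linked above. It assumes the JWTFUZZ delimiter and the `Headers = {...}` / `Payload = {...}` cleartext layout from the comment, handles only HS256 (an RSA variant would need a private key and is left out), ignores the cleartext `Signature` line because the signature is always recomputed, and uses a constructed sample request and a constructed key. The `verify_hs256` helper is the check a defender would run on the server side to confirm the re-signed token is actually valid under the key.

```python
"""Re-sign a cleartext JWT placed between JWTFUZZ markers in an HTTP request (HS256).

Added example for this issue page; not JWT4B's code nor the jwtfuzz.py script.
"""
import base64
import hashlib
import hmac
import json

MARKER = "JWTFUZZ"  # delimiter chosen in the comment above (assumption: used as a literal word)


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7515 requires for JWS segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_segment(segment: str) -> dict:
    """Inverse of b64url for a JSON segment; re-adds the stripped padding."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def extract_object(text: str, name: str) -> dict:
    """Parse the JSON object that follows '<name> =' in the cleartext JWT.

    raw_decode handles nested braces and braces inside strings correctly,
    which a regular expression over the text would not.
    """
    start = text.index(name + " =")
    brace = text.index("{", start)
    obj, _end = json.JSONDecoder().raw_decode(text, brace)
    if not isinstance(obj, dict):
        raise ValueError(f"{name} is not a JSON object")
    return obj


def encode_and_sign(cleartext: str, key: bytes) -> str:
    """Turn the cleartext Headers/Payload blocks into a signed compact JWT (HS256 only)."""
    header = extract_object(cleartext, "Headers")
    payload = extract_object(cleartext, "Payload")
    if header.get("alg") != "HS256":
        raise ValueError("only HS256 is handled in this example")
    seg_h = b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    seg_p = b64url(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    signing_input = f"{seg_h}.{seg_p}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{seg_h}.{seg_p}.{b64url(sig)}"


def resign_request(raw_request: str, key: bytes, marker: str = MARKER) -> str:
    """Replace every marker-delimited cleartext JWT in the request with a signed compact JWT."""
    parts = raw_request.split(marker)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced markers in request")
    # Odd-indexed chunks sit between an opening and a closing marker.
    return "".join(encode_and_sign(chunk, key) if i % 2 == 1 else chunk
                   for i, chunk in enumerate(parts))


def verify_hs256(token: str, key: bytes) -> bool:
    """Server-side check: recompute the MAC over header.payload and compare in constant time."""
    try:
        seg_h, seg_p, seg_s = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(key, f"{seg_h}.{seg_p}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(b64url(expected), seg_s)


def bearer_token(raw_request: str) -> str:
    """Return the value after 'Authorization: Bearer ' (empty string if absent)."""
    for line in raw_request.splitlines():
        if line.startswith("Authorization: Bearer "):
            return line[len("Authorization: Bearer "):]
    return ""


# Constructed sample request mirroring the comment's layout; Content-Length is omitted
# because the marker span changes length once it is replaced by the compact token.
SAMPLE_KEY = b"constructed-test-key"
SAMPLE_REQUEST = (
    "POST /jwtlogin HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Authorization: Bearer " + MARKER + "\n"
    'Headers = {\n  "typ": "JWT",\n  "alg": "HS256",\n  "someheader1": "blabla1"\n}\n'
    'Payload = {\n  "payload1": "payloadstring",\n  "payload2": "true"\n}\n'
    'Signature = "12345"' + MARKER + "\r\n"
    "Accept: application/json\r\n\r\n"
)

if __name__ == "__main__":
    signed = resign_request(SAMPLE_REQUEST, SAMPLE_KEY)
    print(signed)
    print("verifies:", verify_hs256(bearer_token(signed), SAMPLE_KEY))
```

Because the replacement changes the body length, whatever reinserts the request into Burp has to let Content-Length be recomputed, and the `alg` check matters: the function refuses to emit a token for anything but HS256, so a fuzzed `alg` value is surfaced as an error instead of silently producing a token with a mismatched signature.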

@ozzi-
Owner

ozzi- commented Jul 13, 2022

Hi @virusvfv
Thank you for the elaborations, I was very busy at work and only managed to read this now.
Starting next week I will be on an extended holiday.
When I return, I will give this a try - maybe somebody else has some time until then.

Best regards & see you

Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants