Unable to sign JWT after creating symmetric key #19
Comments
Just to clarify, the issue is with the 'ok' button on the final signing screen only. I tried to switch between the radio buttons and see, but noticed that the selection on 'Don't modify header' just disappears without any further changes. It just hangs there unless I click cancel.
Hi @prasgop, I've not managed to reproduce your issue with the symmetric key 'AA=='. This should be padded with null bytes before signing to work around a length constraint. It sounds like an exception is being thrown during the signing operation. Do you see anything logged if you start Burp manually from a console?
Thanks for the quick response.
Just a quick update - Thanks
The extension pads symmetric keys of less than 64 bytes, so your key should work fine. If you can reproduce the issue on your host machine then there may be something useful logged to the console.
Can you please tell me where I should check for that log? Thanks
Sure. You can get Burp to log to a file by enabling 'Log performance data to a local directory'. This can be found within Settings -> Suite -> Performance Update. Alternatively, if you start Burp from the command line, any exceptions should get logged to either stdout or stderr. If either of these prints anything related to your JWT signing then we should be able to see what's going on.
It has nothing!
@pandak1d Can you post the corresponding key in either PEM or JWK format? |
yes, I can! |
java 17.0.7
I have noticed this issue with different lab cases, not with just one case. It is working fine with RSA keys, but I am not able to sign the token after creating symmetric keys, and I am not able to complete the respective labs. After clicking 'ok' (shown in the 3rd screenshot below), it does not go anywhere; the pop-up screen just stays there and the token won't get signed. The pop-up disappears if I click cancel, though.
Screenshots attached below from a PortSwigger lab (JWT authentication bypass via kid header path traversal):
Yesterday, I was trying a simple lab of finding the secret using hashcat, creating a symmetric key of the same and signing the token with it. I faced the same issue in that case too. I kept clicking ok to sign but nothing happened. I was able to complete that token and lab using jwt.io. For the latest case mentioned above, however, I do not know how to edit 'k' and sign the token if the extension doesn't work.
Any help?
Please let me know if you need any additional info to understand the issue.
Thanks in advance!
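The maintainer's reply above says the extension right-pads a symmetric key shorter than 64 bytes with null bytes before HS256 signing, and the reporter wants to sign with a JWK whose 'k' is "AA==" (a single zero byte). The following is an added, stand-alone Python example written for this page, not the extension's own code: it shows why that padding is harmless (HMAC-SHA256 already NUL-pads keys shorter than its 64-byte block size, so the signature over the padded key equals the signature over the raw key) and produces a signed token from such a JWK using only the standard library. The JWK, its kid, and the claims are constructed for illustration; the function names are this example's own.

```python
"""HS256 signing with a short 'oct' JWK key, NUL-padded to 64 bytes.

Added example, stdlib only. EXAMPLE_JWK and the claims are constructed
for illustration; nothing here is the JWT Editor extension's own code.
"""
import base64
import hashlib
import hmac
import json

HMAC_BLOCK_SIZE = 64  # SHA-256 block size; HMAC NUL-pads shorter keys to this length


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Accept both padded ("AA==") and unpadded ("AA") JWK/JWS encodings.
    text = text.rstrip("=")
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_oct_key_bytes(jwk: dict) -> bytes:
    """Extract the raw key from an RFC 7518 'oct' JWK; 'k' is base64url."""
    if jwk.get("kty") != "oct":
        raise ValueError("not a symmetric (oct) JWK")
    return b64url_decode(jwk["k"])


def pad_symmetric_key(key: bytes, size: int = HMAC_BLOCK_SIZE) -> bytes:
    """Right-pad a key shorter than `size` with NUL bytes, as the thread describes.

    HMAC (RFC 2104) already zero-pads keys shorter than the hash block size,
    so for SHA-256 this changes nothing about the resulting HS256 signature;
    it only satisfies libraries that reject keys shorter than 256 bits.
    """
    return key if len(key) >= size else key + b"\x00" * (size - len(key))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Build a compact JWS (header.payload.signature) with HS256."""
    parts = [b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
             for obj in (header, payload)]
    signing_input = ".".join(parts).encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return ".".join(parts + [b64url_encode(sig)])


def verify_hs256(token: str, key: bytes) -> bool:
    """Constant-time check of an HS256 compact JWS against `key`."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(s))


def padded_key_is_equivalent(key: bytes) -> bool:
    """True when NUL-padding `key` to 64 bytes leaves HS256 signatures unchanged."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": "probe"}
    return sign_hs256(header, payload, key) == sign_hs256(header, payload, pad_symmetric_key(key))


# Constructed JWK for illustration: 'k' of "AA==" is a single NUL byte.
EXAMPLE_JWK = {"kty": "oct", "kid": "example-short-key", "k": "AA=="}


def demo() -> dict:
    raw = jwk_oct_key_bytes(EXAMPLE_JWK)  # b"\x00"
    padded = pad_symmetric_key(raw)       # 64 NUL bytes
    header = {"alg": "HS256", "typ": "JWT", "kid": EXAMPLE_JWK["kid"]}
    payload = {"sub": "administrator", "iss": "example.invalid"}  # constructed claims
    token = sign_hs256(header, payload, padded)
    return {
        "raw_key_len": len(raw),
        "padded_key_len": len(padded),
        "token": token,
        "verifies_with_raw_key": verify_hs256(token, raw),
        "verifies_with_padded_key": verify_hs256(token, padded),
        "verifies_with_wrong_key": verify_hs256(token, b"secret"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it prints a token that verifies under both the one-byte key and its 64-byte padded form, which is why the extension can pad without changing what a target server will accept. The equivalence holds only for keys of at most 64 bytes; HMAC hashes longer keys first, and the padding routine deliberately leaves those alone, matching the "less than 64 bytes" rule stated in the thread.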