- Save the script as JWTManipulationTool.py.
- Open Burp Suite and navigate to the "Extender" tab.
- Click on the "Extensions" tab and then the "Add" button.
- Select "Python" as the extension type and load JWTManipulationTool.py.
- Navigate to the "JWT Manipulation" tab that appears.
- You'll see the UI components for encoding, decoding, signing, and verifying JWTs.
Detailed Example for Each Functionality
Decoding a JWT
You have intercepted a JWT in a request and want to decode it to see its contents.
- Use Burp Suite's proxy to intercept a request containing a JWT.
- For example, the JWT might be in the Authorization header or a request parameter.
- Copy the JWT value (e.g., eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c).
- Navigate to the "JWT Manipulation" tab.
- Paste the JWT into the "JWT" field.
- Click the "Decode JWT" button.
- The tool will display the decoded header, payload, and signature in a message box.
- Review the decoded header and payload for sensitive information.
- For example, the payload might contain user information such as {"sub": "1234567890", "name": "John Doe", "iat": 1516239022}.
Encoding a JWT
You want to create a new JWT with specific claims.
- Navigate to the "JWT Manipulation" tab.
- Enter the desired header in JSON format. For example: {"alg": "HS256", "typ": "JWT"}.
- Enter the desired payload in JSON format. For example: {"sub": "1234567890", "name": "Jane Doe", "iat": 1516239022}.
- Enter the secret key that will be used to sign the JWT. For example: your-256-bit-secret.
- Click the "Encode JWT" button.
- The tool will display the encoded JWT in a message box. For example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkphbmUgRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.4t9_JLZdx1Jd_wVtG9Gy_GcnmfsAsys_8Q1Z8uN9h6E.
- Copy the encoded JWT and use it in your testing scenarios, such as modifying a request in Burp Suite.
Signing a JWT
You have a JWT with a modified payload and need to re-sign it.
- Decode the JWT using the steps described above.
- Modify the payload as needed. For example, change the name claim to {"sub": "1234567890", "name": "Jane Smith", "iat": 1516239022}.
- Encode the modified JWT without a signature.
- Navigate to the "JWT Manipulation" tab.
- Paste the modified JWT into the "JWT" field.
- Enter the secret key used for signing. For example: your-256-bit-secret.
- Select the signing algorithm (e.g., HS256).
- Click the "Sign JWT" button.
- The tool will display the new signed JWT in a message box. For example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkphbmUgU21pdGgiLCJpYXQiOjE1MTYyMzkwMjJ9.nGOW-U6x-SiJxFzR_ZKJPPv3XeJXmn5vEkVVi0VDibQ.
- Copy the signed JWT and use it in your testing scenarios.
Verifying a JWT
You want to verify the validity of a JWT.
- Obtain the JWT:
  - Capture the JWT you want to verify from an intercepted request.
- Verify the JWT:
  - Navigate to the "JWT Manipulation" tab.
  - Paste the JWT into the "JWT" field.
  - Enter the secret key used for signing. For example: your-256-bit-secret.
  - Select the signing algorithm (e.g., HS256).
  - Click the "Verify JWT" button.
  - The tool will display a message indicating whether the JWT is valid or invalid.
- Intercept JWT Traffic: Use Burp Suite to capture traffic containing JWTs.
- Decode and Analyze: Decode the JWT to inspect the claims and ensure they don't contain sensitive information.
- Modify and Test: Modify the JWT payload to test authorization and authentication mechanisms.
- Encode and Sign: Create new JWTs with specific claims and sign them for testing purposes.
- Verify Validity: Ensure JWTs are correctly signed and valid before using them in requests.
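The decode, sign and verify steps above, written out as a stand-alone Python 3 sketch for HS256 tokens. This is an added example, not the extension's own code, and it does not use the Burp API; the verifier pins the algorithm instead of trusting the token's header and compares MACs in constant time, and it reproduces the page's first example token from its header, payload and the secret your-256-bit-secret.

```python
import base64
import hashlib
import hmac
import json

# The token quoted on the page: jwt.io's sample token, signed with "your-256-bit-secret".
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
              "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c")

def b64url_encode(data):
    # JWS uses base64url without '=' padding (RFC 7515, Appendix C)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment):
    # restore the padding the encoder stripped before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt(token):
    """Split a compact token into (header, payload, signature) WITHOUT checking the signature."""
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), s

def sign_jwt(header, payload, secret):
    """Serialise header and payload compactly and sign 'header.payload' with HMAC-SHA256."""
    if header.get("alg") != "HS256":
        raise ValueError("this example only signs HS256 tokens")
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def verify_jwt(token, secret):
    """Recompute the MAC over the token's own 'header.payload' and compare in constant time."""
    try:
        h, p, s = token.split(".")
        header, sig = json.loads(b64url_decode(h)), b64url_decode(s)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return False
    # the expected algorithm is fixed by the verifier, so "alg": "none" or a swapped alg is rejected
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    expected = hmac.new(secret.encode(), (h + "." + p).encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

if __name__ == "__main__":
    header, payload, _ = decode_jwt(PAGE_TOKEN)
    print("valid with the page's secret:", verify_jwt(PAGE_TOKEN, "your-256-bit-secret"))
    # the change made in the "Signing a JWT" walkthrough, re-signed with the same secret
    print(sign_jwt(header, dict(payload, name="Jane Smith"), "your-256-bit-secret"))
```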
Hidden Parameters Detector
- Save the script as Hidden-Parameters.py.
- Open Burp Suite and navigate to the "Extender" tab.
- Click on the "Extensions" tab and then the "Add" button.
- Select "Python" as the extension type and load Hidden-Parameters.py.
- After loading, navigate to the "Hidden Params Detector" tab.
- The tool will automatically start checking responses for hidden parameters.
- The output will list detected hidden parameters in HTTP responses.
- Parameters will be highlighted, and relevant issues will be logged.
Steps in Real-World Use
- Monitor the "Hidden Params Detector" tab for any detected hidden parameters.
- Investigate highlighted parameters to understand their purpose and potential security implications.
Data Leak Prevention
- Save the script as DataLeak.py.
- Open Burp Suite and navigate to the "Extender" tab.
- Click on the "Extensions" tab and then the "Add" button.
- Select "Python" as the extension type and load DataLeak.py.
- Navigate to the "Data Leak Prevention" tab that appears.
- Optionally load additional patterns by clicking the "Load Patterns" button and selecting a file with regex patterns.
- Perform web application testing as usual.
- The tool will analyze HTTP responses for predefined patterns (e.g., SSNs, credit card numbers).
- Detected data leaks will be displayed in the text area with the pattern that matched.
- Configure the tool with additional patterns if necessary.
- Perform web application testing.
- Monitor the "Data Leak Prevention" tab for any detected data leaks.
- Address any found issues by reviewing and fixing the code or configuration that leaks sensitive data.
- Identify the target domains and applications.
- Load all necessary extensions in Burp Suite.
- Use Burp Suite’s proxy to intercept and examine traffic.
- Let the extensions run their checks in the background.
- Review the output from each extension tab.
- Document and prioritize the issues based on severity.
- Fix identified issues in the application code or configuration.
- Re-test to ensure issues are resolved.