Unable to sign JWT after creating symmetric key #19

Open
prasgop opened this issue May 22, 2023 · 12 comments

@prasgop

prasgop commented May 22, 2023

I have noticed this issue with different lab cases, not with just one case. It is working fine with RSA keys but I am not able to sign the token after creating symmetric keys, and I am not able to complete the respective labs. After clicking OK (shown in the 3rd screenshot below), it does not go anywhere; the pop-up screen just stays there and the token won't get signed. (The pop-up disappears if I click Cancel, though.)

Screenshots attached below from a PortSwigger lab (JWT authentication bypass via kid header path traversal):

ss1
ss2
ss3

Yesterday, I was trying a simple lab of finding the secret using hashcat, creating a symmetric key of the same and signing the token with it. I faced the same issue in that case too. I kept clicking ok to sign but nothing happened. I was able to complete that token and lab using jwt.io. For the latest case mentioned above however, I do not know how to edit 'k' and sign the token if the extension doesn't work.

Any help?
Please let me know if you need any additional info to understand the issue.
Thanks in advance!

@prasgop
Author

prasgop commented May 22, 2023

Just to clarify, the issue is with the 'ok' button on the final signing screen only. I tried to switch between radio buttons and see but noticed that the selection on 'Don't modify header' is just disappearing without any further changes. It just hangs there unless I click cancel.

@DolphFlynn
Contributor

Hi @prasgop, I've not managed to reproduce your issue with the symmetric key 'AA=='. This should be padded with null bytes before signing to work around a length constraint. It sounds like an exception is being thrown during the signing operation. Do you see anything logged out if you start Burp manually from a console?

@prasgop
Author

prasgop commented May 22, 2023

Thanks for the quick response.
I have also seen a mention of length in some online sources, but the videos under community solutions for the lab had it performed with just the Base64 encoding of a null byte and no additional padding. The lab solution says the same. I am however not able to reproduce the scenario as it's not doing anything when I click OK to sign. Everything else looks fine so far with the extension and Burp. I am not seeing anything different than usual when starting or closing Burp. Is there something that you want me to check specifically? Or if you want me to try padding, can you please tell me how to?
Thanks

@prasgop
Author

prasgop commented May 22, 2023

Just a quick update -
I have tried the same lab in my Kali VM using Burp Community now. The JWT Editor signing function worked fine and I am able to complete the lab. Not sure as to why that particular button is not working when I am using the editor in my host machine's Burp!! Wish I could have it working on my host too.

Thanks

@DolphFlynn
Contributor

The extension pads symmetric keys less than 64 bytes so your key should work fine. If you can reproduce the issue on your host machine then there may be something useful logged to the console.
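
An added illustration (not from the thread or the extension's source) of why null-byte padding up to 64 bytes leaves an HS256 signature unchanged: HMAC itself zero-pads keys shorter than the SHA-256 block size, while keys longer than the block are hashed first. The header, payload and helper names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

BLOCK_SIZE = 64  # SHA-256 block size in bytes; HMAC zero-pads shorter keys to this


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pad_key(key: bytes, length: int = BLOCK_SIZE) -> bytes:
    """Right-pad a short key with null bytes; longer keys are returned unchanged."""
    return key + b"\x00" * max(0, length - len(key))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Return a compact HS256 JWS over the given header and payload."""
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(tag)}"


def verify_hs256(token: str, key: bytes) -> bool:
    """Recompute the tag and compare it in constant time."""
    signing_input, _, sig = token.rpartition(".")
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(b64url(tag), sig)


# Constructed sample values (not taken from the thread's screenshots).
HEADER = {"alg": "HS256", "typ": "JWT"}
PAYLOAD = {"sub": "example-user"}
RAW_KEY = base64.b64decode("AA==")  # the key from the thread: one null byte


def demo() -> tuple:
    short = sign_hs256(HEADER, PAYLOAD, RAW_KEY)
    padded = sign_hs256(HEADER, PAYLOAD, pad_key(RAW_KEY))          # 64 null bytes
    over_block = sign_hs256(HEADER, PAYLOAD, pad_key(RAW_KEY, 65))  # hashed first
    return short == padded, short == over_block
```

Since the padded and unpadded keys are equivalent to HMAC, padding satisfies a library's minimum-length check without adding any entropy to a weak secret.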

@prasgop
Author

prasgop commented May 22, 2023

Can you please tell me where I should check for that log?

Thanks

@DolphFlynn
Contributor

Sure. You can get Burp to log to a file by enabling 'Log performance data to a local directory'. This can be found within Settings -> Suite -> Performance Update.

Alternatively if you start Burp from the command line any exceptions should get logged to either stdout or stderr.

If either of these print anything related to your JWT signing then we should be able to see what's going on.

@pandak1d

pandak1d commented Jul 13, 2023

In the new version of Burpsuite, when you click SIGN, there is no response (at this time Alg is HS256)

@pandak1d

> Sure. You can get Burp to log to a file by enabling 'Log performance data to a local directory'. This can be found within Settings -> Suite -> Performance Update.
>
> Alternatively if you start Burp from the command line any exceptions should get logged to either stdout or stderr.
>
> If either of these print anything related to your JWT signing then we should be able to see what's going on.

It has nothing!

@DolphFlynn
Contributor

@pandak1d Can you post the corresponding key in either PEM or JWK format?

@pandak1d

> @pandak1d Can you post the corresponding key in either PEM or JWK format?

Yes, I can!

@pandak1d

pandak1d commented Aug 16, 2023

> Sure. You can get Burp to log to a file by enabling 'Log performance data to a local directory'. This can be found within Settings -> Suite -> Performance Update.
>
> Alternatively if you start Burp from the command line any exceptions should get logged to either stdout or stderr.
>
> If either of these print anything related to your JWT signing then we should be able to see what's going on.

java 17.0.7

java.lang.SecurityException: JCE cannot authenticate the provider BC
        at java.base/javax.crypto.JceSecurity.getInstance(JceSecurity.java:144)
        at java.base/javax.crypto.Mac.getInstance(Mac.java:272)
        at com.nimbusds.jose.crypto.impl.HMAC.getInitMac(HMAC.java:52)
        at com.nimbusds.jose.crypto.impl.HMAC.compute(HMAC.java:118)
        at com.nimbusds.jose.crypto.impl.HMAC.compute(HMAC.java:94)
        at com.nimbusds.jose.crypto.MACSigner.sign(MACSigner.java:193)
        at com.blackberry.jwteditor.utils.CryptoUtils.sign(CryptoUtils.java:100)
        at com.blackberry.jwteditor.operations.Operations.sign(Operations.java:95)
        at com.blackberry.jwteditor.view.dialog.operations.SignDialog.onOK(SignDialog.java:144)
        at com.blackberry.jwteditor.view.dialog.operations.SignDialog.lambda$new$0(SignDialog.java:73)
        at java.desktop/javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:1972)
        at java.desktop/javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2313)
        at java.desktop/javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:405)
        at java.desktop/javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:262)
        at java.desktop/javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:279)
        at java.desktop/java.awt.Component.processMouseEvent(Component.java:6626)
        at java.desktop/javax.swing.JComponent.processMouseEvent(JComponent.java:3389)
        at java.desktop/java.awt.Component.processEvent(Component.java:6391)
        at java.desktop/java.awt.Container.processEvent(Container.java:2266)
        at java.desktop/java.awt.Component.dispatchEventImpl(Component.java:5001)
        at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2324)
        at java.desktop/java.awt.Component.dispatchEvent(Component.java:4833)
        at java.desktop/java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4948)
        at java.desktop/java.awt.LightweightDispatcher.processMouseEvent(Container.java:4575)
        at java.desktop/java.awt.LightweightDispatcher.dispatchEvent(Container.java:4516)
        at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2310)
        at java.desktop/java.awt.Window.dispatchEventImpl(Window.java:2780)
        at java.desktop/java.awt.Component.dispatchEvent(Component.java:4833)
        at java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:773)
        at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:722)
        at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:716)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:399)
        at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:86)
        at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:97)
        at java.desktop/java.awt.EventQueue$5.run(EventQueue.java:746)
        at java.desktop/java.awt.EventQueue$5.run(EventQueue.java:744)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:399)
        at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:86)
        at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:743)
        at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203)
        at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124)
        at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:117)
        at java.desktop/java.awt.WaitDispatchSupport$2.run(WaitDispatchSupport.java:191)
        at java.desktop/java.awt.WaitDispatchSupport$4.run(WaitDispatchSupport.java:236)
        at java.desktop/java.awt.WaitDispatchSupport$4.run(WaitDispatchSupport.java:234)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
        at java.desktop/java.awt.WaitDispatchSupport.enter(WaitDispatchSupport.java:234)
        at java.desktop/java.awt.Dialog.show(Dialog.java:1080)
        at java.desktop/java.awt.Component.show(Component.java:1728)
        at java.desktop/java.awt.Component.setVisible(Component.java:1675)
        at java.desktop/java.awt.Window.setVisible(Window.java:1036)
        at java.desktop/java.awt.Dialog.setVisible(Dialog.java:1016)
        at com.blackberry.jwteditor.presenter.EditorPresenter.signingDialog(EditorPresenter.java:342)
        at com.blackberry.jwteditor.presenter.EditorPresenter.onSignClicked(EditorPresenter.java:321)
        at com.blackberry.jwteditor.view.EditorView.lambda$new$12(EditorView.java:144)
        at java.desktop/javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:1972)
        at java.desktop/javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2313)
        at java.desktop/javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:405)
        at java.desktop/javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:262)
        at java.desktop/javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:279)
        at java.desktop/java.awt.Component.processMouseEvent(Component.java:6626)
        at java.desktop/javax.swing.JComponent.processMouseEvent(JComponent.java:3389)
        at java.desktop/java.awt.Component.processEvent(Component.java:6391)
        at java.desktop/java.awt.Container.processEvent(Container.java:2266)
        at java.desktop/java.awt.Component.dispatchEventImpl(Component.java:5001)
        at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2324)
        at java.desktop/java.awt.Component.dispatchEvent(Component.java:4833)
        at java.desktop/java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4948)
        at java.desktop/java.awt.LightweightDispatcher.processMouseEvent(Container.java:4575)
        at java.desktop/java.awt.LightweightDispatcher.dispatchEvent(Container.java:4516)
        at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2310)
        at java.desktop/java.awt.Window.dispatchEventImpl(Window.java:2780)
        at java.desktop/java.awt.Component.dispatchEvent(Component.java:4833)
        at java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:773)
        at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:722)
        at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:716)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:399)
        at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:86)
        at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:97)
        at java.desktop/java.awt.EventQueue$5.run(EventQueue.java:746)
        at java.desktop/java.awt.EventQueue$5.run(EventQueue.java:744)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:399)
        at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:86)
        at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:743)
        at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203)
        at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124)
        at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:113)
        at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:109)
        at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
        at java.desktop/java.awt.EventDispatchThread.run(EventDispatchThread.java:90)
Caused by: java.util.jar.JarException: The JCE Provider file:/C:/Software/BurpSuite/burpsuite_pro_org.jar is not signed.
        at java.base/javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:464)
        at java.base/javax.crypto.JarVerifier.verifyJars(JarVerifier.java:317)
        at java.base/javax.crypto.JarVerifier.verify(JarVerifier.java:260)
        at java.base/javax.crypto.ProviderVerifier.verify(ProviderVerifier.java:130)
        at java.base/javax.crypto.JceSecurity.verifyProvider(JceSecurity.java:190)
        at java.base/javax.crypto.JceSecurity.getVerificationResult(JceSecurity.java:218)
        at java.base/javax.crypto.JceSecurity.getInstance(JceSecurity.java:140)
