https://github.com/d0ge/sessionless

Sessionless is a Burp Suite extension for editing, signing, verifying, attacking signed tokens: Django TimestampSigner, ItsDangerous Signer, Express cookie-session middleware, OAuth2 Proxy and Tornado’s signed cookies.

It provides automatic detection and in-line editing of token within HTTP requests/responses and WebSocket messages, signing of tokens and automation of brute force attacks against signed tokens implementations.

It was inspired by Fraser Winterborn and Dolph Flynn JWT Token extension. The original source code can be found here and here.

Build Instructions

• Ensure that Java JDK 17 or newer is installed
• From root of project, run the command ./gradlew jar
• This should place the JAR file token-library-0.0.1.jar within the build/libs directory
• This can be loaded into Burp by navigating to the Extensions tab, Installed sub-tab, clicking Add and loading the JAR file
• This BApp is using the newer Montoya API so it’s best to use the latest version of Burp (try the earlier adopter channel if there are issues with the latest stable release)

Editable Fields

A JSON text editor is provided to edit each component that contain JSON content:

• Dangerous Payload
• Django Payload (except pickle serialized payload)
• Express Payload

A timestamp editor is provided to edit each component that contain it:

• Dangerous timestamp
• Django timestamp
• OAuth2 Proxy timestamp
• Tornado timestamp

A hex editor is provided to all signed tokens, except Express signatures. NOTE Express Tab doesn’t support signature auto update yet. Please copy it manually to corresponding signature cookie.