in ,


Sessionless – Burp Suite Extension for Editing, Signing, Verifying, Attacking Signed Tokens

Sessionless is a Burp Suite extension for editing, signing, verifying, attacking signed tokens: Django TimestampSignerItsDangerous SignerExpress cookie-session middlewareOAuth2 Proxy and Tornado’s signed cookies.

It provides automatic detection and in-line editing of token within HTTP requests/responses and WebSocket messages, signing of tokens and automation of brute force attacks against signed tokens implementations.

It was inspired by Fraser Winterborn and Dolph Flynn JWT Token extension. The original source code can be found here and here.

Build Instructions

  • Ensure that Java JDK 17 or newer is installed
  • From root of project, run the command ./gradlew jar
  • This should place the JAR file token-library-0.0.1.jar within the build/libs directory
  • This can be loaded into Burp by navigating to the Extensions tab, Installed sub-tab, clicking Add and loading the JAR file
  • This BApp is using the newer Montoya API so it’s best to use the latest version of Burp (try the earlier adopter channel if there are issues with the latest stable release)

Editable Fields

A JSON text editor is provided to edit each component that contain JSON content:

  • Dangerous Payload
  • Django Payload (except pickle serialized payload)
  • Express Payload

A timestamp editor is provided to edit each component that contain it:

  • Dangerous timestamp
  • Django timestamp
  • OAuth2 Proxy timestamp
  • Tornado timestamp

A hex editor is provided to all signed tokens, except Express signatures. NOTE Express Tab doesn’t support signature auto update yet. Please copy it manually to corresponding signature cookie.

Leave a Reply

Your email address will not be published. Required fields are marked *

GIPHY App Key not set. Please check settings

What do you think?

13 Points
Upvote Downvote

Posted by Prapattimynk

OpenStego – Hide Data In Harmless Looking Files

Slient URL Exploit Hidden Downloader