first commit

Author: sanktjodel

.gitignore

@@ -0,0 +1,4 @@
+*.iml
+.idea/
+out/
+target/

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020 NCC Group Plc
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,149 @@
+# `HTTPSignatures` Burp Suite Extension
+
+`HTTPSignatures` is a Burp Suite extension that implements the Signing HTTP Messages [`draft-ietf-httpbis-message-signatures-01`](https://tools.ietf.org/html/draft-ietf-httpbis-message-signatures-01) specification draft document.
+This allows Burp Suite users to seamlessly test applications that require HTTP Signatures.
+
+
+## Features
+
+- Automatically creates a new signature and digest in Burp Repeater, Intruder, and Scanner when the extension detects an existing HTTP Signature header. 
+- Supports the `rsa-sha256` algorithm for signing messages (`RSASSA-PKCS1-v1_5` [[RFC8017](https://tools.ietf.org/html/rfc8017)] using SHA-256 [[RFC6234](https://tools.ietf.org/html/rfc6234)]) and SHA-256 for the digest header. 
+- The extension works in Burp Suite Professional and in the free Burp Suite Community Edition.
+
+## Usage
+
+### Installation
+
+Download the [latest JAR release](https://github.com/nccgroup/HTTPSignatures/releases/latest) file and add it in Burp Suite through Extender Tab / Extensions / Add.
+
+### Configuration
+
+1. After loading the extension a new *HTTP Signatures* menu item will be added to Burp.
+2. Open the configuration tab (click the *HTTP Signatures* menu item).
+3. The minimum configuration requires the `Header Name`, the ``keyId``, and the `Private key file name and path` to be configured. See below for the detailed description. 
+4. You can now use Burp Proxy, Repeater, Intruder, and Scanner. 
+   The extension will create a new Signature for each request that contains the configured `Header Name`.
+
+### Use
+
+After `HTTPSignatures` has been correctly configured, the Burp Suite extension will replace the HTTP header value configured in the `Header Name` setting (e.g. `Signature`) with a new signature for every HTTP request sent through Burp Proxy, Repeater, Intruder, and Scanner.
+
+![`HTTPSignatures` Configuration](screenshots/config.png)
+
+## Documentation
+
+The Burp Suite extension must be configured before it can be used. 
+The `HTTPSignatures` configuration can be found in the Burp menu after it has been loaded (usually on the right of the Help menu). 
+The `Header Name`, the `keyId`, and the `Private key file name and path` have to be correctly configured for the extension to work.
+The remaining settings can optionally be adjusted.
+
+- **Header Name**: (sample values: `Authorization`, `Signature`): The name of the HTTP request header that includes the signature. 
+The IETF draft is using the `Signature` header name. Oracle Cloud (OCI) is using the `Authorization` header name.
+
+- **keyId**: The `keyId` parameter is a US-ASCII string used by a verifier to identify and/or obtain the signature's verification key.
+Sample values can look like `https://mastodon.example.com/users/myUser` (for ActivityPub) or `ocid1.tenancy.oc1.../ocid1.user.oc1.../{fingerprint}` for OCI.
+
+- **Private key file name and path**: The full path and file name containing the private key (e.g. `/home/${USER}/private_key.pem`).
+- **Digest Header Name**: The name of the header containing the digest. This should be either `x-content-sha256` (for OCI) or `digest` for most other implementations.
+- **Header Names to Sign: GET**: The header names to include for GET requests (e.g. `date (request-target) host`).
+The `(request-target)` value is a special identifier consisting of the request method and the path and query of the request URI (e.g. `get /foo?param=value`).
+- **Header Names to Sign: HEAD**: The header names to include in HEAD requests (e.g. `date (request-target) host`).
+- **Header Names to Sign: DELETE**: The header names to include in DELETE requests (e.g. `date (request-target) host`).
+- **Header Names to Sign: PUT**: The header names to include in PUT requests (e.g. `date (request-target) host content-length content-type digest`).
+- **Header Names to Sign: POST**: The header names to inlcude in POST requets (e.g. `date (request-target) host content-length content-type digest`).
+- **Include query parameters in Signature**: This boolean value specifies if query parameters (e.g. `?param=value`) should be included in the signature. 
+While the draft standard specifies that query parameters are part of the `(request-target)` identifier, not all implementations include query parameters. 
+The default value is `true`.
+- **Include the port in Signature**: Some implementations do not include the port in the host header (e.g. `localhost:8080`). 
+This setting allows to remove the port from the host header value if set to `false`. 
+The default value is `true`.
+
+### Profiles
+
+The `HTTPSignatures` configuration allows to configure multiple profiles in tabs. 
+Create a new tab by clicking on the `...` tab. 
+You can name tabs by double clicking on a tab. 
+To save a tab click the "Save" button. 
+To mark a tab as the active profile, click the "Use this profile" button.
+The **active tab** (profile) is marked with red font and border.
+
+### Global Configuration Settings
+
+The global configuration section contains settings that apply to all profiles.
+
+- **Enable the extension for the following Burp Suite tools**: The extension can be enabled or disabled for the following Burp Suite tools:
+    - Proxy (default: disabled)
+    - Scanner (default: enabled)
+    - Intruder (default: enabled)
+    - Repeater (default: enabled)
+
+    The proxy is disabled be default. The oder tools are enabled by default. The proxy tool should usually only be enabled when using the intercept feature. The extension will not update the signature when it is disabled.
+
+- **Enable Debug Logs**: Enabling this checkbox will print debug logs to the standard output. 
+  The output can be configured in Burp Suite under Extender -> Extensions, then select the *Signing HTTP Messages* extension. 
+  In the *Output* tab you can select where the standard output will be shown. 
+  The default is *Shown in UI* where the output will be displayed within Burp Suite. 
+
+## Example Configurations
+
+### ActivityPub
+
+[ActivityPub](https://www.w3.org/TR/activitypub/) uses HTTP Signatures for [server to server authentication and authorization](https://www.w3.org/wiki/SocialCG/ActivityPub/Authentication_Authorization). 
+
+- Header Name: `Signature`
+- keyId: The keyId should link to the actor so that the publicKey field can be retrieved: `https://mastodon.online/users/viktor`. 
+  You can use `curl` to retrieve the key: `curl https://mastodon.online/users/viktor -H 'Accept: application/activity+json'|jq`
+- Private key file name and path: `/home/user/private_key.pem`
+- Digest Header Name: `digest`
+- Header Names to Sign: GET: `date (request-target) host`
+- Header Names to Sign: HEAD: `date (request-target) host`
+- Header Names to Sign: DELETE: `date (request-target) host`
+- Header Names to Sign: PUT: `date (request-target) host content-length content-type digest`
+- Header Names to Sign: POST: `date (request-target) host content-length content-type digest`
+- Include query parameters in Signature: `true`
+- Include the port in Signature: `true`
+
+### Oracle Cloud Infrastructure (OCI)
+
+All Oracle Cloud Infrastructure (OCI) API requests [require HTTP Signatures](https://docs.cloud.oracle.com/en-us/iaas/Content/API/Concepts/signingrequests.htm). 
+The implementation is based on the draft specification with some modifications.
+
+- Header Name: `Authorization`
+- keyId: `<TENANCY OCID>/<USER OCID>/<KEY FINGERPRINT>`, e.g. `ocid1.tenancy.oc1..<unique_ID>/ocid1.user.oc1..<unique_ID>/<key_fingerprint>`
+- Private key file name and path: `/home/user/private_key.pem`
+- Digest Header Name: `x-content-sha256`
+- Header Names to Sign: GET: `date (request-target) host`
+- Header Names to Sign: HEAD: `date (request-target) host`
+- eader Names to Sign: DELETE: `date (request-target) host`
+- Header Names to Sign: PUT: `date (request-target) host content-length content-type x-content-sha256`
+- Header Names to Sign: POST: `date (request-target) host content-length content-type x-content-sha256`
+- Include query parameters in Signature: `true`
+- Include the port in Signature: `true`
+
+
+## Building with IntelliJ IDEA
+
+1. Clone this repository and *Open or Import* the `HTTPSignatures` folder in IntelliJ IDEA.
+2. Compile the project (Build -> Build Project)
+3. Create a JAR file to import in Burp Suite: Go to File -> Project Structure, select Project Settings -> Artifacts.
+4. Click the plus sign to create a new JAR file "From modules with dependencies" and click OK.
+5. Select the "Include in project build" checkbox to automatically create a JAR file when building the project and click OK.
+6. Build the project again (Ctrl+F9 or ⌘+F9).
+7. The JAR file is created in the project folder at `out/artifacts/HTTPSignatures_jar/HTTPSignatures.jar`.
+8. Load the JAR file in Burp through the Extender Tab -> Extensions -> Add.
+
+## Building on the Command Line using Maven
+
+1. Clone this repository.
+2. Compile the project and create a JAR file with the command `mvn package assembly:single`. 
+3. The JAR file is created in the project folder at `target/HTTPSignatures-1.0-SNAPSHOT-jar-with-dependencies.jar`.
+4. Load the JAR file in Burp through the Extender Tab -> Extensions -> Add.
+
+### Dependencies
+
+Three dependencies are required to build the Java project:
+- Apache HttpClient (https://hc.apache.org/httpcomponents-client-ga/)
+- Tomitribe's HTTP Signatures Java Client (https://github.com/tomitribe/http-signatures-java)
+- Burp Extender API (https://github.com/PortSwigger/burp-extender-api)
+
+

pom.xml

@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <groupId>com.nccgroup.HTTPSignatures</groupId>
+    <artifactId>HTTPSignatures</artifactId>
+    <version>1.0-SNAPSHOT</version>
+    <name>HTTPSignatures</name>
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>3.8.1</version>
+                <configuration>
+                    <source>11</source>
+                    <target>11</target>
+                </configuration>
+            </plugin>
+            <plugin>
+                <artifactId>maven-assembly-plugin</artifactId>
+                <version>3.3.0</version>
+                <configuration>
+                    <descriptorRefs>
+                        <descriptorRef>jar-with-dependencies</descriptorRef>
+                    </descriptorRefs>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.httpcomponents</groupId>
+            <artifactId>httpclient</artifactId>
+            <version>4.5.12</version>
+        </dependency>
+        <dependency>
+            <groupId>org.tomitribe</groupId>
+            <artifactId>tomitribe-http-signatures</artifactId>
+            <version>1.3</version>
+        </dependency>
+        <!-- https://mvnrepository.com/artifact/net.portswigger.burp.extender/burp-extender-api -->
+        <dependency>
+            <groupId>net.portswigger.burp.extender</groupId>
+            <artifactId>burp-extender-api</artifactId>
+            <version>2.1</version>
+        </dependency>
+    </dependencies>
+</project>

screenshots/config.png

@@ -0,0 +1,66 @@
+package burp;
+
+import javax.swing.*;
+
+public class BurpExtender implements IBurpExtender, IHttpListener {
+    private IExtensionHelpers helpers;
+
+    public void registerExtenderCallbacks (IBurpExtenderCallbacks callbacks) {
+        new Signing(callbacks);
+        callbacks.setExtensionName("Signing HTTP Messages");
+        this.helpers = callbacks.getHelpers();
+        SwingUtilities.invokeLater(new ConfigMenu());
+
+        // register ourselves as an HTTP listener (any burp tool)
+        callbacks.registerHttpListener(BurpExtender.this);
+        
+        // Set the debug flag from the settings
+        if ( Signing.callbacks.loadExtensionSetting("debug") != null &&
+                Signing.callbacks.loadExtensionSetting("debug").equals("true") ) {
+            Signing.DEBUG = true;
+        }
+    }
+
+    /**
+     * This method is invoked when an HTTP request is about to be issued, and
+     * when an HTTP response has been received.
+     *
+     * @param toolFlag A flag indicating the Burp tool that issued the request.
+     * Burp tool flags are defined in the
+     * <code>IBurpExtenderCallbacks</code> interface.
+     * @param messageIsRequest Flags whether the method is being invoked for a
+     * request or response.
+     * @param messageInfo Details of the request / response to be processed.
+     * Extensions can call the setter methods on this object to update the
+     * current message and so modify Burp's behavior.
+     */
+    @Override
+    public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse messageInfo) {
+
+        // Process only requests (and not responses)
+        if (!messageIsRequest) {
+            return;
+        }
+
+        // Check if this extension is enabled for the current Burp tool request
+        if (Signing.enabledForTool(toolFlag)) {
+
+            // if there is no active key, do not sign this request
+            if (Signing.callbacks.loadExtensionSetting("ActiveKey") == null) {
+                return;
+            }
+
+            IRequestInfo request = helpers.analyzeRequest(messageInfo.getRequest());
+            java.util.List<String> headers = request.getHeaders();
+            String profileValues = Signing.callbacks.loadExtensionSetting("ActiveKey");
+            // get the header value (first element) from profileValues
+            String[] valuesParts = profileValues.split(";");
+            String header = valuesParts[0].toLowerCase();
+
+            // Process only requests containing an HTTP header starting with the configured header name (e.g. Authorization, Signature)
+            if (headers.stream().anyMatch((str -> str.trim().toLowerCase().contains(header)))) {
+                messageInfo.setRequest(Signing.signRequest(messageInfo));
+            }
+        }
+    }
+}

src/main/java/burp/BurpExtender.java

@@ -0,0 +1,53 @@
+package burp;
+
+import javax.swing.*;
+import javax.swing.event.MenuEvent;
+import javax.swing.event.MenuListener;
+import java.awt.event.MouseAdapter;
+import java.awt.event.MouseEvent;
+
+class ConfigMenu implements Runnable, MenuListener, IExtensionStateListener {
+    private JMenu menuButton;
+
+    ConfigMenu() {
+        Signing.callbacks.registerExtensionStateListener(this);
+    }
+
+    public void run() {
+        menuButton = new JMenu("HTTP Signatures");
+        menuButton.addMouseListener(new MouseAdapter() {
+            @Override
+            public void mouseClicked(MouseEvent e) {
+                SwingUtilities.invokeLater(new Runnable() {
+                    public void run() {
+                        Signing.globalSettings.showSettings();
+                    }
+                });
+            }
+        });
+        JMenuBar burpMenuBar = ConfigSettings.getBurpFrame().getJMenuBar();
+        if (burpMenuBar == null) {
+            Signing.callbacks.printError("Unable to add HTTP Signatures menu button.");
+        } else {
+            burpMenuBar.add(menuButton);
+        }
+    }
+
+    public void menuSelected(MenuEvent e) {
+        SwingUtilities.invokeLater(new Runnable() {
+            public void run() {
+                Signing.globalSettings.showSettings();
+            }
+        });
+    }
+
+    public void menuDeselected(MenuEvent e) {
+    }
+
+    public void menuCanceled(MenuEvent e) {
+    }
+
+    public void extensionUnloaded() {
+        ConfigSettings.getBurpFrame().getJMenuBar().remove(menuButton);
+    }
+}