Add Intruder signing algorithm to config.

DolphFlynn · Feb 15, 2024 · 91f8726 · 91f8726
1 parent 155482c
commit 91f8726
Show file tree

Hide file tree

Showing 4 changed files with 54 additions and 10 deletions.
diff --git a/src/main/java/burp/config/BurpConfigPersistence.java b/src/main/java/burp/config/BurpConfigPersistence.java
@@ -24,6 +24,7 @@
 import burp.proxy.HighlightColor;
 import burp.proxy.ProxyConfig;
 import burp.scanner.ScannerConfig;
+import com.nimbusds.jose.JWSAlgorithm;
 import org.json.JSONException;
 import org.json.JSONObject;
 
@@ -36,6 +37,7 @@ public class BurpConfigPersistence {
     private static final String INTRUDER_FUZZ_PARAMETER_NAME = "intruder_payload_processor_parameter_name";
     private static final String INTRUDER_FUZZ_RESIGNING = "intruder_payload_processor_resign";
     private static final String INTRUDER_FUZZ_SIGNING_KEY_ID = "intruder_payload_processor_signing_key_id";
+    private static final String INTRUDER_FUZZ_SIGNING_ALGORITHM = "intruder_payload_processor_signing_algorithm";
     private static final String SCANNER_INSERTION_POINT_PROVIDER_ENABLED_KEY = "scanner_insertion_point_provider_enabled";
     private static final String SCANNER_INSERTION_PARAMETER_NAME = "scanner_insertion_point_provider_parameter_name";
 
@@ -77,6 +79,11 @@ public BurpConfig loadOrCreateNew() {
                     intruderConfig.setSigningKeyId(keyId);
                 }
 
+                if (parsedObject.has(INTRUDER_FUZZ_SIGNING_ALGORITHM) && parsedObject.get(INTRUDER_FUZZ_SIGNING_ALGORITHM) instanceof String algorithm) {
+                    JWSAlgorithm jwsAlgorithm = JWSAlgorithm.parse(algorithm);
+                    intruderConfig.setSigningAlgorithm(jwsAlgorithm);
+                }
+
                 if (parsedObject.has(INTRUDER_FUZZ_RESIGNING) && parsedObject.get(INTRUDER_FUZZ_RESIGNING) instanceof Boolean resign) {
                     intruderConfig.setResign(resign);
                 }
@@ -107,6 +114,11 @@ public void save(BurpConfig model) {
         burpConfigJson.put(INTRUDER_FUZZ_PARAMETER_TYPE, model.intruderConfig().fuzzLocation());
         burpConfigJson.put(INTRUDER_FUZZ_RESIGNING, model.intruderConfig().resign());
         burpConfigJson.put(INTRUDER_FUZZ_SIGNING_KEY_ID, model.intruderConfig().signingKeyId());
+
+        JWSAlgorithm signingAlgorithm = model.intruderConfig().signingAlgorithm();
+        String signingAlgorithmName = signingAlgorithm == null ? null : signingAlgorithm.getName();
+        burpConfigJson.put(INTRUDER_FUZZ_SIGNING_ALGORITHM, signingAlgorithmName);
+
         burpConfigJson.put(SCANNER_INSERTION_POINT_PROVIDER_ENABLED_KEY, model.scannerConfig().enableHeaderJWSInsertionPointLocation());
         burpConfigJson.put(SCANNER_INSERTION_PARAMETER_NAME, model.scannerConfig().insertionPointLocationParameterName());
 

diff --git a/src/main/java/burp/intruder/IntruderConfig.java b/src/main/java/burp/intruder/IntruderConfig.java
@@ -18,13 +18,16 @@
 
 package burp.intruder;
 
+import com.nimbusds.jose.JWSAlgorithm;
+
 import static burp.intruder.FuzzLocation.PAYLOAD;
 import static org.apache.commons.lang3.StringUtils.isNotEmpty;
 
 public class IntruderConfig {
     private String fuzzParameter;
     private FuzzLocation fuzzLocation;
     private String signingKeyId;
+    private JWSAlgorithm signingAlgorithm;
     private boolean resign;
 
     public IntruderConfig() {
@@ -54,18 +57,27 @@ public String signingKeyId() {
 
     public void setSigningKeyId(String signingKeyId) {
         this.signingKeyId = signingKeyId;
-        this.resign = resign && isSigningKeyIdValid();
+        this.resign = resign && canSign();
     }
 
     public boolean resign() {
         return resign;
     }
 
     public void setResign(boolean resign) {
-        this.resign = resign && isSigningKeyIdValid();
+        this.resign = resign && canSign();
+    }
+
+    public JWSAlgorithm signingAlgorithm() {
+        return signingAlgorithm;
+    }
+
+    public void setSigningAlgorithm(JWSAlgorithm signingAlgorithm) {
+        this.signingAlgorithm = signingAlgorithm;
+        this.resign = resign && canSign();
     }
 
-    private boolean isSigningKeyIdValid() {
-        return isNotEmpty(signingKeyId);
+    private boolean canSign() {
+        return isNotEmpty(signingKeyId) && signingAlgorithm != null;
     }
 }
diff --git a/src/test/java/burp/config/BurpConfigPersistenceTest.java b/src/test/java/burp/config/BurpConfigPersistenceTest.java
@@ -21,6 +21,7 @@
 import burp.api.montoya.persistence.Preferences;
 import burp.intruder.FuzzLocation;
 import burp.proxy.HighlightColor;
+import com.nimbusds.jose.JWSAlgorithm;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
@@ -34,6 +35,8 @@
 import static burp.proxy.HighlightColor.CYAN;
 import static burp.proxy.HighlightColor.RED;
 import static burp.proxy.ProxyConfig.DEFAULT_HIGHLIGHT_COLOR;
+import static com.nimbusds.jose.JWSAlgorithm.ES256;
+import static com.nimbusds.jose.JWSAlgorithm.EdDSA;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.jupiter.params.provider.Arguments.arguments;
 import static org.mockito.Mockito.*;
@@ -230,35 +233,39 @@ private static Stream<Arguments> validIntruderConfigJson() {
                         HEADER,
                         "sub",
                         false,
+                        null,
                         null
                 ),
                 arguments(
                         "{\"intruder_payload_processor_fuzz_location\":\"payload\",\"intruder_payload_processor_parameter_name\":\"role\"}",
                         PAYLOAD,
                         "role",
                         false,
+                        null,
                         null
                 ),
                 arguments(
-                        "{\"intruder_payload_processor_fuzz_location\":\"header\",\"intruder_payload_processor_parameter_name\":\"sub\",\"intruder_payload_processor_resign\":true, \"intruder_payload_processor_signing_key_id\": \"uuid\"}",
+                        "{\"intruder_payload_processor_fuzz_location\":\"header\",\"intruder_payload_processor_parameter_name\":\"sub\",\"intruder_payload_processor_resign\":true, \"intruder_payload_processor_signing_key_id\": \"uuid\", \"intruder_payload_processor_signing_algorithm\": \"EdDSA\"}",
                         HEADER,
                         "sub",
                         true,
-                        "uuid"
+                        "uuid",
+                        EdDSA
                 ),
                 arguments(
-                        "{\"intruder_payload_processor_fuzz_location\":\"header\",\"intruder_payload_processor_parameter_name\":\"sub\",\"intruder_payload_processor_signing_key_id\":\"131da5fb-8484-4717-b0d2-b79925978596\"}",
+                        "{\"intruder_payload_processor_fuzz_location\":\"header\",\"intruder_payload_processor_parameter_name\":\"sub\",\"intruder_payload_processor_signing_key_id\":\"131da5fb-8484-4717-b0d2-b79925978596\", \"intruder_payload_processor_signing_algorithm\": \"ES256\"}",
                         HEADER,
                         "sub",
                         false,
-                        "131da5fb-8484-4717-b0d2-b79925978596"
+                        "131da5fb-8484-4717-b0d2-b79925978596",
+                        ES256
                 )
         );
     }
 
     @ParameterizedTest
     @MethodSource("validIntruderConfigJson")
-    void givenValidIntruderSavedConfig_whenLoadOrCreateCalled_thenAppropriateConfigReturned(String json, FuzzLocation expectedLocation, String expectedParameterName, boolean expectedResign, String expectedSigningKeyId) {
+    void givenValidIntruderSavedConfig_whenLoadOrCreateCalled_thenAppropriateConfigReturned(String json, FuzzLocation expectedLocation, String expectedParameterName, boolean expectedResign, String expectedSigningKeyId, JWSAlgorithm expectedSigningAlgorithm) {
         BurpConfigPersistence configPersistence = new BurpConfigPersistence(callbacks);
         when(callbacks.getString(BURP_SETTINGS_NAME)).thenReturn(json);
 
@@ -270,6 +277,7 @@ void givenValidIntruderSavedConfig_whenLoadOrCreateCalled_thenAppropriateConfigR
         assertThat(burpConfig.intruderConfig().fuzzParameter()).isEqualTo(expectedParameterName);
         assertThat(burpConfig.intruderConfig().resign()).isEqualTo(expectedResign);
         assertThat(burpConfig.intruderConfig().signingKeyId()).isEqualTo(expectedSigningKeyId);
+        assertThat(burpConfig.intruderConfig().signingAlgorithm()).isEqualTo(expectedSigningAlgorithm);
     }
 
     @Test

diff --git a/src/test/java/burp/config/IntruderConfigTest.java b/src/test/java/burp/config/IntruderConfigTest.java
@@ -21,6 +21,7 @@
 import burp.intruder.IntruderConfig;
 import org.junit.jupiter.api.Test;
 
+import static com.nimbusds.jose.JWSAlgorithm.HS256;
 import static org.assertj.core.api.Assertions.assertThat;
 
 class IntruderConfigTest {
@@ -45,12 +46,23 @@ void givenEmptyKeyID_whenResignIsSetTrue_thenResignIsFalse() {
     }
 
     @Test
-    void givenValidKeyID_whenResignIsSetTrue_thenResignIsTrue() {
+    void givenValidKeyIDAndNullSigningAlgorithm_whenResignIsSetTrue_thenResignIsFalse() {
         IntruderConfig config = new IntruderConfig();
         config.setSigningKeyId("keyID");
 
         config.setResign(true);
 
+        assertThat(config.resign()).isFalse();
+    }
+
+    @Test
+    void givenValidKeyIDAndNonNullSigningAlgorithm_whenResignIsSetTrue_thenResignIsTrue() {
+        IntruderConfig config = new IntruderConfig();
+        config.setSigningKeyId("keyID");
+        config.setSigningAlgorithm(HS256);
+
+        config.setResign(true);
+
         assertThat(config.resign()).isTrue();
     }