AWSSigner

Burp Extension for AWS SigV4 Signing

Create a profile in the extension's tab to specify which credentials should be used when signing the request.

The extension checks each request passing through Burp. If the request has both the "X-Amz-Date" and "Authorization" headers, it is re-signed with the specified profile's credentials and both headers are updated.

(Screenshot: AWS Signer)

Example Request

The extension takes an existing SigV4 request and updates the Authorization and X-AMZ-Date headers.

Here's an example of a SigV4 request that the extension will update:

GET /?Param1=value1 HTTP/1.1
Host: example.amazonaws.com
Content-Type: application/x-www-form-urlencoded; charset=utf-8
X-Amz-Date: 20150830T123600Z
Authorization: AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20190101/us-west-1/test/request, SignedHeaders=content-type;host;x-amz-date, Signature=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
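To show what the extension recomputes when it re-signs a request like the one above, here is an added Python example (not part of AWSSigner) that derives the SigV4 signing key and builds a fresh Authorization header for the sample GET request. The secret key is a constructed placeholder, and the credential scope ends in aws4_request as the SigV4 specification requires.

```python
import hashlib
import hmac
from urllib.parse import quote


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")."""
    key = _hmac(("AWS4" + secret_key).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    return key


def canonical_query(query: str) -> str:
    """URI-encode each name and value, then sort by name (and by value on ties)."""
    pairs = [p.partition("=") for p in query.split("&")] if query else []
    encoded = sorted((quote(k, safe="-_.~"), quote(v, safe="-_.~")) for k, _, v in pairs)
    return "&".join(f"{k}={v}" for k, v in encoded)


def sigv4_authorization(method, path, query, headers, body, access_key, secret_key, region, service):
    """Build the Authorization header value for a SigV4 request.
    `headers` holds exactly the headers to sign; X-Amz-Date must be one of them."""
    hdrs = {k.lower(): " ".join(v.split()) for k, v in headers.items()}  # lowercase, collapse spaces
    amz_date = hdrs["x-amz-date"]
    date = amz_date[:8]
    signed_headers = ";".join(sorted(hdrs))
    canonical_headers = "".join(f"{k}:{hdrs[k]}\n" for k in sorted(hdrs))
    canonical_request = "\n".join([method, quote(path, safe="/-_.~"), canonical_query(query),
                                   canonical_headers, signed_headers, hashlib.sha256(body).hexdigest()])
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    signature = hmac.new(signing_key(secret_key, date, region, service),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, SignedHeaders={signed_headers}, Signature={signature}"


# Constructed values: the access key is the one in the sample request above; the secret is a placeholder.
EXAMPLE_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
EXAMPLE_SECRET_KEY = "EXAMPLE-SECRET-KEY-NOT-REAL"
EXAMPLE_HEADERS = {"Host": "example.amazonaws.com",
                   "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
                   "X-Amz-Date": "20150830T123600Z"}


def resign_example(secret_key: str = EXAMPLE_SECRET_KEY) -> str:
    """Re-sign the sample GET /?Param1=value1 request with the given secret key."""
    return sigv4_authorization("GET", "/", "Param1=value1", EXAMPLE_HEADERS, b"",
                               EXAMPLE_ACCESS_KEY, secret_key, "us-west-1", "test")
```

Any change to a signed header, the query string, or the secret key yields a different signature, which is why the extension must recompute the header rather than reuse the one captured in the original request.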

More information about SigV4 can be found here:

Extension Tab Interface

The extension's configuration is accessible in Burp Suite under the "AWS Signer" tab. This tab is available in Burp Suite when the extension is added and loaded.

Global Settings

These settings influence the entire extension's behavior. The settings include:

(Screenshot: Global Settings)

Profile Management

This panel adds and removes profiles. The following buttons are available:

(Screenshot: Profile Management)

Profile Import

After clicking the profile import button, a pop-up window allows you to import profiles. Click one of the Source buttons to bring in profiles:

After sourcing the profiles, use the checkboxes to select which profiles to import into the extension.

(Screenshot: Profile Import)

Profile Configuration

The following settings are available for every profile, regardless of its type:

Test Profile Credentials Button

This button can be used to test a profile's credentials and ensure they are valid. The credentials are tested by signing a GetCallerIdentity request and ensuring a successful response. The success or failure is reported in the Status field above.

(Screenshot: Profile Configuration)

Profile Types

There are three types of profiles supported by the extension:

  1. Static Credentials: An access key and secret key, with an optional session token.
  2. AssumeRole: The extension will assume a specified role and use the credentials returned. To assume the role, the user must specify another "assumer" profile which will provide credentials required to assume the specified role.
  3. Command: The extension will execute the specified shell command and parse an access key, a secret key and (optionally) a session token.

Static Credentials Profile

The user must provide an access key and a secret key. The session token is optional.

AssumeRole Profile

The user must provide a role ARN which specifies the role to be assumed. The user must also provide credentials to assume this role. These credentials are provided through an "assumer" profile. This allows chaining multiple profiles and roles together when required.

The user may provide the following. See this API documentation for further details.

(Screenshot: AssumeRole Profile Configuration)

Command Profile

The user must provide a command to be executed which will return AWS credentials in the form of an access key, secret key and (optionally) session token. The command will be executed using either cmd (Windows) or sh (non-Windows). The extension will attempt to parse the credentials from the command's stdout output. The output does not have a set format, and the credential extraction is based on pattern matching.

The user may provide a Duration. The duration is the lifetime of the credentials (in seconds). The extension will cache the credentials automatically and re-use them when valid. If the duration is set to 0, the credentials will not be cached and the command will be executed for each request that must be signed with the profile.

The Extracted Credentials field shows the credentials most recently retrieved by pressing the Test Profile Credentials button. This is intended for debugging purposes.

(Screenshot: Command Profile Configuration)

Context Menu

The extension can be configured by the user while editing a request. Right-click within the request, hover the cursor over Extensions, and then over AWS Signer. The following configuration is available from this location:

  1. Enable/Disable Signing: Signing can be enabled or disabled entirely.
  2. Set Default Signing Profile: The default signing profile can be selected or unset here.

(Screenshot: Context Menu)

Download

The most recent JAR file can be found on the releases page: https://github.com/NetSPI/AWSSigner/releases

Build

  1. git clone https://github.com/NetSPI/AWSSigner.git
  2. Install gradle for your distribution (https://gradle.org/install/)
  3. cd AWSSigner
  4. gradle build
  5. The JAR file will be in the build/libs directory