HTTPSignatures Burp Suite Extension

HTTPSignatures is a Burp Suite extension that implements the Signing HTTP Messages specification draft (draft-ietf-httpbis-message-signatures-01). This allows Burp Suite users to seamlessly test applications that require HTTP Signatures.

Features

Usage

Installation

Download the latest JAR release file and add it to Burp Suite through the Extender Tab -> Extensions -> Add.

Configuration

  1. After loading the extension, a new HTTP Signatures menu item will be added to Burp.
  2. Open the configuration tab (click the HTTP Signatures menu item).
  3. The minimum configuration requires the Header Name, the keyId, and the Private key file name and path to be configured. See below for the detailed description.
  4. You can now use Burp Proxy, Repeater, Intruder, and Scanner. The extension will create a new Signature for each request that contains the configured Header Name.

Usage

After HTTPSignatures has been correctly configured, the Burp Suite extension will replace the HTTP header value configured in the Header Name setting (e.g. Signature) with a new signature for every HTTP request sent through Burp Proxy, Repeater, Intruder, and Scanner.

HTTPSignatures Configuration

Documentation

The Burp Suite extension must be configured before it can be used. The HTTPSignatures configuration can be found in the Burp menu after it has been loaded (usually on the right of the Help menu). The Header Name, the keyId, and the Private key file name and path have to be correctly configured for the extension to work. The remaining settings can optionally be adjusted.

Profiles

The HTTPSignatures configuration lets you configure multiple profiles, each in its own tab. Create a new tab by clicking on the ... tab. You can name tabs by double-clicking on a tab. To save a tab, click the "Save" button. To mark a tab as the active profile, click the "Use this profile" button. The active tab (profile) is marked with red font and border.

Global Configuration Settings

The global configuration section contains settings that apply to all profiles.

Example Configurations

ActivityPub

ActivityPub uses HTTP Signatures for server-to-server authentication and authorization.

Oracle Cloud Infrastructure (OCI)

All Oracle Cloud Infrastructure (OCI) API requests require HTTP Signatures. The implementation is based on the draft specification with some modifications.

Building with IntelliJ IDEA

  1. Clone this repository and Open or Import the HTTPSignatures folder in IntelliJ IDEA.
  2. Compile the project (Build -> Build Project)
  3. Create a JAR file to import in Burp Suite: Go to File -> Project Structure, select Project Settings -> Artifacts.
  4. Click the plus sign to create a new JAR file "From modules with dependencies" and click OK.
  5. Select the "Include in project build" checkbox to automatically create a JAR file when building the project and click OK.
  6. Build the project again (Ctrl+F9 or ⌘+F9).
  7. The JAR file is created in the project folder at out/artifacts/HTTPSignatures_jar/HTTPSignatures.jar.
  8. Load the JAR file in Burp through the Extender Tab -> Extensions -> Add.

Building on the Command Line using Maven

  1. Clone this repository.
  2. Compile the project and create a JAR file with the command mvn package assembly:single.
  3. The JAR file is created in the project folder at target/HTTPSignatures-1.0-SNAPSHOT-jar-with-dependencies.jar.
  4. Load the JAR file in Burp through the Extender Tab -> Extensions -> Add.

Dependencies

Three dependencies are required to build the Java project: