HTTPSignatures
is a Burp Suite extension that implements the Signing HTTP Messages draft-ietf-httpbis-message-signatures-01
specification draft document.
This allows Burp Suite users to seamlessly test applications that require HTTP Signatures.
- Automatically creates a new signature and digest in Burp Repeater, Intruder, and Scanner when the extension detects an existing HTTP Signature header.
- Supports the
rsa-sha256
algorithm for signing messages (RSASSA-PKCS1-v1_5
[RFC8017] using SHA-256 [RFC6234]) and SHA-256 for the digest header. - The extension works in Burp Suite Professional and in the free Burp Suite Community Edition.
Download the latest JAR release file and add it in Burp Suite through Extender Tab / Extensions / Add.
- After loading the extension a new HTTP Signatures menu item will be added to Burp.
- Open the configuration tab (click the HTTP Signatures menu item).
- The minimum configuration requires the
Header Name
, thekeyId
, and thePrivate key file name and path
to be configured. See below for the detailed description. - You can now use Burp Proxy, Repeater, Intruder, and Scanner.
The extension will create a new Signature for each request that contains the configured
Header Name
.
After HTTPSignatures
has been correctly configured, the Burp Suite extension will replace the HTTP header value configured in the Header Name
setting (e.g. Signature
) with a new signature for every HTTP request sent through Burp Proxy, Repeater, Intruder, and Scanner.
The Burp Suite extension must be configured before it can be used.
The HTTPSignatures
configuration can be found in the Burp menu after it has been loaded (usually on the right of the Help menu).
The Header Name
, the keyId
, and the Private key file name and path
have to be correctly configured for the extension to work.
The remaining settings can optionally be adjusted.
-
Header Name: (sample values:
Authorization
,Signature
): The name of the HTTP request header that includes the signature. The IETF draft is using theSignature
header name. Oracle Cloud (OCI) is using theAuthorization
header name. -
keyId: The
keyId
parameter is a US-ASCII string used by a verifier to identify and/or obtain the signature's verification key. Sample values can look likehttps://mastodon.example.com/users/myUser
(for ActivityPub) orocid1.tenancy.oc1.../ocid1.user.oc1.../{fingerprint}
for OCI. -
Private key file name and path: The full path and file name containing the private key (e.g.
/home/${USER}/private_key.pem
). -
Digest Header Name: The name of the header containing the digest. This should be either
x-content-sha256
(for OCI) ordigest
for most other implementations. -
Header Names to Sign: GET: The header names to include for GET requests (e.g.
date (request-target) host
). The(request-target)
value is a special identifier consisting of the request method and the path and query of the request URI (e.g.get /foo?param=value
). -
Header Names to Sign: HEAD: The header names to include in HEAD requests (e.g.
date (request-target) host
). -
Header Names to Sign: DELETE: The header names to include in DELETE requests (e.g.
date (request-target) host
). -
Header Names to Sign: PUT: The header names to include in PUT requests (e.g.
date (request-target) host content-length content-type digest
). -
Header Names to Sign: POST: The header names to inlcude in POST requets (e.g.
date (request-target) host content-length content-type digest
). -
Include query parameters in Signature: This boolean value specifies if query parameters (e.g.
?param=value
) should be included in the signature. While the draft standard specifies that query parameters are part of the(request-target)
identifier, not all implementations include query parameters. The default value istrue
. -
Include the port in Signature: Some implementations do not include the port in the host header (e.g.
localhost:8080
). This setting allows to remove the port from the host header value if set tofalse
. The default value istrue
.
The HTTPSignatures
configuration allows to configure multiple profiles in tabs.
Create a new tab by clicking on the ...
tab.
You can name tabs by double clicking on a tab.
To save a tab click the "Save" button.
To mark a tab as the active profile, click the "Use this profile" button.
The active tab (profile) is marked with red font and border.
The global configuration section contains settings that apply to all profiles.
-
Enable the extension for the following Burp Suite tools: The extension can be enabled or disabled for the following Burp Suite tools:
- Proxy (default: disabled)
- Scanner (default: enabled)
- Intruder (default: enabled)
- Repeater (default: enabled)
The proxy is disabled by default. The other tools are enabled by default. The proxy tool should usually only be enabled when using the intercept feature. The extension will not update the signature when it is disabled.
-
Enable Debug Logs: Enabling this checkbox will print debug logs to the standard output. The output can be configured in Burp Suite under Extender -> Extensions, then select the Signing HTTP Messages extension. In the Output tab you can select where the standard output will be shown. The default is Shown in UI where the output will be displayed within Burp Suite.
ActivityPub uses HTTP Signatures for server to server authentication and authorization.
- Header Name:
Signature
- keyId: The keyId should link to the actor so that the publicKey field can be retrieved:
https://mastodon.online/users/viktor
. You can usecurl
to retrieve the key:curl https://mastodon.online/users/viktor -H 'Accept: application/activity+json'|jq
- Private key file name and path:
/home/user/private_key.pem
- Digest Header Name:
digest
- Header Names to Sign: GET:
date (request-target) host
- Header Names to Sign: HEAD:
date (request-target) host
- Header Names to Sign: DELETE:
date (request-target) host
- Header Names to Sign: PUT:
date (request-target) host content-length content-type digest
- Header Names to Sign: POST:
date (request-target) host content-length content-type digest
- Include query parameters in Signature:
true
- Include the port in Signature:
true
All Oracle Cloud Infrastructure (OCI) API requests require HTTP Signatures. The implementation is based on the draft specification with some modifications.
- Header Name:
Authorization
- keyId:
<TENANCY OCID>/<USER OCID>/<KEY FINGERPRINT>
, e.g.ocid1.tenancy.oc1..<unique_ID>/ocid1.user.oc1..<unique_ID>/<key_fingerprint>
- Private key file name and path:
/home/user/private_key.pem
- Digest Header Name:
x-content-sha256
- Header Names to Sign: GET:
date (request-target) host
- Header Names to Sign: HEAD:
date (request-target) host
- Header Names to Sign: DELETE:
date (request-target) host
- Header Names to Sign: PUT:
date (request-target) host content-length content-type x-content-sha256
- Header Names to Sign: POST:
date (request-target) host content-length content-type x-content-sha256
- Include query parameters in Signature:
true
- Include the port in Signature:
true
- Clone this repository and Open or Import the
HTTPSignatures
folder in IntelliJ IDEA. - Compile the project (Build -> Build Project)
- Create a JAR file to import in Burp Suite: Go to File -> Project Structure, select Project Settings -> Artifacts.
- Click the plus sign to create a new JAR file "From modules with dependencies" and click OK.
- Select the "Include in project build" checkbox to automatically create a JAR file when building the project and click OK.
- Build the project again (Ctrl+F9 or ⌘+F9).
- The JAR file is created in the project folder at
out/artifacts/HTTPSignatures_jar/HTTPSignatures.jar
. - Load the JAR file in Burp through the Extender Tab -> Extensions -> Add.
- Clone this repository.
- Compile the project and create a JAR file with the command
mvn package assembly:single
. - The JAR file is created in the project folder at
target/HTTPSignatures-1.0-SNAPSHOT-jar-with-dependencies.jar
. - Load the JAR file in Burp through the Extender Tab -> Extensions -> Add.
Three dependencies are required to build the Java project:
- Apache HttpClient (https://hc.apache.org/httpcomponents-client-ga/)
- Tomitribe's HTTP Signatures Java Client (https://github.com/tomitribe/http-signatures-java)
- Burp Extender API (https://github.com/PortSwigger/burp-extender-api)