JOSEPH is a Burp Suite extension and has been developed as part of a master thesis by Dennis Detering at the Ruhr-University Bochum in cooperation with the Spike Reply GmbH (formerly CSPi GmbH).
- Recognition and marking
- JWS/JWE editors
- (Semi-)Automated attacks
- Bleichenbacher MMA
- Key Confusion (aka Algorithm Substitution)
- Signature Exclusion
- Base64url en-/decoder
- Easy extensibility of new attacks
This Burp Suite extension can be downloaded directly from the BApp Store JSON Web Token Attacker
To compile the JOSEPH extension from source, it is necessary to have Apache Maven installed and to run the following command:
$ mvn clean package
To skip the (unit) tests, use the following command:
$ mvn clean package -DskipTests
If the Oracle JDK is installed, the used Bouncy Castle JCE provider dependency is not allowed to be loaded from within a newly compiled fat-JAR, as it breaks the needed signature integrity check.
When performing the Bleichenbacher attack without Bouncy Castle being correctly loaded, the following error will occur:
[BleichenbacherPkcs1Info]: Error during key encryption: Cannot find any provider supporting RSA/NONE/NoPadding
If this issue arises, please perform the following step(s):
-
Copy the Bouncy Castle JAR-file
bcprov-jdk15on-1.54.jar
from JOSEPH'slib
folder into the/[PATH_TO_JVM]/jre/lib/ext
directory. -
In some cases, it is necessary to additionally amend the
/[PATH_TO_JVM]/jre/lib/security/java.security
file and add the following line (preferably directly below the other provider definitions):security.provider.9=org.bouncycastle.jce.provider.BouncyCastleProvider
. The9
in this case specifies the priority and should be adjusted to fit into existing definitions.
Alternatively, use target/JOSEPH-1.0.2.jar
and load the target/lib
folder to your Java Environment under Extender/Options
.