The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Bug: JWT Editor, Sign Dialog broke. Can't apply Key to edited JWT

Mike | Last updated: Dec 21, 2022 06:37PM UTC

Steps to repro

Environment
- Kali, latest
- Install latest JWT Editor (as of 12/21/2022 from the BApp Store)
- Download LATEST Burp Pro Jar (12/21/2022) and configure to run it

Java installed:

    Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
    java 17.0.5 2022-10-18 LTS

Steps to reproduce
-------------------------
- Do the JWT Lab "JWT authentication bypass via weak signing key"
- Send Request to Repeater
- Create a new Signature key in Repeater, select JSON Web Token Tab
- Change the user name in the payload part of editor
- Click "Sign" button, dialog will appear to select signing key.
- Select the key to use
- Attempt to click OK. Nothing happens...
- Hit Enter on keyboard, nothing happens.
- Click OK again..nothing happens.
- Click Cancel, dialog is cancelled

For some reason the 'OK' action doesn't work at all.

Mike | Last updated: Dec 22, 2022 03:53PM UTC

More info about system

---------------------------------------------------------
SYSTEM PROPERTIES
---------------------------------------------------------
awt.useSystemAAFontSettings on
com.sun.net.ssl.requireCloseNotify false
file.encoding UTF-8
file.separator /
flatlaf.uiScale.enabled false
java.class.path /opt/burp/burp.jar
java.class.version 61.0
java.home /usr/lib/jvm/jdk-17
java.io.tmpdir /tmp
java.library.path /usr/java/packages/lib:/usr/lib64:/lib64:/lib:/usr/lib
java.runtime.name Java(TM) SE Runtime Environment
java.runtime.version 17.0.5+9-LTS-191
java.specification.name Java Platform API Specification
java.specification.vendor Oracle Corporation
java.specification.version 17
java.vendor Oracle Corporation
java.vendor.url https://java.oracle.com/
java.vendor.url.bug https://bugreport.java.com/bugreport/
java.version 17.0.5
java.version.date 2022-10-18
java.vm.compressedOopsMode Zero based
java.vm.info mixed mode, sharing
java.vm.name Java HotSpot(TM) 64-Bit Server VM
java.vm.specification.name Java Virtual Machine Specification
java.vm.specification.vendor Oracle Corporation
java.vm.specification.version 17
java.vm.vendor Oracle Corporation
java.vm.version 17.0.5+9-LTS-191
jdk.debug release
jdk.tls.allowUnsafeServerCertChange true
jdk.tls.maxCertificateChainLength 30
native.encoding UTF-8
org.bouncycastle.jsse.client.dh.minimumPrimeBits 1024
org.bouncycastle.jsse.client.dh.unrestrictedGroups true
os.arch amd64
os.name Linux
os.version 6.0.0-kali6-amd64
path.separator :
sun.arch.data.model 64
sun.awt.enableExtraMouseButtons true
sun.boot.library.path /usr/lib/jvm/jdk-17/lib
sun.cpu.endian little
sun.font.fontmanager sun.awt.X11FontManager
sun.io.unicode.encoding UnicodeLittle
sun.java.command /opt/burp/burp.jar
sun.java.launcher SUN_STANDARD
sun.jnu.encoding UTF-8
sun.management.compiler HotSpot 64-Bit Tiered Compilers
swing.aatext true
user.country US
user.dir /home/kali/Desktop
user.home /home/kali
user.language en
user.name kali
user.timezone America/Los_Angeles

Michelle, PortSwigger Agent | Last updated: Dec 22, 2022 03:55PM UTC

We've been running tests with this here, and using the steps you describe, I'm afraid we've not yet been able to replicate the problem. Is this the only extension you have enabled when you see this issue?

Could you email support@portswigger.net with the following so we can try and check what else could be different about our tests?

- The full output of Help -> Diagnostics
- Results of the same test if you only have the JWT Editor extension installed
- A screen recording showing the issue

Mike | Last updated: Dec 22, 2022 05:05PM UTC

@Michelle Thanks for getting back to me. I was able to solve this after playing around with JDKs. From what I see, this issue is caused by the JDK in use.

If I run with OPEN JDK 17, I'm not seeing the issue.

    java --version
    Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
    openjdk 17.0.5 2022-10-18
    OpenJDK Runtime Environment (build 17.0.5+8-Debian-2)
    OpenJDK 64-Bit Server VM (build 17.0.5+8-Debian-2, mixed mode, sharing)

If I run with **ORACLE** JDK 17 (or 19), I get the issue.

    java --version
    Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
    java 17.0.5 2022-10-18 LTS
    Java(TM) SE Runtime Environment (build 17.0.5+9-LTS-191)
    Java HotSpot(TM) 64-Bit Server VM (build 17.0.5+9-LTS-191, mixed mode, sharing)

Hope this helps, I'm no longer blocked.

Mike

Michelle, PortSwigger Agent | Last updated: Dec 22, 2022 05:07PM UTC

Thanks for the update :)

Mike | Last updated: Dec 30, 2022 05:15PM UTC

I still would like to use the Oracle JDK and at some point I'll give it another try, but my thoughts / guess is that the JWT Editor probably needs to be rebuilt using a newer JDK at some point. When I looked inside the extension, I believe (if my memory serves) it was last compiled for Java 8. Something to think about or pass along to whomever looks over these extensions.

Nishant | Last updated: Jan 16, 2023 06:46PM UTC

Thanks, installing OpenJDK 17.0.5 solved the problem.

Liam, PortSwigger Agent | Last updated: Jan 17, 2023 07:55AM UTC