Browse by type
SignSaboteur is a Burp Suite extension for editing, signing, verifying, and attacking signed tokens. It supports different types of tokens: Django TimestampSigner, ItsDangerous Signer, Express cookie-session middleware, OAuth2 Proxy, Tornado’s signed cookies, Ruby Rails Signed cookies, Ruby Rails Encrypted cookies, Nimbus JOSE + JWT and Unknown signed string.
You can find more information about the extension on the Portswigger Research blog post page - Introducing SignSaboteur: forge signed web tokens with ease.
It provides automatic detection and in-line editing of token within HTTP requests/responses and WebSocket messages, signing of tokens and automation of brute force attacks against signed tokens implementations.
It was inspired by Fraser Winterborn and Dolph Flynn JWT Token extension. The original source code can be found here and here.
./gradlew jarsign-saboteur-1.0.6.jar within the build/libs directoryExtensions tab, Installed sub-tab, clicking Add and loading
the JAR file
The Wordlist View allows to import secrets and salts list files. Extension has own prebuild dictionary lists. Most
secrets are taken from jwt-secrets. As an
option, Flask-Unsign-Wordlist can be used. Extension supports JSON
strings format for special chars, to use it quot the secret string with ".

The Editor View supports a number of signed tokens: Django, Dangerous, Flask, Express, OAuth2 and Tornado. It allows
modification of the signed tokens at Burp Suite's HTTP Request/Response view in the Proxy, History and Repeater tools.
The Dangerous tab can be used for both, Flask and Django tokens, which are selected depending on whether a Dangerous
or Django token is detected.
The Unknown tab can be used to brute force unknown signed strings. Guessing mode works only with Balanced and Deep brute force attacks. It supports different message derivation technics, including:

A JSON text editor is provided to edit each component that contain JSON content:
A timestamp editor is provided to edit each component that contain it:
A hex editor is provided to all signed tokens, except Express signatures. NOTE Express Tab doesn't support signature auto update yet. Please copy it manually to corresponding signature cookie.
Sign presents a signing dialog that can be used to update the Signature by signing the token using a key from
the Keys View that has signing capabilities

Brute force will attempt to find secret key that was used for signature generation. If a secret key was found, a
dialog will be presented.

The Brute force option implements three types of attacks against signed tokens Signatures:

The Attack option implements eight well-known authorization attacks against signed tokens:
These are described in more detail below.
All of these attacks can be used together. Please bear in mind that extension doesn't support token payload modification at Attack mod, so your payload will be replaced with new one.
OpenID connect ID token format usually used by signing libraries to store information about authenticated user.
Extension will generate placeholder for admin user ID token.
Same as User claims attack but will put it into user JSON attribute.
Another common way to store user details is username and password JSON attributes. Extension will generate
placeholder for admin user.
Flask authenticated user session information if stored at client side should include id and _id and user_id
or _user_id JSON attribute. Extension will generate session for the first user, usually admin.
Express framework uses passport JSON attribute to store user details. Extension will generate placeholder for admin
user.
Some frameworks may use account wrapper to store information about authenticated user. For exploitation, it might be
required to use Authenticated claims too.
The Authenticated claims implements 12 well-known authorization flags.
The User access_token option generated JWT OpenID connect ID token signed with the same key and same hashing algorithm
without any key derivation preformed.
$ claude mcp add sign-saboteur \
-- python -m otcore.mcp_server <graph>