Releases: NetSPI/AWSSigner
AWS Signer 2.0.4
This is a minor bug fix release. This release has a slight change to how the Authorization header is parsed. Specifically, the regular expression has been made more flexible to handle missing/multiple commas following the list of signed header values.
Special thanks to @blafois for identifying the bug and suggesting a fix!
AWS Signer 2.0.3
This release fixes an issue with the signer's handling of the Host header. AWS Signer versions 2.0.0 - 2.0.2 would overwrite the Host header if it differed from the value in the Target URL. This wasn't intentional functionality, but rather the result of how the AWS Java SDK signed requests. This was reported in issue #33.
The update will now sign the request using the Host header's value, not the value in the target URL. If the host specified by the target URL and the host header match, there will be no observable difference. If these values differ, the request is still sent to the target URL, but the signature will reference the Host header's value.
This should better support use cases where the user sends a request to a proxy, which then forwards it to the AWS endpoint. The Host header can contain the real AWS endpoint value, and the target URL can point to the proxy. When the proxy forwards the request to the real AWS endpoint's URL, the signature will be correct since it was based on the Host header's value.
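The proxy case described above, as an added Python sketch of SigV4 signing (not the extension's own Java code). The helper name `sigv4_signature`, the secret, the proxy address and the STS endpoint are constructed assumptions, and the query string is assumed to be already in canonical form.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sigv4_signature(secret, method, target_url, headers, amz_date, region, service, payload=b""):
    """Return (canonical_request, hex_signature) for a SigV4 request.

    Hypothetical helper. The signed host is the Host header's value; the
    target URL's host is used only when no Host header is supplied.
    """
    url = urlsplit(target_url)
    hdrs = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    hdrs.setdefault("host", url.netloc)
    hdrs["x-amz-date"] = amz_date
    names = sorted(hdrs)
    canonical = "\n".join([
        method,
        url.path or "/",
        url.query,  # assumed to be already sorted and URL-encoded
        "".join(f"{n}:{hdrs[n]}\n" for n in names),
        ";".join(names),
        hashlib.sha256(payload).hexdigest(),
    ])
    date = amz_date[:8]
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date,
        f"{date}/{region}/{service}/aws4_request",
        hashlib.sha256(canonical.encode()).hexdigest(),
    ])
    key = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    return canonical, _hmac(key, string_to_sign).hex()

# Constructed sample values, not real credentials or captured traffic.
SECRET = "EXAMPLE-SECRET-KEY-NOT-REAL"
ARGS = ("20240101T000000Z", "us-east-1", "sts")
QUERY = "Action=GetCallerIdentity&Version=2011-06-15"
AWS_HOST = "sts.us-east-1.amazonaws.com"
PROXY_URL = f"http://127.0.0.1:8080/?{QUERY}"

# What the AWS endpoint recomputes once the proxy has forwarded the request.
_, expected = sigv4_signature(SECRET, "GET", f"https://{AWS_HOST}/?{QUERY}", {}, *ARGS)
# 2.0.3 behaviour: sent to the proxy URL, signed with the Host header's value.
canon, via_host_header = sigv4_signature(SECRET, "GET", PROXY_URL, {"Host": AWS_HOST}, *ARGS)
# Signing with the target URL's host instead yields a signature AWS rejects.
_, via_url_host = sigv4_signature(SECRET, "GET", PROXY_URL, {}, *ARGS)
print(via_host_header == expected, via_url_host == expected)
```

The host is part of the canonical request, so a proxy that rewrites the Host header after signing would invalidate the signature again.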
AWS Signer 2.0.2
This release includes a few minor changes for the "Status" text displayed at the top of the Profile Configuration panel:
- The "Success" message is no longer dark green. The original intent was to provide a visual difference, but it didn't look good in either light mode or dark mode. Now it's the default color along with the rest of the text.
- If an error is returned when testing the profile or session policy, the error message is word-wrapped (if necessary) when displayed in the status. While these error messages aren't always super helpful for debugging, it looks much better in the UI.
AWS Signer 2.0.1
Burp Suite version 2022.3 and beyond disables HTML rendering in Swing elements' text by default. This version opts into HTML rendering in the components to maintain a consistent user interface in all Burp Suite versions. Tested in Burp Suite v2022.3.2 (Early Adopter).
AWS Signer 2.0.0
Please see the NetSPI blog post for an overview and the updated README for technical details.
GET requests with bodies won't be truncated
Merge pull request #28 from AndreyRainchik/master GET requests with bodies won't be truncated
Adding AssumeRole Operations
- New text field for a role ARN to assume with the given profile
- New button to assume a role
- Assuming a role will create a new profile with the name of the assumed role
- Assuming the same role again will update the credentials in the assumed role profile
Bug fixes in encoding and sorting
- SignedHeaders list is now sorted when session tokens are used
- URL encoding of Unicode characters in URL and body is now more strict
Fixed comma and capitalization bugs
The following changes were made for this release:
- Signer will now correctly parse SignedHeaders if the collection of signed headers ends only in a space with no comma.
- When region and service are provided in signer, these values are no longer converted to lowercase before comparing.
- Added debug warning message if a SignedHeader is not found in the request headers
Fixing parameter bug
If no parameters were specified, an extra equals sign was added. This bug is now fixed.