Content Signature is an authentication method in which the request body is hashed and the hash is signed with a key held by the client. The resulting signature is sent with the request, usually in a header. The server recomputes the signature over the body it received and checks that it matches: if it does, the server accepts and processes the request; if not, the server rejects it. In the asymmetric form the client signs with a private key and the server verifies with the corresponding public key; the sample on this page instead computes an HMAC-SHA256, so client and server share the same secret, and any change to the body after signing (including a scanner's mutations) invalidates the signature.
Configurations
The Content Signature authentication mechanism has the following configuration options:
| Configuration | Description |
|---|---|
| Header Key | The name of the request header that carries the content signature. |
| Private Key | The key used to generate the signature (the shared HMAC secret in the sample below). |
Example
The following samples can be used to configure the Content Signature mechanism in Advanced mode:
Sample 1
```python
import hmac
import hashlib

# ScanContext, PluginContext, TestCase and Assertion are provided by the scanner's
# plugin runtime; import them from the same module as your other Advanced-mode hooks.

def content_signature_prehook(scanctx: ScanContext, pluginctx: PluginContext, testcase: TestCase, **kwargs) -> list[Assertion]:
    attributes = testcase.get_attributes()
    login_url = "login_url"            # not used by this sample
    secret_key = "your_secret_key"     # the configured Private Key (shared HMAC secret)
    header_name = "your_header_key"    # the configured Header Key
    # set user
    normal_user = True
    bola_user = False
    # Sign the mutated body: the signature must cover the bytes that are actually sent,
    # otherwise every mutated request is rejected before it reaches application logic.
    payload = attributes.get_one("mutated.http.request.body", default="")
    signature = hmac.new(secret_key.encode(), payload.encode(), hashlib.sha256).hexdigest()
    # Tell the scanner which request attribute carries the credential.
    attributes.set("mutated.auth.attribute", "mutated.http.request.header." + header_name)
    if normal_user:
        attributes.set("mutated.role.user", signature)
        attributes.set("mutated.http.request.header." + header_name, signature)
    if bola_user:
        attributes.set("mutated.role.bolauser", signature)
    return []
```
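The following is an added example, not code from the original page or from the scanner's own plugin API, that shows both sides of the exchange described at the top of this page using the same HMAC-SHA256 construction as Sample 1. The client signs the exact bytes of the body, the server recomputes the HMAC over what it received and compares in constant time, and a body mutated after signing (which is what a scanner does when it fuzzes a request) is rejected until it is re-signed. The secret, header name, request dictionaries and body values are constructed for this example.

```python
import hmac
import hashlib

# Constructed values for this example; in practice they come from the
# Private Key and Header Key configuration.
SECRET_KEY = b"your_secret_key"
HEADER_NAME = "X-Content-Signature"


def sign_body(secret: bytes, body: bytes) -> str:
    """Client side: HMAC-SHA256 over the exact request bytes, hex-encoded."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def build_request(secret: bytes, body: bytes) -> dict:
    """Attach the signature header; the body must not change after this point."""
    return {"headers": {HEADER_NAME: sign_body(secret, body)}, "body": body}


def verify_request(secret: bytes, request: dict) -> bool:
    """Server side: recompute over the received bytes and compare in constant time."""
    presented = request["headers"].get(HEADER_NAME)
    if presented is None:
        return False  # missing signature: reject, never fall through to unauthenticated handling
    expected = sign_body(secret, request["body"])
    # compare_digest does not short-circuit on the first differing byte, so the
    # comparison time does not leak how much of a forged signature was correct.
    return hmac.compare_digest(expected.encode(), presented.encode())


def tamper(request: dict, new_body: bytes) -> dict:
    """Simulate a mutation applied after signing: the header is kept, the body changes."""
    return {"headers": dict(request["headers"]), "body": new_body}


if __name__ == "__main__":
    original = b'{"user_id": 42}'
    mutated = b'{"user_id": 43}'
    req = build_request(SECRET_KEY, original)
    print("untampered:", verify_request(SECRET_KEY, req))
    print("mutated after signing:", verify_request(SECRET_KEY, tamper(req, mutated)))
    print("re-signed mutated body:", verify_request(SECRET_KEY, build_request(SECRET_KEY, mutated)))
```

This is why the prehook reads `mutated.http.request.body` rather than the original body: the signature has to be recomputed over whatever the scanner actually sends, or the server will reject every mutated request and the test never exercises the application logic. Comparing with `hmac.compare_digest` rather than `==` is the check a server-side implementation should not omit.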