CenturionInfoSec/pstoken-burp-plugin

Oracle PeopleSoft PS_TOKEN Extractor

Created by Sayed Hamzah, Centurion Information Security
Twitter handle: @xxxbaemaxxx

Overview

This is a Burp Plugin implementation of the TokenChpoken Tool developed by ERPScan.

To use it, go to the dist/ folder and download the .py file onto your machine. Then simply add it as a Burp Plugin under the "Extender" tab. (Jython is required for this plugin to work!)

Functionalities

  • Extracts and displays token information based on the decompressed data
  • Generates the Hashcat format : to perform brute-force/dictionary attacks in order to obtain the local node password
  • Generates a new PSTOKEN value that can be used in order to authenticate as another user (requires knowledge of the local node password, if need be)

References

https://erpscan.com/author/alexey-tyurin/
http://peoplesofttutorial.com/how-peoplesoft-single-signon-works/
https://erpscan.com/press-center/blog/peoplesoft-security-part-4-peoplesoft-pentest-using-tokenchpoken-tool/

About

Jython Burp Plugin for PS_TOKEN
