Home
OCISigner is a Burp Suite extension that signs OCI HTTP requests using multiple authentication methods:
- API Key
- Security Token (Session)
- Config Profile (Auto)
- Instance Principal
- Resource Principal
Use this wiki to install the extension, configure profiles, and understand signing behavior.
Note
For most credential types (Instance Principal is the exception), Test Credentials validates the profile by sending a signed probe request to the namespace endpoint.
The probe is an Object Storage GetNamespace (/n/) request sent to the supplied region to confirm credential and signing behavior.
Per the OCI documentation, GetNamespace does not require authorization, which makes it a good endpoint for validating credential handling regardless of granted permissions.
Figure 1. OCI Object Storage policy reference showing GetNamespace access behavior.
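To see what a signed GetNamespace probe covers, the sketch below builds the signing string and `Authorization` header for an API Key profile. It is an added example, not OCISigner's code: the function names, the placeholder OCIDs and the fixed date are constructed, and the host pattern, signed header set and `keyId` layout follow OCI's published request-signing scheme for GET requests.

```python
import base64
from email.utils import formatdate

# Headers covered by the signature on a body-less GET, in signing order.
SIGNED_HEADERS = ("date", "(request-target)", "host")


def signing_string(method, path, headers):
    """Return the canonical text that is signed: one 'name: value' line per header."""
    lines = []
    for name in SIGNED_HEADERS:
        if name == "(request-target)":
            value = f"{method.lower()} {path}"  # pseudo-header: verb plus path
        else:
            value = headers[name]
        lines.append(f"{name}: {value}")
    return "\n".join(lines)


def rsa_sha256(private_key_pem, data):
    """RSA PKCS#1 v1.5 / SHA-256 signer; needs the 'cryptography' package."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def build_probe(region, key_id, sign, date=None):
    """Build the GetNamespace (/n/) probe; 'sign' maps bytes to signature bytes."""
    headers = {
        "date": date or formatdate(usegmt=True),
        "host": f"objectstorage.{region}.oraclecloud.com",
    }
    to_sign = signing_string("GET", "/n/", headers)
    signature = base64.b64encode(sign(to_sign.encode("ascii"))).decode("ascii")
    headers["authorization"] = (
        'Signature version="1",'
        f'keyId="{key_id}",algorithm="rsa-sha256",'
        f'headers="{" ".join(SIGNED_HEADERS)}",signature="{signature}"'
    )
    return to_sign, headers


if __name__ == "__main__":
    # Constructed placeholders: tenancy OCID / user OCID / key fingerprint.
    KEY_ID = "ocid1.tenancy.oc1..example/ocid1.user.oc1..example/aa:bb:cc"
    text, hdrs = build_probe("us-phoenix-1", KEY_ID, lambda data: b"sig",
                             date="Mon, 01 Jan 2024 00:00:00 GMT")
    print(text)
    print(hdrs["authorization"])
```

For a real key, pass `lambda data: rsa_sha256(pem_bytes, data)` as `sign`. Comparing the printed signing string with the request Burp actually sends is a quick way to spot a header that was modified after signing.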
- Installation and Setup
- Auth Method - API Key
- Auth Method - Security Token
- Auth Method - Config Profile
- Auth Method - Instance Principal
- Auth Method - Resource Principal
- Feature Notes
- Signature Notes and Highlights
1. Install OCISigner in Burp.
2. Create a profile and choose an auth type.
3. Fill profile fields and click Save.
4. Click Test Credentials.
5. Set Always Sign With to the profile.
6. Send requests through Repeater or Proxy.
Figure 2. OCISigner dashboard overview in Burp.
Figure 3. OCISigner context menu entry from an HTTP message.