How do I manage JSON Web Token auth in Burp?
So, while doing active scanning and such, what's the best way to handle JSON Web Tokens that expire quickly? Basically, when Burp receives an auth failure, it should run a POST request and retrieve the new JWT to place in the header.
Burp’s session handling rules can handle situations like this for “normal” request parameters (e.g. URL query string, cookies), but they don’t currently handle items within data formats like JSON, or in request headers. It’s possible we might add this support in future.
The best current solution would be to create a small extension that registers a custom session handling action, and implement what is necessary to update your outgoing request with the current token. You can then create a normal session handling rule that runs a macro to fetch a new token, and invoke your custom action with the macro results to apply the needed changes to the current request.
A more manual and hacky approach would be to chain a second instance of Burp upstream from the first, and configure a match/replace rule in the Proxy, to update the token with a specific value. But you would need to manually ensure that the token was valid, and update the rule with a new value if it expired.
Authorization: BEARER C0X2sKDMPkfTLYZxy8gxYg
but I don't know how to get Repeater etc. to update that field. I guess I need to start making my own extensions... these Java tokens are getting out of hand... I miss my days of just using curl/sed/awk/bash sometimes...
You might need to use an extension that registers a custom session handling action that processes the macro response and updates the current request accordingly. You can then define a session handling rule that runs your macro and invokes your extension.
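The two replies above describe the same recipe: a session handling rule runs a login macro, then hands the macro result to a custom session handling action that rewrites the outgoing request. The following is an added example of such an action, written here for this thread; it is not code from PortSwigger or from the original posters. It is a Jython extension using the Burp Extender API (registerSessionHandlingAction, ISessionHandlingAction.performAction, IExtensionHelpers.analyzeResponse/analyzeRequest/buildHttpMessage). It assumes the login macro returns a JSON body with the token under one of the keys in TOKEN_KEYS and that the app expects "Authorization: Bearer <jwt>"; both are app-specific assumptions. The parsing and header-rewriting helpers are plain functions, so they also run outside Burp for testing.

```python
# -*- coding: utf-8 -*-
"""Example Burp session handling action (Jython): copy a fresh JWT from the
login macro's response into the Authorization header of the current request.
Assumptions (not from the thread): token arrives as JSON under TOKEN_KEYS and
the app expects "Authorization: Bearer <jwt>"."""
import json

try:
    from burp import IBurpExtender, ISessionHandlingAction
except ImportError:
    # Not running inside Burp (e.g. a test run): use plain stand-in base classes.
    class IBurpExtender(object):
        pass

    class ISessionHandlingAction(object):
        pass

try:
    string_types = basestring  # Jython / Python 2
except NameError:
    string_types = str         # Python 3

# Keys the login response is assumed to use for the token (app-specific assumption).
TOKEN_KEYS = ("access_token", "token", "jwt")


def extract_token(body_text, keys=TOKEN_KEYS):
    """Return the token from a JSON response body, or None when the body is not a
    JSON object or holds no non-empty string under any expected key."""
    try:
        data = json.loads(body_text)
    except ValueError:
        return None
    if not isinstance(data, dict):
        return None
    for key in keys:
        value = data.get(key)
        if isinstance(value, string_types) and value:
            return value
    return None


def rewrite_authorization(headers, token, scheme="Bearer"):
    """Return a copy of the header list (request line first, as Burp's
    IRequestInfo.getHeaders() supplies it) carrying exactly one Authorization
    header with the new token. Existing Authorization headers are replaced
    regardless of case or scheme; if none is present one is appended."""
    new_header = "Authorization: %s %s" % (scheme, token)
    result, replaced = [], False
    for header in headers:
        if header.lower().startswith("authorization:"):
            if not replaced:
                result.append(new_header)
                replaced = True
            continue  # drop stale duplicates
        result.append(header)
    if not replaced:
        result.append(new_header)
    return result


class BurpExtender(IBurpExtender, ISessionHandlingAction):
    """Registers the action. In the session handling rule, first run the login
    macro, then add an 'Invoke a Burp extension' action and pick this one."""

    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("JWT refresh from macro (example)")
        callbacks.registerSessionHandlingAction(self)

    def getActionName(self):
        return "Copy JWT from macro response into Authorization header"

    def performAction(self, currentRequest, macroItems):
        if not macroItems:
            return  # rule misconfigured: no macro ran before this action
        macro_response = macroItems[-1].getResponse()  # last macro step = token endpoint
        if macro_response is None:
            return
        resp_info = self._helpers.analyzeResponse(macro_response)
        body = self._helpers.bytesToString(macro_response[resp_info.getBodyOffset():])
        token = extract_token(body)
        if token is None:
            self._callbacks.printError("No token in macro response; request left unchanged")
            return
        req_info = self._helpers.analyzeRequest(currentRequest)
        raw = currentRequest.getRequest()
        new_headers = rewrite_authorization(list(req_info.getHeaders()), token)
        currentRequest.setRequest(
            self._helpers.buildHttpMessage(new_headers, raw[req_info.getBodyOffset():]))


def demo():
    """Offline walk-through on constructed data: a fake login response and a
    request still carrying an expired token."""
    login_body = '{"access_token": "eyJhbGciOiJIUzI1NiJ9.e30.c2ln", "expires_in": 300}'  # constructed
    request_headers = ["GET /api/me HTTP/1.1", "Host: app.example",
                       "Authorization: BEARER expired.old.token", "Accept: application/json"]
    return rewrite_authorization(request_headers, extract_token(login_body))


if __name__ == "__main__":
    print("\n".join(demo()))
```

Load the file under Extender > Extensions with the Jython standalone jar configured, record the login request as a macro, and in Project options > Sessions create a rule whose actions are "Run a macro" followed by "Invoke a Burp extension" pointing at this action, scoped to the tools (Scanner, Repeater, Intruder) you want covered. The action leaves the request untouched and logs an error when the macro response carries no token, so a broken login is visible rather than silently sending the stale header.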
Might we see something in the product soon? Or at least an example/template extension that we can adjust accordingly? Or a how-to document?
Also suspect I may have been testing as the wrongly logged in user or the wrong session (bah humbug).
For all the pain of change, at least local storage has roughly the same security model as the rest of the app, unlike cookies.
Time to write my first extension possibly.
It will probably need some modification for your app, but I figured I'd link to it here in case someone runs across this thread and finds it useful.