Support Center

How do I manage JSON Web Token auth in Burp?

Coleton Pierson Jul 08, 2015 05:33PM UTC

So, while doing active scanning and such, what's the best way to handle JSON Web Tokens that expire quickly? Basically, when Burp receives an auth failure, run a POST request and retrieve the new JWT to place in the header.


Dafydd Stuttard Jul 09, 2015 07:52AM UTC Support Center agent

Burp’s session handling rules can handle situations like this for “normal” request parameters (e.g. URL query string, cookies), but they don’t currently handle items within data formats like JSON, or in request headers. It’s possible we might add this support in future.

The best current solution would be to create a small extension that registers a custom session handling action, and implement what is necessary to update your outgoing request with the current token. You can then create a normal session handling rule that runs a macro to fetch a new token, and invoke your custom action with the macro results to apply the needed changes to the current request.

A more manual and hacky approach would be to chain a second instance of Burp upstream from the first, and configure a match/replace rule in the Proxy, to update the token with a specific value. But you would need to manually ensure that the token was valid, and update the rule with a new value if it expired.


rmccurdyDOTcom Aug 29, 2015 05:13AM UTC
Yeah, I have a working macro to update the token:

Authorization: BEARER C0X2sKDMPkfTLYZxy8gxYg

but I don't know how to get Repeater etc. to update that field. I guess I need to start making my own extensions... these Java tokens are getting out of hand... I miss my days of just using curl/sed/awk/bash sometimes...

Dafydd Stuttard Sep 01, 2015 01:13PM UTC Support Center agent

You might need to use an extension that registers a custom session handling action that processes the macro response and updates the current request accordingly. You can then define a session handling rule that runs your macro and invokes your extension.
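The extension described in both of Dafydd's replies above, written out as an added example (this is not code from the original thread, from PortSwigger, or from the linked GitHub project). It uses the legacy `burp.*` Extender API of the thread's era: the class registers an `ISessionHandlingAction`, pulls the token out of the macro's final response with a regex, and rewrites (or adds) the `Authorization: Bearer` header on the outgoing request. The JSON field name `token`, the header shape, and the assumption that the last macro request is the login/refresh call are all assumptions that need adjusting per application.

```java
package burp;

import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class BurpExtender implements IBurpExtender, ISessionHandlingAction {

    // Assumption: the macro's final response carries a JSON body such as
    // {"token":"eyJhbGciOi..."}. Adjust the field name to the real application.
    private static final Pattern TOKEN_IN_BODY =
            Pattern.compile("\"token\"\\s*:\\s*\"([^\"]+)\"");

    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Bearer token session handling action (example)");
        // Makes this action selectable as a "Burp extension action handler" in a session handling rule.
        callbacks.registerSessionHandlingAction(this);
    }

    @Override
    public String getActionName() {
        return "Set Authorization: Bearer from macro response";
    }

    @Override
    public void performAction(IHttpRequestResponse currentRequest, IHttpRequestResponse[] macroItems) {
        // macroItems is null when the action is invoked without a preceding macro.
        if (macroItems == null || macroItems.length == 0) {
            callbacks.printError("No macro output: invoke this action from the rule's 'Run a macro' action.");
            return;
        }
        // Assumption: the last macro item is the login/refresh request whose response holds the token.
        byte[] response = macroItems[macroItems.length - 1].getResponse();
        if (response == null) {
            callbacks.printError("Macro request produced no response; leaving request unchanged.");
            return;
        }
        IResponseInfo respInfo = helpers.analyzeResponse(response);
        int off = respInfo.getBodyOffset();
        String body = new String(response, off, response.length - off, StandardCharsets.UTF_8);
        String token = extractToken(body);
        if (token == null) {
            callbacks.printError("No token found in macro response body; leaving request unchanged.");
            return;
        }

        byte[] request = currentRequest.getRequest();
        IRequestInfo reqInfo = helpers.analyzeRequest(request);
        List<String> headers = withBearer(reqInfo.getHeaders(), token);
        byte[] reqBody = Arrays.copyOfRange(request, reqInfo.getBodyOffset(), request.length);
        // buildHttpMessage re-serialises the request and recomputes Content-Length for the body.
        currentRequest.setRequest(helpers.buildHttpMessage(headers, reqBody));
    }

    // Returns the token captured from the response body, or null when the pattern does not match.
    static String extractToken(String body) {
        Matcher m = TOKEN_IN_BODY.matcher(body);
        return m.find() ? m.group(1) : null;
    }

    // Replaces an existing Authorization header (matched case-insensitively) or appends one if absent.
    // The first element of headers is the request line, which never matches.
    static List<String> withBearer(List<String> headers, String token) {
        List<String> out = new ArrayList<>();
        boolean replaced = false;
        for (String h : headers) {
            if (h.toLowerCase().startsWith("authorization:")) {
                out.add("Authorization: Bearer " + token);
                replaced = true;
            } else {
                out.add(h);
            }
        }
        if (!replaced) {
            out.add("Authorization: Bearer " + token);
        }
        return out;
    }
}
```

To wire it up: load the extension, then add a session handling rule whose action is "Run a macro" pointing at the login/refresh macro, and in that action's settings select the option to invoke a Burp extension action handler after the macro runs, choosing the action name above; that is what fills `macroItems`. Set the rule's scope to the tools you need (Scanner, Repeater, Intruder) and to the target host, otherwise the macro fires for every proxied request. Because the rule re-runs the macro on every in-scope request, a busy scan will hammer the login endpoint; pairing it with a "Check session is valid" action so the macro only runs after a 401 is the usual refinement.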


Elliott Nov 23, 2015 01:47PM UTC
I'm seeing a need for this more and more often. Quite a pain to test JSON Web Token / Auth Bearer applications at the moment.

Might we see something in the product soon? Or at least an example/template extension that we can adjust accordingly? Or a how-to document?

Simon Dec 27, 2015 01:28AM UTC
Testing an Express-based app, which does the same (HTTP Authorization header on XHTML); I left the logout calls in the scan, and now I need to change all the occurrences of that header.

Also suspect I may have been testing as the wrongly logged in user or the wrong session (bah humbug).

For all the pain of change, at least local storage has roughly the same security model as the rest of the app, unlike cookies.

Time to write my first extension possibly.

jj Jul 29, 2016 10:10PM UTC
Bump. This would be a great feature to add... having to write extensions to do this is pretty time consuming. All that's needed is for the existing macro to support regex extraction of tokens from response bodies, and insertion into headers.

Alex Lauerman Nov 14, 2016 08:10PM UTC
I just committed a Burp extension to GitHub to handle this situation. It's available at: https://github.com/alexlauerman/UpdateToken

It will probably need some modification for your app, but I figured I'd link to it here in case someone runs across this thread and finds it useful.