Burp Suite User Forum


How do I manage JSON Web Token auth in Burp?

Coleton | Last updated: Jul 08, 2015 05:33PM UTC

So, while doing active scanning and such, what's the best way to handle JSON Web Tokens that expire quickly? Basically, when Burp receives an auth failure, to run a POST request and retrieve the new JWT to place in the header.

PortSwigger Agent | Last updated: Jul 09, 2015 07:49AM UTC

Burp's session handling rules can handle situations like this for "normal" request parameters (e.g. URL query string, cookies), but they don't currently handle items within data formats like JSON, or in request headers. It's possible we might add this support in future. The best current solution would be to create a small extension that registers a custom session handling action, and implement what is necessary to update your outgoing request with the current token. You can then create a normal session handling rule that runs a macro to fetch a new token, and invoke your custom action with the macro results to apply the needed changes to the current request. A more manual and hacky approach would be to chain a second instance of Burp upstream from the first, and configure a match/replace rule in the Proxy, to update the token with a specific value. But you would need to manually ensure that the token was valid, and update the rule with a new value if it expired.

Burp User | Last updated: Aug 29, 2015 05:13AM UTC

Yeah, I have a working macro to update the token: Authorization: BEARER C0X2sKDMPkfTLYZxy8gxYg, but I don't know how to get Repeater etc. to update that field. I guess I need to start making my own extensions... these Java tokens are getting out of hand... I miss my days of just using curl/sed/awk/bash sometimes...

PortSwigger Agent | Last updated: Sep 01, 2015 01:12PM UTC

You might need to use an extension that registers a custom session handling action that processes the macro response and updates the current request accordingly. You can then define a session handling rule that runs your macro and invokes your extension.
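The approach PortSwigger describes in the two replies above (a macro fetches a fresh token, and an extension registered as a custom session handling action copies it into the outgoing request) can be sketched as a small Java extension against the classic Burp Extender API. This is an added example and not code from PortSwigger or from any extension linked in this thread. It assumes the login macro's final response is a JSON body with a "token" field holding the JWT, and that the target expects it as an Authorization: Bearer header; both the field name and the header format are assumptions you would adjust for your application.

```java
package burp;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Example session handling action: reads the JWT issued by a login macro and
// writes it into the Authorization header of the request Burp is about to send.
public class BurpExtender implements IBurpExtender, ISessionHandlingAction {
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    // Assumption: the macro's login response looks like {"token":"<jwt>"}.
    // A JWT is three base64url segments joined by dots (the signature may be empty for alg=none).
    private static final Pattern TOKEN_IN_BODY = Pattern.compile(
        "\"token\"\\s*:\\s*\"([A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]*)\"");

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("JWT session handling action (example)");
        // Makes this action selectable under "Invoke a Burp extension" in a session handling rule.
        callbacks.registerSessionHandlingAction(this);
    }

    @Override
    public String getActionName() {
        return "Copy JWT from macro response into Authorization header";
    }

    @Override
    public void performAction(IHttpRequestResponse currentRequest, IHttpRequestResponse[] macroItems) {
        if (macroItems == null || macroItems.length == 0) {
            callbacks.printError("No macro items available; request left unchanged");
            return;
        }
        // The last macro step is normally the login call that issues the token.
        IHttpRequestResponse login = macroItems[macroItems.length - 1];
        byte[] response = login.getResponse();
        if (response == null) {
            callbacks.printError("Macro step has no response; request left unchanged");
            return;
        }
        String token = extractToken(responseBody(response));
        if (token == null) {
            // Failing closed here avoids sending a stale token that would trigger another auth failure loop.
            callbacks.printError("No JWT found in macro response; request left unchanged");
            return;
        }
        currentRequest.setRequest(withBearer(currentRequest.getRequest(), token));
    }

    // Returns the response body as a string, using Burp's parser to find where headers end.
    private String responseBody(byte[] response) {
        IResponseInfo info = helpers.analyzeResponse(response);
        return helpers.bytesToString(Arrays.copyOfRange(response, info.getBodyOffset(), response.length));
    }

    // Pulls the first JWT-shaped "token" value out of the body, or null if none is present.
    static String extractToken(String body) {
        Matcher m = TOKEN_IN_BODY.matcher(body);
        return m.find() ? m.group(1) : null;
    }

    // Rebuilds the request with exactly one Authorization header carrying the new token.
    private byte[] withBearer(byte[] request, String token) {
        IRequestInfo info = helpers.analyzeRequest(request);
        List<String> headers = new ArrayList<>(info.getHeaders()); // first entry is the request line
        headers.removeIf(h -> h.regionMatches(true, 0, "Authorization:", 0, 14));
        headers.add("Authorization: Bearer " + token);
        byte[] body = Arrays.copyOfRange(request, info.getBodyOffset(), request.length);
        return helpers.buildHttpMessage(headers, body);
    }
}
```

Loaded into Burp, this action appears in the session handling rule editor; the rule described in the replies above runs the login macro first and then invokes this action so that the macro's items are passed in as macroItems. Scoping the rule to the tools and hosts you are actually testing keeps the token from being attached to unrelated traffic.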

Burp User | Last updated: Nov 23, 2015 01:47PM UTC

I'm seeing a need for this more and more often. Quite a pain to test JSON Web Token\Auth Bearer applications at the moment. Might we see something in the product soon? Or at least an example-template extension that we can adjust accordingly? Or a how-to document??

Burp User | Last updated: Dec 27, 2015 01:28AM UTC

Testing an Express-based app, which does the same (HTTP header Authorization on XHTML), left the logout calls in the scan, and now I need to change all the occurrences of that header. Also suspect I may have been testing as the wrongly logged-in user or the wrong session (bah humbug). For all the pain of change, at least local storage has roughly the same security model as the rest of the app, unlike cookies. Time to write my first extension, possibly.

Burp User | Last updated: Jul 29, 2016 10:10PM UTC

Bump. This would be a great feature to add... having to write extensions to do this is pretty time consuming. All that's needed is for the existing macro to support regex extraction of tokens from response bodies, and insertion into headers.

Burp User | Last updated: Nov 14, 2016 08:10PM UTC

I just committed a Burp extension to GitHub to handle this situation. It's available at: https://github.com/alexlauerman/UpdateToken It will probably need some modification for your app, but I figured I'd link to it here in case someone runs across this thread and finds it useful.
