Session Handling with JWT in Burp Suite (Part-1)
During the automated scanning phase of a web pentest, we may need to work with JWTs, which raise the following challenges. I had the same challenges and came up with a solution (not clean, but it does the job).
- The JWT lifetime is too short (3 minutes in my case), which makes it very annoying to fetch the token from Burp Proxy every time and use it in Burp Repeater.
- JWTs need to be sent in a dedicated request header (like Authorization:) instead of a cookie, so the Burp Suite cookie jar does not help to fetch them automatically and use them during automated scans.
- Since these tokens are not received as cookies (at least in my case), we need storage in Burp Suite to keep the JWT tokens and use them later. We achieve this by using the Burp Suite cookie jar.
Without further delay, let's find out if your application also has the same flow and get our hands dirty ;). In one of my web pentests, I had the following requirements.
- The web site uses OAuth to log in with username and password and then returns a JWT token and a refresh token (this is a multi-step login process, e.g. https://test.com/app1/portal/oauth2/v1/token).
- The JWT token is valid for 3 minutes and needs to be sent in the Authorization header for all APIs (e.g. https://test.com/app1/portal/api/).
- After 3 minutes the JWT token expires, so we need to use the refresh token (in the POST body) to get a new JWT valid for another 3 minutes.
- The refresh token is valid only once (like an anti-CSRF token), and the new refresh token has to be used every time.
In order to run my scan, I came up with the following extensions:
JWT_1: Fetch the JWT and refresh tokens from the response and save them in the Burp cookie jar for later use (covered in this post)
JWT_2: Get the JWT token from the Burp cookie jar and use it in Burp requests as required (Part-2 in this series)
JWT_3: Get the refresh token from the Burp cookie jar and use it in Burp requests as required (Part-3 in this series)
JWT_4: When the refresh token is invalid, run a Python script that launches a web browser with the Selenium WebDriver and proxies the traffic through Burp Suite, so that JWT_1 can collect the new tokens and update the cookie jar (Part-4 in this series)
Note: If you are not sure how to load the following Python extension in Burp Suite, please refer to the post Setting up your custom python extensions in Burp Suite
Let's talk about Part-1 (JWT_1)
Now I'm going to tell you briefly about fetching the JWT token and the refresh token from your Burp Suite traffic and storing them in the cookie jar.
I searched Google, found some references to similar Burp plugin code, and modified it as per my needs.
Burp Suite Extension for JWT_1: https://github.com/V9Y1nf0S3C/BurpExtension-JWT-4-session-handling/blob/main/jwt_1_get_jwt_refreshToken.py
High-level working flow of this extension:
1. Listens to the traffic in all Burp Suite tools (like Proxy, Repeater, Intruder, etc.) and checks whether the response is JSON and contains refresh_token or access_token.
2. If these tokens are present in the response, fetches them and adds them to the Burp Suite cookie jar.
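The two-step check above, as an added example in plain Python (not the extension's own Jython code from the linked repository): it takes a raw token response, confirms it is JSON carrying access_token and/or refresh_token, and turns the tokens into cookie-jar style entries, reading the JWT's own exp claim so the stored copy can be retired when the 3-minute token dies. It assumes a Content-Type header check in place of Burp's inferred MIME type and a constructed, unsigned sample token; inside Burp the host would come from the message's HTTP service.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Constructed sample token response (not real traffic): an unsigned JWT whose
# "exp" claim is 3 minutes after issue, plus a one-time refresh token.
SAMPLE_EXP = 1700000000 + 180
SAMPLE_JWT = ".".join([
    _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"sub": "user1", "exp": SAMPLE_EXP}).encode()),
    "",  # empty signature segment
])
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
    + json.dumps({"access_token": SAMPLE_JWT, "token_type": "Bearer",
                  "refresh_token": "constructed-refresh-token-1"})
).encode()

def jwt_exp(token: str):
    """Return the JWT 'exp' claim; no signature check, it only bounds the
    lifetime of the stored copy, not whether the token is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # bad base64url, bad UTF-8 or bad JSON
        return None
    return claims.get("exp") if isinstance(claims, dict) else None

def extract_tokens(raw_response: bytes, host: str) -> list:
    """JWT_1's check in plain Python: a JSON response carrying access_token
    and/or refresh_token yields cookie-jar style entries for that host."""
    head, sep, body = raw_response.partition(b"\r\n\r\n")
    if not sep or b"application/json" not in head.lower():
        return []
    try:
        data = json.loads(body)
    except ValueError:
        return []
    entries = []
    for name in ("access_token", "refresh_token"):
        value = data.get(name) if isinstance(data, dict) else None
        if isinstance(value, str):
            # only the JWT carries its own expiry; the refresh token is one-shot
            exp = jwt_exp(value) if name == "access_token" else None
            entries.append({"name": name, "value": value,
                            "domain": host, "expiration": exp})
    return entries
```

In the real extension each entry becomes an ICookie object handed to callbacks.updateCookieJar(); Parts 2 and 3 then read them back out of the jar.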
Here is the flow of the extension as an old-school (yet good) flow chart.
In the later parts of this series, I will show you how to use these tokens.