Session Handling with JWT in Burp Suite (Part-2)

Vinay Kumar
4 min read · Mar 24, 2023


In Part-1, we covered fetching the JWT token from the response and storing it in the Burp cookie jar. This post is the continuation of Part-1; if you have not followed Part-1, the steps below may not make sense.

Let's talk about JWT_2, which fetches the JWT token from the Burp cookie jar and replaces it in the HTTP request, invoked by Session Handling Rules.

Download link for JWT_2: https://github.com/V9Y1nf0S3C/BurpExtension-JWT-4-session-handling/blob/main/jwt_2_set_jwt.py

High-level working flow of the extension JWT_2:

The flow chart below helps you understand, at a high level, how the Burp extension JWT_2 works.

Fig 1: Burp Extension flow for JWT_2

Let's understand the flow of execution now. First we load the extension and configure the session handling rule. The session handling rule is used here to invoke the Burp extension, which in turn fetches the access_token from the Burp cookie jar, replaces the existing access_token in the request with the new token received from the cookie jar, and sends the request. So the user can see that the JWT token in the request has changed.
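To make the flow concrete, here is an added example of a Jython session handling action that does the job described above. It is not the JWT_2 code from the linked repository; it is written from the Burp Extender API (IBurpExtender, ISessionHandlingAction, getCookieJarContents, analyzeRequest, buildHttpMessage). The cookie name access_token comes from Part-1; the assumption that the JWT travels as an Authorization: Bearer header and/or an access_token cookie is mine, as are all sample values. The header-rewriting logic is plain Python so it can be run and tested outside Burp; the Burp class is only wired up when the burp package is importable.

```python
import base64
import json
import time

COOKIE_NAME = "access_token"  # cookie name JWT_1 stores in the jar (Part-1)

try:  # the burp package exists only when running under Jython inside Burp
    from burp import IBurpExtender, ISessionHandlingAction
except ImportError:  # outside Burp: stand-ins so the module still imports
    class IBurpExtender(object):
        pass

    class ISessionHandlingAction(object):
        pass


def pick_token(cookies, name=COOKIE_NAME):
    """Return the value of the last cookie named `name` in cookie-jar order
    (a list of (name, value) pairs), or None. The jar lists older entries
    first, so the last match is the most recently stored token."""
    token = None
    for cname, cvalue in cookies:
        if cname == name and cvalue:
            token = cvalue
    return token


def jwt_exp(token):
    """Return the `exp` claim of a JWT without verifying it, or None if it
    does not parse. Only used to log a warning about a stale jar token; it is
    not a validity check."""
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
        claims = json.loads(base64.urlsafe_b64decode(payload))
        return claims.get("exp")
    except (IndexError, ValueError, AttributeError):
        return None


def _replace_cookie(cookie_line, token, name=COOKIE_NAME):
    """Replace the value of cookie `name` inside one `Cookie:` header line."""
    prefix, _, value = cookie_line.partition(":")
    pairs = [p.strip() for p in value.split(";") if p.strip()]
    rewritten = []
    for pair in pairs:
        key = pair.partition("=")[0].strip()
        rewritten.append(name + "=" + token if key == name else pair)
    return prefix + ": " + "; ".join(rewritten)


def replace_jwt(headers, token):
    """Put `token` into the bearer Authorization header and the access_token
    cookie of a request's header lines. Returns (new_headers, changed)."""
    new_headers = []
    changed = False
    for line in headers:
        lower = line.lower()
        if lower.startswith("authorization: bearer "):
            new_line = "Authorization: Bearer " + token
        elif lower.startswith("cookie:"):
            new_line = _replace_cookie(line, token)
        else:
            new_line = line
        changed = changed or new_line != line
        new_headers.append(new_line)
    return new_headers, changed


def make_unsigned_jwt(claims):
    """Constructed, unsigned JWT-shaped string for local testing only."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return b64({"alg": "HS256", "typ": "JWT"}) + "." + b64(claims) + "."


class BurpExtender(IBurpExtender, ISessionHandlingAction):
    """'Invoke a Burp extension' in a session handling rule calls performAction."""

    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("JWT from cookie jar (example)")
        callbacks.registerSessionHandlingAction(self)

    def getActionName(self):
        return "Set JWT from cookie jar (example)"

    def performAction(self, currentRequest, macroItems):
        jar = [(c.getName(), c.getValue())
               for c in self._callbacks.getCookieJarContents()]
        token = pick_token(jar)
        if token is None:
            self._callbacks.printOutput("no %s in cookie jar; request unchanged" % COOKIE_NAME)
            return
        exp = jwt_exp(token)
        if exp is not None and exp < time.time():
            self._callbacks.printOutput("warning: %s in jar expired at %d" % (COOKIE_NAME, exp))
        request = currentRequest.getRequest()
        info = self._helpers.analyzeRequest(request)
        new_headers, changed = replace_jwt(list(info.getHeaders()), token)
        if changed:
            body = request[info.getBodyOffset():]
            currentRequest.setRequest(self._helpers.buildHttpMessage(new_headers, body))
            self._callbacks.printOutput("replaced JWT in: " + new_headers[0])
```

The expiry warning is there because the jar keeps whatever the last login stored: if the token has already expired, the rule still rewrites the request and Repeater will show a 401 rather than the 200 you expect, and the log line tells you why before you start debugging the rule itself.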

Steps to configure the extension:

Step-1: Load the JWT_2 Python extension into Burp Suite. The logs in the UI section show that the JWT cookie is fetched from the Burp cookie jar.

Fig 2: JWT_2 extension in action

Step-2: Configure the Burp Session handling rule:

Fig 3: Configure the Burp Session handling rule (1–7)

Follow steps #1–6 in the screenshot. When you create a new rule, the Rule actions window will be empty, which is expected. Now select “Invoke a Burp extension” in #6, select JWT_2 and click OK.

Fig 4: Configure the Burp Session handling rule (8–11)

Now go to the Scope tab (#8) and select which tools this rule applies to. If you are unsure, I advise selecting at least Repeater and Scanner, which covers both automated scanning and manual analysis.

To improve performance (it matters a lot, because we don't want Burp crashing or slowing down during a pentest), select a custom scope and paste the API path, because the JWT is only used for API calls. Now press OK.

Well done, the configuration is complete. Let's test whether the Burp tools can fetch the JWT token from the cookie jar. Before the test, make sure the Burp cookie jar has the JWT (access_token) cookie available. If not, configure JWT_1 as described in Part-1 of this series and log in from the web browser so that the access_token is loaded into the Burp cookie jar (as shown in the screenshot below).

Fig 5: JWT Token is stored in the Burp Cookie jar.

Step-3: Test whether the Burp extension is able to fetch the access_token/JWT from the cookie jar.

Let's go to Repeater (assuming the Repeater tool was selected in Fig 4, #9), replace the JWT token in the request with a few random characters and click Send. If our Burp extension is working properly, you should see the JWT token in the request header changed to the one available in the cookie jar. If that JWT token is still valid at the time you test, you will see a “200 OK” response.

Fig 6: The session handling rule invoked the JWT_2 extension, which fetched the JWT from the cookie jar and replaced it in the request (highlighted).

In Part-3, we are going to automate renewing the access_token and the refresh_token every minute, so that a JWT token with 3 minutes of validity is replaced with a fresh one every minute automatically.

See you ;)
