Session Handling with JWT in Burp Suite (Part-3)

Vinay Kumar
Mar 24, 2023


In Part-1 & Part-2, we covered storing the access_token and refresh_token in the Burp cookie jar and using the access_token wherever it is required.

Now we are going to use the refresh_token at a regular interval (for example, every 1 minute) to obtain a new refresh_token and access_token.

Download link for JWT_3: https://github.com/V9Y1nf0S3C/BurpExtension-JWT-4-session-handling/blob/main/jwt_3_set_refreshtoken.py

High-level working flow of the extension JWT_3:

Fig 1: Burp Extension flow for JWT_3

Let's understand the flow of execution. First we load the extension and configure a session handling rule. The session handling rule is what invokes the extension: for every in-scope request, the extension fetches the refresh_token from the Burp cookie jar, replaces the refresh_token in the request body with the value taken from the cookie jar, and lets the request go out with the fresh token.
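The body rewrite described above, as an added example that is not the JWT_3 extension's own code: a pure-Python version of the two things a session handling action has to do, look up the newest refresh_token in the cookie jar and swap it into a JSON or form-encoded request body (recomputing Content-Length). The Burp API (`IBurpExtender`, `ISessionHandlingAction`, `callbacks.getCookieJarContents()`) only exists inside Burp, so the cookie jar is a constructed list of dicts, the Burp wiring is sketched in a comment, and the field names, hostname and token values are assumptions.

```python
"""Core logic of a refresh-token session handling action (added example,
not the JWT_3 source). Runs without Burp; see the comment at the bottom
for how the same functions would be called from a Jython extension."""
import json
from urllib.parse import parse_qsl, urlencode

# Constructed stand-in for callbacks.getCookieJarContents(): Burp returns
# ICookie objects, here we use dicts. Names/values are hypothetical.
COOKIE_JAR = [
    {"name": "access_token", "value": "eyJhbGciOi.ACCESS.sig"},
    {"name": "refresh_token", "value": "eyJhbGciOi.REFRESH.ODU="},
]


def token_from_jar(cookie_jar, name):
    """Return the last cookie value with this name, or None.

    The jar is in insertion order and JWT_1 re-adds the cookie after every
    /token response, so the last match is the freshest one (assumption:
    your JWT_1 setup appends rather than de-duplicating)."""
    value = None
    for cookie in cookie_jar:
        if cookie["name"] == name:
            value = cookie["value"]
    return value


def replace_token_in_body(body, name, new_value):
    """Replace the `name` field in a JSON or form-encoded body.

    Returns (new_body, replaced) so the caller can log a miss instead of
    silently sending the stale token the tester typed in."""
    stripped = body.lstrip()
    if stripped.startswith("{"):
        data = json.loads(stripped)
        if name not in data:
            return body, False
        data[name] = new_value
        return json.dumps(data), True
    # application/x-www-form-urlencoded: only the matching key is touched
    pairs = parse_qsl(body, keep_blank_values=True)
    if not any(k == name for k, _ in pairs):
        return body, False
    pairs = [(k, new_value if k == name else v) for k, v in pairs]
    return urlencode(pairs), True


def build_refresh_request(request_headers, body, cookie_jar):
    """What performAction() does: swap in the jar's refresh_token and fix
    Content-Length. Returns (headers, body, status) for logging."""
    token = token_from_jar(cookie_jar, "refresh_token")
    if token is None:
        return request_headers, body, "no refresh_token in cookie jar"
    new_body, replaced = replace_token_in_body(body, "refresh_token", token)
    if not replaced:
        return request_headers, body, "request body has no refresh_token field"
    headers = [h for h in request_headers
               if not h.lower().startswith("content-length:")]
    headers.append("Content-Length: %d" % len(new_body.encode()))
    return headers, new_body, "replaced"


# Inside Burp (Jython, sketch, not tested here) the same functions are
# called from ISessionHandlingAction.performAction(currentRequest, macroItems):
#   jar = [{"name": c.getName(), "value": c.getValue()}
#          for c in self._callbacks.getCookieJarContents()]
#   info = self._helpers.analyzeRequest(currentRequest)
#   headers = list(info.getHeaders())
#   body = self._helpers.bytesToString(
#       currentRequest.getRequest()[info.getBodyOffset():])
#   headers, body, status = build_refresh_request(headers, body, jar)
#   currentRequest.setRequest(self._helpers.buildHttpMessage(headers, body))
# buildHttpMessage recomputes Content-Length itself; we do it above only
# so the stand-alone version produces a well-formed request.
```

The status string is the one thing worth surfacing in the extension's UI log: a refresh call whose body was not rewritten is the usual reason for a "200 OK" with the old token, or a 400 from the token endpoint.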

In my case, I need a new access_token every 3 minutes, so I'm going to use the Burp Intruder tool to call, at a fixed interval, the endpoint that issues a new refresh_token & access_token.

Steps to configure the extension:

Step-1: Load the JWT_3 Python extension into Burp Suite. The log in the extension's UI section shows the JWT cookie being fetched from the Burp cookie jar.

Fig 2: JWT_3 extension in action

Step-2: Configure the Burp Session handling rule:

Fig 3: Configure the Burp Session handling rule (1–7)

Follow steps #1–6 in the screenshot. When you create a new rule, the Rule actions list is empty, which is expected. Select “Invoke a Burp extension” (#6), choose JWT_3 from the list, and click OK.

Fig 4: Configure the Burp Session handling rule (8–12)

Now go to the Scope tab (#8) and select which tools this rule applies to. To fetch the refresh token at a regular interval, select Intruder (#9). If you are unsure about the remaining tools, select Repeater as well (#10); it is the tool we use for the manual test in Step-3.

Define a custom URL scope (#11) so that the JWT_3 extension is invoked only for the session renewal (token refresh) requests, not for every request these tools send.

That completes the configuration. Let's test whether the Burp tools can fetch the refresh token from the cookie jar. Before testing, make sure the Burp cookie jar actually contains the refresh_token cookie. If it does not, configure JWT_1 as described in Part-1 of this series and log in from the web browser so that the refresh_token is loaded into the Burp cookie jar (as shown in the screenshot below).

Fig 5: JWT Token is stored in the Burp Cookie jar.

Step-3: Test whether the Burp extension can fetch the refresh_token from the cookie jar.

Go to Repeater (assuming Repeater was selected in Fig 4 #10), replace the refresh token in the request body with a few random characters and click Send. If the extension is working, the refresh token in the request body is swapped for the value from the cookie jar before the request is sent. If that refresh token is still valid at the time you test, you get a “200 OK” response containing a new refresh token (and of course a new access_token).

Fig 6: The session handling rule invoked the JWT_3 extension, which fetched the refresh token from the cookie jar and replaced it in the request (highlighted).

Send the request once more: the refresh_token received in the previous response (Fig 6, ending in ODU=) is now used in the current request (Fig 7), which confirms that the session handling rule is working end to end.

Fig 7: Refresh token from previous response is automatically used in the current request

Step-4: This additional step for JWT_3 calls the /token/ API endpoint at a fixed interval so that we keep receiving new access & refresh tokens. My Intruder tool screenshots are below for reference.

Fig 8: Positions tab in Intruder showing the /token endpoint being called. No payload positions are needed here; just clear all placeholders.
Fig 9: Payloads tab in Intruder showing the Null payloads type with “Continue indefinitely” selected. Remember to stop the attack once your work is done; otherwise it keeps calling /token/ for as long as Burp is running.
Fig 10: Resource pool tab in Intruder showing a pool with maximum concurrent requests set to 1 and a fixed delay of 60000 milliseconds between requests, i.e. one request every minute. Adjust the delay to your JWT token validity; it must be shorter than the access_token lifetime, otherwise you are working with expired tokens between refreshes.
Fig 11: Results tab in Intruder showing that the access and refresh tokens are received.

The access & refresh tokens received in Intruder (Fig 11) are stored in the Burp cookie jar by the JWT_1 extension, so every tool scoped to the rule picks up the newest pair. With this approach you always have valid tokens at hand during your pentest.
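To size the delay in Fig 10 from the token itself instead of guessing, here is an added example (not part of the original post or the JWT_3 code) that reads the `exp` claim from the access_token returned by /token/ and turns it into the Intruder fixed delay, and that tells you whether the refresh_token sitting in the cookie jar is already dead before you start the attack. It assumes the tokens are JWTs with a numeric `exp` claim (RFC 7519); the tokens in the test are constructed and unsigned, and the helper names are mine.

```python
"""Derive the Intruder refresh delay from the access_token's exp claim
(added example, not the JWT_3 source)."""
import base64
import json
import time


def jwt_claims(token):
    """Decode the payload of a JWT without verifying the signature.

    Verification is the server's job; on the client side we only need to
    read exp, so no key material is involved."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    # JWTs strip base64url padding; restore it before decoding
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def token_expired(token, now=None, leeway_s=0):
    """True if the token's exp is in the past (optionally with clock leeway).
    A refresh_token that is expired or revoked cannot be fixed by JWT_3;
    that needs a fresh browser login (Part-4)."""
    now = time.time() if now is None else now
    exp = jwt_claims(token).get("exp")
    return exp is not None and exp <= now + leeway_s


def refresh_delay_ms(access_token, now=None, margin_s=30, minimum_ms=5000):
    """Milliseconds to wait before calling /token/ again (Fig 10 value).

    Renews `margin_s` seconds before exp so the last in-flight requests
    never carry a token that dies mid-scan, and never goes below
    `minimum_ms` so an already-expired token cannot turn the Intruder
    attack into a zero-delay hammering loop."""
    now = time.time() if now is None else now
    exp = jwt_claims(access_token).get("exp")
    if exp is None:
        raise ValueError("access_token has no exp claim; set the delay by hand")
    remaining = exp - now - margin_s
    return max(int(remaining * 1000), minimum_ms)


def make_unsigned_jwt(claims):
    """Constructed test token: base64url(header).base64url(claims). with an
    empty signature. Only for feeding the functions above offline."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return "%s.%s." % (b64({"alg": "none", "typ": "JWT"}), b64(claims))
```

Run `refresh_delay_ms()` once against a real access_token from Fig 11 and paste the result into the resource pool's fixed delay; if `token_expired()` is true for the refresh_token in the cookie jar, Step-3 will fail no matter how the rule is configured.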

In Part-4, we will cover web browser automation with Selenium WebDriver. This helps when the refresh token itself has expired or been revoked and a full login is needed.

See you ;)
