Session Handling with JWT in Burp Suite (Part-4)

Vinay Kumar
5 min read · Mar 28, 2023


In Part-1, Part-2 & Part-3, we covered storing the access_token and refresh_token in the Burp cookie jar and using the access_token and refresh_token as required.

Now we are going to invoke an external Python script from the Burp extension. That script uses the Selenium WebDriver to perform the login through a headless Chrome browser. Since the browser traffic goes through the Burp proxy, JWT_1 is able to capture the access and refresh tokens and store them in the Burp cookie jar for further use.

Download links:

JWT_4 (Burp Extension): https://github.com/V9Y1nf0S3C/BurpExtension-JWT-4-session-handling/blob/main/jwt_4_webbrowser_login.py

External Python script for Selenium+ Chrome headless login: https://github.com/V9Y1nf0S3C/BurpExtension-JWT-4-session-handling/blob/main/jwt_4B_Chrome_Headless_AutoLogin.py

Script modifications:

In JWT_4, you need to modify line #36 to point at the auto-login script. This is highlighted in the figure below.

Fig 1: JWT_4 >> Place to call the external python script for headless login

The screenshot below shows where to change your Burp proxy listener (lines #25, 26). If you are comfortable with Python, you can also change lines #10–21 as required.

Fig 2: JWT_4B >> Place to modify the burp proxy settings in external python script

The screenshot below shows where to provide the login URL (#78) used to fetch the tokens. The login credentials are updated in #90, 91.

Fig 3: JWT_4B >> Place to modify the login URL, identifiers & login credentials in external python script

Since we are using WebDriver, you need to find the element identifiers (#86, 87, 94) for your application and change the script accordingly. Here is a sample screenshot of the website I am testing, for your reference.

Fig 4: JWT_4B >> Sample screenshot to find the element identifiers & login credentials in external python script

You can launch the external Python script manually from your command prompt for troubleshooting. Here is the sample output when you launch it from the command prompt.

Fig 5: JWT_4B >> Running the external python script from command prompt for troubleshooting

Please note that the Burp proxy must be running, otherwise the script may fail, since the provided script proxies all traffic through port 8080. Also note that Chrome is not headless when you call the script from the command prompt; I wrote the script that way intentionally so that troubleshooting is easy. To test Chrome in headless mode from the command prompt, just pass burp as a command-line argument. Here is an example:

python3 jwt_4B_Chrome_Headless_AutoLogin.py burp
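As an added example (this is not the author's jwt_4B script; the login URL, element ids and credentials are placeholders to replace for your application), here is how such an external auto-login script can be structured so that it routes Chrome through the Burp listener, refuses to start when the listener is not reachable, and only goes headless when the burp argument is present:

```python
"""Added example, not the author's jwt_4B script: skeleton of an external auto-login
script that drives Chrome through the Burp proxy so the extension in the proxy chain
can capture the tokens. LOGIN_URL, the element ids and the credentials are placeholders
(assumptions) to be replaced for the target application."""
import socket
import sys

PROXY_HOST = "127.0.0.1"                        # Burp proxy listener (assumption: Burp default)
PROXY_PORT = 8080
LOGIN_URL = "https://app.example.test/login"    # placeholder login URL
USERNAME_FIELD_ID = "username"                  # placeholder element ids
PASSWORD_FIELD_ID = "password"
SUBMIT_BUTTON_ID = "login-btn"
USERNAME = "testuser"                           # placeholder credentials
PASSWORD = "testpass"


def headless_requested(argv):
    """True when the script is called with the 'burp' argument, as the extension does.
    Without it (manual run from a command prompt) Chrome stays visible for troubleshooting."""
    return "burp" in argv[1:]


def proxy_is_listening(host, port, timeout_s=1.0):
    """Fail fast with a clear message instead of a Selenium timeout when Burp is not up."""
    try:
        with socket.create_connection((host, port), timeout=timeout_s):
            return True
    except OSError:
        return False


def chrome_arguments(headless, proxy_host=PROXY_HOST, proxy_port=PROXY_PORT):
    """Chrome switches: route everything via Burp, accept certificates signed by Burp's CA,
    and hide the window only when headless was requested."""
    args = [
        "--proxy-server=%s:%d" % (proxy_host, proxy_port),
        "--ignore-certificate-errors",
    ]
    if headless:
        # "--headless=new" needs Chrome 109+; use plain "--headless" on older builds.
        args += ["--headless=new", "--window-size=1280,800"]
    return args


def perform_login(headless):
    # Selenium is imported here so the helpers above can be exercised without it installed.
    from selenium import webdriver
    from selenium.webdriver.common.by import By
    from selenium.webdriver.support import expected_conditions as EC
    from selenium.webdriver.support.ui import WebDriverWait

    options = webdriver.ChromeOptions()
    for arg in chrome_arguments(headless):
        options.add_argument(arg)
    driver = webdriver.Chrome(options=options)
    try:
        driver.get(LOGIN_URL)
        wait = WebDriverWait(driver, 20)
        wait.until(EC.presence_of_element_located((By.ID, USERNAME_FIELD_ID))).send_keys(USERNAME)
        driver.find_element(By.ID, PASSWORD_FIELD_ID).send_keys(PASSWORD)
        driver.find_element(By.ID, SUBMIT_BUTTON_ID).click()
        # Wait until the login page is gone: by then the token responses have passed
        # through Burp, where JWT_1 stores them in the cookie jar.
        wait.until(lambda d: d.current_url != LOGIN_URL)
        return driver.current_url
    finally:
        driver.quit()


def main(argv=None):
    argv = sys.argv if argv is None else argv
    headless = headless_requested(argv)
    if not proxy_is_listening(PROXY_HOST, PROXY_PORT):
        print("Burp proxy not reachable on %s:%d; start Burp first" % (PROXY_HOST, PROXY_PORT))
        return 2
    print("Chrome mode: %s" % ("headless" if headless else "visible"))
    landed = perform_login(headless)
    print("Login finished, landed on %s" % landed)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it without arguments to watch the login in a visible Chrome window; run it as python3 script.py burp to get the headless behaviour the extension relies on. The --ignore-certificate-errors switch is what lets Chrome accept Burp's intercepting certificate; keep the script pointed at the local Burp listener only, since that switch disables certificate validation for the whole session.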

High level working flow of extension — JWT_4:

Fig 6: Burp Extension flow for JWT_4 (Burp Extension & Selenium Login)

Let's understand the flow of execution now. First we load the JWT_4 extension and configure the session handling rule so that it invokes the Burp extension only when the refresh_token is invalid. This Burp extension (JWT_4) calls the external Python script for the Chrome headless login. The external script launches Chrome with the help of Selenium WebDriver and proxies the Chrome traffic through Burp Suite (localhost:8080 by default). Once the login is completed, JWT_1 kicks into action automatically, collects the refresh_token and access_token and saves them in the Burp cookie jar.
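To make the extension side of this flow concrete, here is an added example (not the author's JWT_4 code) of a minimal Burp session-handling action written for Burp's Jython: it builds the command line for the external script, runs it to completion and writes the result to the extension's output pane. The script path is a placeholder to adjust; the stubbed interfaces in the except branch only exist so the helpers can be checked outside Burp.

```python
"""Added example, not the author's JWT_4 extension: the Burp (Jython) session-handling
action side, reduced to the parts that invoke the external login script.
AUTOLOGIN_SCRIPT is a placeholder path to adjust."""
import subprocess

try:
    from burp import IBurpExtender, ISessionHandlingAction
except ImportError:
    # The burp package only exists inside Burp's Jython; stub the interfaces so the
    # module also imports under plain Python for a quick check of the helpers.
    class IBurpExtender(object):
        pass

    class ISessionHandlingAction(object):
        pass

AUTOLOGIN_SCRIPT = "/opt/tools/jwt_4B_Chrome_Headless_AutoLogin.py"  # placeholder path
PYTHON_EXE = "python3"   # CPython with selenium installed, not Burp's own Jython


def build_command(script_path=AUTOLOGIN_SCRIPT, headless=True, python_exe=PYTHON_EXE):
    """Command line for the external script; the trailing 'burp' argument asks it to
    run Chrome headless, exactly like calling it by hand from a command prompt."""
    cmd = [python_exe, script_path]
    if headless:
        cmd.append("burp")
    return cmd


def run_autologin(cmd):
    """Run the script to completion and return (exit code, combined stdout/stderr).
    Popen + communicate works on both Jython 2.7 and CPython 3."""
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    out, _ = proc.communicate()
    return proc.returncode, out.decode("utf-8", "replace")


def summarize(rc, output, limit=2000):
    """One entry for the extension output pane, truncated so a chatty script
    does not flood the UI."""
    status = "OK" if rc == 0 else "FAILED (exit %d)" % rc
    return "JWT_4 autologin %s\n%s" % (status, output[:limit])


class BurpExtender(IBurpExtender, ISessionHandlingAction):
    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        callbacks.setExtensionName("JWT_4 example: Chrome headless login")
        callbacks.registerSessionHandlingAction(self)

    def getActionName(self):
        return "JWT_4 example: run external Chrome login"

    def performAction(self, currentRequest, macroItems):
        # Invoked by the session-handling rule once "Check session is valid" fails.
        # Chrome's login traffic goes through the proxy, where JWT_1 stores the fresh
        # tokens in the cookie jar; currentRequest itself is left untouched here.
        rc, output = run_autologin(build_command())
        self._callbacks.printOutput(summarize(rc, output))
```

Because performAction blocks until the external script exits, a login that hangs would stall the session-handling rule; the proxy check at the start of the external script keeps that failure quick and visible in the output pane.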

Steps to configure the Burp Suite Extension (JWT_4):

Step-1: Load the JWT_4 Python extension into Burp Suite. The logs in the UI section show the Burp extension being invoked, and then the external Python script (JWT_4B) being invoked.

Fig 7: JWT_4 extension in action

Step-2: Configure the Burp Session handling rule:

Fig 8: Configure the Burp Session handling rule (1–6)

Navigate to steps #1, 2 in the screenshot. Here we can see the refresh-token session handling rule that was created in JWT_3. Select it and click Edit (#3, 4). Now click on #5 and select “Check session is valid”. Configure the matching text in #6.

Fig 9: Configure the Burp Session handling rule (7–9)

Select #7 and #8 as shown in the diagram above. For #9, you can create an empty macro so that there is no extra load and we can still invoke our Chrome headless login action. The screenshot below shows what the empty macro looks like.

Fig 10: Configure the Burp Session handling rule (#9 in detail)

So far we are at #9. Now go to #10 and select our JWT_4 extension as shown in #11. Then select #12, 13. Once you complete #13, you can see #14.

Fig 11: Configure the Burp Session handling rule (#10–14)

Finally, we have completed the setup of multiple extensions to automate the login, fetch the tokens and use them. To test this, go to the Burp cookie jar, delete the refresh_token and wait for a minute. If the Intruder attack with a 1-minute interval is active, it will invoke the session handling rule, which then launches the external Python script. Since the external script launches the Chrome login headless, you will not see a new Chrome window being launched or the login being performed, but you can see the output shown in Fig 7.

I hope this helps automate your task, or at least gives you some ideas for modifying the script to your needs.
