Manipulating Authorization Token Using Burpsuite

During a web application security assessment of a web API, the Authorization token had a limitation: it was only valid for 5 minutes. Burp Suite was unable to complete a scan, or when it did complete, the results were not accurate because the Authorization token kept changing within that 5-minute window.

To overcome this, we needed a way around the restriction, since Burp Suite requires a valid token every time it sends a request, whether from the Scanner, Repeater or Intruder. A Google search led us to a website where a Burp extender (written in Python) had been published that fetches a new token and replaces it in the header every time Burp Suite makes a request. The extender inspects every request for the 'Authorization: Bearer' header, deletes it and replaces it with the new token so that the current session remains valid. The bearer token is generated by the following request, and it is returned inside the response body under the JSON key '###Token'.

Create Macro in Burpsuite

To automate the process, we need to create a macro in Burp Suite. The macro initiates a request to the server to refresh the bearer token. In Burp Suite, go to Project Options – Macro:

[Screenshot: Burp Suite, add new macro]

The Macro Recorder screen will appear; select the request that generates the bearer token.

[Screenshots: Burp Suite macro recorder]

Create Session Handling Rules in Burpsuite

To replace the expired token with a new one, we use the macro created above. The macro initiates a request to obtain a new bearer token, after which the Burp extender fetches the newly generated token and replaces it in the request header. To tie these steps together, we need to create a new session handling rule in Burp Suite.

[Screenshot: create Burp Suite session handling rule]

The rule checks whether the HTTP response matches the defined expression "HTTP/1.1 401 Unauthorized".

[Screenshot: Burp Suite session handling action editor]

If the response matches, the rule runs the macro and, once it has completed, invokes the Burp extender, which fetches the newly generated bearer token and replaces it in the request header.

[Screenshot: Burp Suite session handling action editor]
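The following is an added example of the extender logic described above; it is not the code from the original post or from twelvesec. It assumes the token-refresh response is JSON with the token under a key called access_token (the post redacts the real key as '###Token'), that the token request is the last item recorded by the macro, and that the Burp Extender API classes IBurpExtender and ISessionHandlingAction are available when running under Jython. The token extraction and header rewriting are kept in plain functions so they can be run and tested outside Burp.

```python
# Added example (not the original post's or twelvesec's code): bearer-token
# replacement for a Burp session handling action, with the pure-Python parts
# separated from the Burp glue so they run outside Burp as well.
import json
import re

# Assumption: the JSON key that carries the token in the refresh response.
# The post redacts the real key as '###Token'.
TOKEN_KEY = "access_token"

try:                      # Jython (Python 2) has basestring; Python 3 does not
    string_types = basestring
except NameError:
    string_types = str


def extract_token(response_body, key=TOKEN_KEY):
    """Return the token stored under `key` in a JSON response body,
    or None if the body is not JSON, not an object, or lacks the key."""
    try:
        data = json.loads(response_body)
    except ValueError:
        return None
    if not isinstance(data, dict):
        return None
    value = data.get(key)
    return value if isinstance(value, string_types) and value else None


def split_http_message(raw):
    """Split a raw HTTP message into (header lines, body) at the blank line."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        head, sep, body = raw.partition("\n\n")
    return head.splitlines(), body


def replace_bearer(header_lines, token):
    """Drop every existing 'Authorization: Bearer ...' header (case-insensitive,
    so a lowercase 'authorization:' is caught too) and append a fresh one.
    The request line and all other headers keep their order."""
    kept = [h for h in header_lines
            if not re.match(r"(?i)^authorization:\s*bearer\b", h)]
    kept.append("Authorization: Bearer " + token)
    return kept


def refresh_request(raw_request, refresh_response_body):
    """Pure-Python version of the session handling action: given a raw request
    and the body of the token-refresh response, return the request carrying a
    fresh bearer header. If no token can be extracted, the request is returned
    unchanged so a broken refresh never strips authentication silently."""
    token = extract_token(refresh_response_body)
    if token is None:
        return raw_request
    header_lines, body = split_http_message(raw_request)
    return "\r\n".join(replace_bearer(header_lines, token)) + "\r\n\r\n" + body


# Burp glue: only meaningful when loaded by Burp under Jython. Outside Burp the
# interfaces are replaced by empty stand-ins so the module still imports.
try:
    from burp import IBurpExtender, ISessionHandlingAction
except ImportError:
    class IBurpExtender(object):
        pass

    class ISessionHandlingAction(object):
        pass


class BurpExtender(IBurpExtender, ISessionHandlingAction):
    def registerExtenderCallbacks(self, callbacks):
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Bearer token refresher (example)")
        callbacks.registerSessionHandlingAction(self)

    def getActionName(self):
        return "Replace bearer token from macro response"

    def performAction(self, currentRequest, macroItems):
        # Assumption: the token-refresh request is the last item the macro ran.
        if not macroItems:
            return
        resp = macroItems[-1].getResponse()
        if resp is None:
            return
        resp_info = self._helpers.analyzeResponse(resp)
        body = self._helpers.bytesToString(resp[resp_info.getBodyOffset():])
        token = extract_token(body)
        if token is None:
            return  # leave the request untouched rather than sending it unauthenticated
        req = currentRequest.getRequest()
        req_info = self._helpers.analyzeRequest(req)
        headers = replace_bearer(list(req_info.getHeaders()), token)
        currentRequest.setRequest(
            self._helpers.buildHttpMessage(headers, req[req_info.getBodyOffset():]))


if __name__ == "__main__":
    # Constructed sample data: a stale request and a token-refresh response body.
    sample_request = ("GET /api/v1/me HTTP/1.1\r\nHost: api.example.test\r\n"
                      "Authorization: Bearer OLD\r\n\r\n")
    sample_refresh = '{"access_token": "abc123", "expires_in": 300}'
    print(refresh_request(sample_request, sample_refresh))
```

In Burp the session handling rule should run the macro first and then invoke this extension as the second action, matching the order described above; the action reads the macro's response, so a rule that invokes the extension without the macro will leave the request unchanged.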

Result

[Screenshots: Burp extender output; Burp Suite scanning result]

Credit: https://twelvesec.com/2017/05/05/authorization-token-manipulation/

Bearer Authorization Token (Burpsuite Extender)