Come on burp suite tool has a built-in session mechanism, more and more often I meet situations where i just can not cope with keeping it active. This is most often caused by one of the following factors:
- Dynamic CSRF tokens hidden in different places of the request;
- specific header values instead of cookies (e.g. JWT);
- use of dual tokens (access/refresh tokens), mainly in mobile applications;
Recently, I came up with a great plugin that makes it much easier to carry out automatic scans. I tested it, among other things, in a scenario with a JWT token (OAuth 2.0 / bearer token), which changes every few minutes and with a clear conscience I can recommend.
The quick start guide looks like this:
- We catch the request responsible for logging in (in response to which we get the bearer token) and send it to the ATORa.
- We select from the answer a string that interests us and give it a name.
- We provide how the plugin can identify that the session has been "killed".
- We indicate the formula by which our session token is to be replaced in the new requests. We use regular expressions here. It is worth testing them in advance on the regexr website.
- If you use additional plug-ins for automatic scanning, please select this in the ATORa settings.
The plugin can be found on Githubie synopsys