Burp Suite User Forum


Authenticated Scan : Authorization header in every request used for SPA

Sangam | Last updated: Nov 10, 2020 07:10AM UTC

Hi, I am stuck with the authorization part for my application, which uses a "security token service" (OpenID Connect + OAuth2).

Application working:
1) Login page: enter login credentials and click on the submit button; it responds with an authorization bearer token.
2) For every subsequent request it explicitly uses the bearer token in the header to authenticate the user.

Possible solution: Can we create a script which fetches the token and uses it for every request before it is sent through Burp for passive/active scanning?

Solution we implemented with OWASP ZAP: In OWASP ZAP we can create an authentication script and extract the token; this token is set as a global variable, and then with an "httpsender" script we can set that global variable in the header before every request is made. That way it can be an authenticated scan and our purpose is solved. Do we have anything like that?

Needless to say, we tried recording the login sequence and using it, but were not able to run it because it was not triggering the browser, even though we enabled the browser and loaded the Burp Navigation Recorder extension. We also checked the browser health and it was showing no error. Right now we are using the custom header extension, where we manually enter the bearer token as a hard-coded value. Can you please help with how we can achieve this programmatically for an SPA? It would be a great help. Thanks

Uthman, PortSwigger Agent | Last updated: Nov 10, 2020 09:35AM UTC

Hi Sangam, Have you considered configuring a session handling rule? You can check if a session is valid > issue a request to validate the session > configure a macro to extract the token from the previous response.
- https://portswigger.net/burp/documentation/desktop/options/sessions/macro-editor
- https://www.cyberis.co.uk/burp_macros.html

Sangam | Last updated: Nov 10, 2020 11:49AM UTC

Yes we tried with session handling but did not work out that well.

Uthman, PortSwigger Agent | Last updated: Nov 10, 2020 11:53AM UTC

Thanks. Have you taken a look at any other BApps?
- Custom Parameter Handler - https://portswigger.net/bappstore/a0c0cd68ab7c4928b3bf0a9ad48ec8c7
- Authentication Token Obtain and Replace - https://portswigger.net/bappstore/51327b097b354243b307b4ed87ba39eb

Sangam | Last updated: Nov 12, 2020 09:27AM UTC

Hi, Didn't work out well. Can we do anything like what is stated below, where we can set the script in a folder, or set it as an environment, which would be reusable and which Burp Suite can access? "Solution we implemented with OWASP ZAP: In OWASP ZAP we can create an authentication script and extract the token; this token is set as a global variable, and then with an "httpsender" script we can set that global variable in the header before every request is made. That way it can be an authenticated scan and our purpose is solved." Let me know if we can do this? Thanks

Uthman, PortSwigger Agent | Last updated: Nov 12, 2020 09:28AM UTC

Hi Sangam, You can try this by using the Extender API: https://portswigger.net/burp/extender/api/
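As an added illustration of the Extender API route suggested above (this is example code, not from the thread or from PortSwigger), a minimal Java extension that does what the ZAP "httpsender" script did: it obtains a bearer token from the STS, caches it until shortly before `expires_in`, and rewrites the `Authorization` header of every in-scope request any Burp tool sends. The STS URL, the client credentials and the use of the resource-owner-password grant are hypothetical placeholders; adjust `TOKEN_BODY` to whatever grant your STS accepts.

```java
package burp;
import java.io.IOException;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.regex.*;

public class BurpExtender implements IBurpExtender, IHttpListener {
    private static final String TOKEN_URL = "https://sts.example.com/connect/token"; // hypothetical STS endpoint
    private static final String TOKEN_BODY = // hypothetical client credentials: replace with your own
        "grant_type=password&client_id=CLIENT_ID&scope=openid&username=USER&password=PASS";
    private static final Pattern ACCESS = Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"]+)\"");
    private static final Pattern EXPIRES = Pattern.compile("\"expires_in\"\\s*:\\s*(\\d+)");
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;
    private String token;   // cached bearer token, only touched inside synchronized currentToken()
    private long expiresAt; // epoch millis after which the token is fetched again
    public void registerExtenderCallbacks(IBurpExtenderCallbacks cb) {
        callbacks = cb;
        helpers = cb.getHelpers();
        cb.setExtensionName("Bearer token injector (example)");
        cb.registerHttpListener(this); // invoked for every request any Burp tool sends
    }
    public void processHttpMessage(int toolFlag, boolean isRequest, IHttpRequestResponse msg) {
        if (!isRequest) return;
        IRequestInfo info = helpers.analyzeRequest(msg);
        if (!callbacks.isInScope(info.getUrl())) return; // only in-scope targets receive the token
        String bearer;
        try { bearer = currentToken(); } catch (IOException e) { callbacks.printError("token fetch failed: " + e); return; }
        List<String> headers = info.getHeaders();
        headers.removeIf(h -> h.regionMatches(true, 0, "Authorization:", 0, 14)); // drop any stale or hard-coded header
        headers.add("Authorization: Bearer " + bearer);
        msg.setRequest(helpers.buildHttpMessage(headers,
            Arrays.copyOfRange(msg.getRequest(), info.getBodyOffset(), msg.getRequest().length)));
    }
    // Talks to the STS directly rather than through Burp, so the token request never re-enters this listener.
    private synchronized String currentToken() throws IOException {
        if (token != null && System.currentTimeMillis() < expiresAt) return token;
        HttpURLConnection c = (HttpURLConnection) new URL(TOKEN_URL).openConnection();
        c.setRequestMethod("POST"); c.setDoOutput(true);
        c.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        c.getOutputStream().write(TOKEN_BODY.getBytes(StandardCharsets.UTF_8));
        String json = new Scanner(c.getInputStream(), "UTF-8").useDelimiter("\\A").next();
        Matcher a = ACCESS.matcher(json), e = EXPIRES.matcher(json);
        if (!a.find()) throw new IOException("no access_token in STS response");
        token = a.group(1);
        long ttl = e.find() ? Long.parseLong(e.group(1)) : 300; // assume 5 minutes if expires_in is absent
        expiresAt = System.currentTimeMillis() + Math.max(ttl - 30, 1) * 1000; // refresh 30 s early
        return token;
    }
}
```

Compile it against the Burp Extender API jar, load the resulting jar under Extender > Extensions, and add the SPA's API host to the target scope; the scope check is what keeps the token from leaking to third-party hosts the scanner may touch.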

Sangam | Last updated: Nov 20, 2020 06:05AM UTC

Hi, I am looking to procure a license for the Professional version. The only question I have as of now is: Can I call the embedded browser of Burp Suite programmatically? If yes, can you please explain it? I will record the authentication and use it for further authenticated scans. It would be a great help. Thanks

Uthman, PortSwigger Agent | Last updated: Nov 20, 2020 09:04AM UTC

Can you clarify what you mean by "call the embedded browser of Burp Suite programmatically"? What are you trying to do?

Sangam | Last updated: Nov 23, 2020 11:38AM UTC

I mean the Chromium browser which is provided by Burp Suite, i.e. the one that can be triggered by clicking on the Open Browser button in the Proxy tab > Intercept > Open Browser. Can we access and trigger the Chromium browser via API/programmatically?

Uthman, PortSwigger Agent | Last updated: Nov 23, 2020 11:42AM UTC

Thanks for clarifying. Unfortunately, you cannot do this. You can find the embedded browser in <HOME-DIRECTORY>/.BurpSuite/burpbrowser/86.0.4240.183/ if you want to create any custom scripts.

Sangam | Last updated: Nov 24, 2020 05:13AM UTC

Thanks. I have procured a Burp Suite Professional license via my company profile. Thanks for the help. By custom script, can you please elaborate? Do you mean I can invoke the browser with Selenium and run the script, which will eventually capture the traffic to Burp?

Uthman, PortSwigger Agent | Last updated: Nov 24, 2020 09:35AM UTC

Hi Sangam, That is great! We do not have any information on creating custom scripts - you will need to do this yourself. In terms of integrating with Selenium, you can find out further information below to help you get started:
- https://portswigger.net/support/using-burp-with-selenium
