Burp Suite User Forum


Edit macro programmatically to update request

diwou | Last updated: Aug 25, 2023 12:47PM UTC

Hi, I have a target that gives me 401 after some time and a number of tries. I have to re-authenticate every time, so I searched on Google and found a way to do it:

1. Add a rule to check session validity, looking for 401 in the headers.
2. If 401 is present, the session is invalid.
3. Create a macro to re-authenticate (.../sign-in).
4. Extract the new bearer and change it in the current request from Intruder.
5. 200 is returned.

BUT that target detects many sign-in POSTs and gives 429 (blocked/banned) if I abuse the sign-in path, because it's designed to use the /refresh path. And then my headache began. To re-authenticate using the refreshToken, I must change the macro's request content, replacing the token with the new one given when you post. So, actually, I can only refresh the token once, because the next token isn't updated in the macro. The only way I see to do it elegantly is to replace the macro request, but as far as I know, Burp only lets me change variables and headers in the current request being made from Intruder. I have been searching Google for editing macros programmatically, and read the Burp extension API, but I can't see any reference to macro editing. I sent an email to support@ and after 3 mails I was invited to post here. So, here I am.

1) Is there a way to update the requests in macros within Burp or from an extension?
2) I think this is a very normal scenario, so most likely you do something different to use refresh tokens and re-authenticate; so, how do you handle those cases?

Cheers.
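The pattern the post is reaching for (a refresh request whose body changes every time it runs) does not fit a static macro, but it fits a session handling action implemented in an extension, because the extension keeps state between invocations. The Java below is an added example, not code from the poster or from PortSwigger: a Montoya-API extension that registers a session handling action, keeps the current access/refresh token pair in memory, signs in once, refreshes on every later invocation with whatever refresh token was issued last, and rewrites the Authorization header of the request Burp is about to replay. The paths /sign-in and /refresh, the JSON bodies, the field names accessToken/refreshToken and the credentials are assumptions; the Montoya package and method names are those of the 2023 API as I know them and should be checked against the version you load.

```java
// Added example (not from the forum post or PortSwigger). Montoya-API session handling
// action that owns the token pair instead of relying on a macro with a fixed body.
// Assumed: endpoint paths, request body shapes, JSON field names and credentials.
package example;

import burp.api.montoya.BurpExtension;
import burp.api.montoya.MontoyaApi;
import burp.api.montoya.http.HttpService;
import burp.api.montoya.http.message.requests.HttpRequest;
import burp.api.montoya.http.message.responses.HttpResponse;
import burp.api.montoya.http.sessions.ActionResult;
import burp.api.montoya.http.sessions.SessionHandlingAction;
import burp.api.montoya.http.sessions.SessionHandlingActionData;

import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class RefreshTokenSessionAction implements BurpExtension, SessionHandlingAction {
    // Assumed target details; adjust to the real API.
    private static final String SIGN_IN_PATH = "/sign-in";
    private static final String REFRESH_PATH = "/refresh";
    private static final String SIGN_IN_BODY = "{\"username\":\"tester\",\"password\":\"secret\"}";
    private static final Pattern ACCESS_RE  = Pattern.compile("\"accessToken\"\\s*:\\s*\"([^\"]+)\"");
    private static final Pattern REFRESH_RE = Pattern.compile("\"refreshToken\"\\s*:\\s*\"([^\"]+)\"");

    private MontoyaApi api;
    private String accessToken;   // last access token issued to us
    private String refreshToken;  // single-use; rotated on every successful /refresh

    @Override
    public void initialize(MontoyaApi api) {
        this.api = api;
        api.extension().setName("Refresh-token session action (example)");
        api.http().registerSessionHandlingAction(this);
    }

    @Override
    public String name() {
        return "Refresh bearer token"; // listed under "Invoke a Burp extension" in the rule editor
    }

    // synchronized: several Intruder threads may see a 401 at once, and a single-use
    // refresh token can only be spent by one of them. The first caller refreshes; the
    // others find their request's bearer is already stale and only rewrite the header.
    @Override
    public synchronized ActionResult performAction(SessionHandlingActionData data) {
        HttpRequest request = data.request();
        String inRequest = bearerOf(request);
        boolean stale = inRequest != null && accessToken != null && !inRequest.equals(accessToken);

        if (!stale) {
            HttpService svc = request.httpService();
            // No refresh token yet: sign in exactly once. Otherwise refresh, and only if the
            // refresh itself is rejected (token expired or revoked) fall back to one sign-in.
            boolean ok = refreshToken == null
                    ? obtain(svc, SIGN_IN_PATH, SIGN_IN_BODY)
                    : obtain(svc, REFRESH_PATH, "{\"refreshToken\":\"" + refreshToken + "\"}")
                      || obtain(svc, SIGN_IN_PATH, SIGN_IN_BODY);
            if (!ok) {
                api.logging().logToError("could not obtain a token; passing request through unchanged");
                return ActionResult.actionResult(request); // Burp records the 401 as-is
            }
        }
        return ActionResult.actionResult(withBearer(request, accessToken));
    }

    // POST a JSON body to a token endpoint on the same host/port/TLS as the replayed
    // request and store the token pair found in the response. Returns false on failure.
    private boolean obtain(HttpService svc, String path, String body) {
        HttpRequest tokenReq = HttpRequest.httpRequest(svc,
                "POST " + path + " HTTP/1.1\r\nHost: " + svc.host()
              + "\r\nContent-Type: application/json\r\n\r\n")
            .withBody(body); // withBody also sets Content-Length
        HttpResponse resp = api.http().sendRequest(tokenReq).response();
        if (resp == null || resp.statusCode() != 200) {
            api.logging().logToError(path + " failed: " + (resp == null ? "no response" : resp.statusCode()));
            return false;
        }
        Matcher a = ACCESS_RE.matcher(resp.bodyToString());
        if (!a.find()) return false;
        accessToken = a.group(1);
        Matcher r = REFRESH_RE.matcher(resp.bodyToString());
        if (r.find()) refreshToken = r.group(1); // a server that does not rotate keeps the old one
        return true;
    }

    private static String bearerOf(HttpRequest request) {
        String h = request.headerValue("Authorization");
        return h != null && h.startsWith("Bearer ") ? h.substring(7) : null;
    }

    private static HttpRequest withBearer(HttpRequest request, String token) {
        return request.hasHeader("Authorization")
                ? request.withUpdatedHeader("Authorization", "Bearer " + token)
                : request.withAddedHeader("Authorization", "Bearer " + token);
    }
}
```

To wire it in, keep the session handling rule from step 1 (scope including Intruder, "Check session is valid" treating a 401 as invalid) but change the action taken on an invalid session from "Run a macro" to "Invoke a Burp extension" and pick "Refresh bearer token". The sign-in endpoint is then hit once per Burp session plus once per genuinely expired refresh token, which is what keeps the 429 away. Two things to check before trusting it on a real run: the regexes assume the token fields are top-level strings in a JSON body, and the 200 check assumes the endpoint does not return 200 with an error payload; if the target does either, parse the body properly and test the field you need.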

Michelle, PortSwigger Agent | Last updated: Aug 29, 2023 08:00AM UTC

Hi, we've just replied to your email. It would be good to get some more details of the actual requests and responses you're dealing with in this scenario so we can take a closer look at your options. So, if you could email us some screenshots, that would be great.
