Burp Suite User Forum


Help with Custom Extension / Macro Involving Auth Tokens in URL

Jared | Last updated: Aug 18, 2023 08:32PM UTC

I am trying to perform some automated scans of a web application that utilizes a JWT in the URL, which has an expiration date of 10 minutes. The JWT always appears at the end: /api/v2/fakeendpoint/<JWT>

I have seen similar articles where people have done this when the JWT is passed via headers and have attempted to base my solution off of some of those examples. I am utilizing a Session Handling rule to validate the session based on current request. If the response body contains 401 Unauthorized, then a macro is invoked to issue a request to the auth endpoint. After the macro, my extension gets called. In my extension, I am able to parse out the JWT from the macro response and build a new URL, but then I am stuck.

In the examples I have seen where others have done something similar when the JWT is passed via a header, they call:

```python
# Build request with bypass headers
message = self.helpers.buildHttpMessage(headers, req_body)
# Update Request with New Header
currentRequest.setRequest(message)
```

where headers and req_body are updated as needed. In my case, I cannot do something like currentRequest.setUrl(). I have tried to build a completely new request but have also failed at doing that.
Here is my current performAction() function:

```python
# Imports needed at the top of the extension module
import json
import re
from java.net import URL

def performAction(self, currentRequest, macroItems):
    # Split the request being handled into headers and body
    request_info = self.helpers.analyzeRequest(currentRequest)
    headers = request_info.getHeaders()
    req_body = currentRequest.getRequest()[request_info.getBodyOffset():]

    # Extract the Bearer token from the macro response
    macro_response_info = self.helpers.analyzeResponse(macroItems[0].getResponse())
    macro_msg = macroItems[0].getResponse()
    resp_body = macro_msg[macro_response_info.getBodyOffset():]
    macro_body_string = self.helpers.bytesToString(resp_body)
    bearer_token = json.loads(macro_body_string)
    bearer = "/" + bearer_token["accessToken"]

    req_url = request_info.getUrl()
    self.stdout.println("Original: ")
    self.stdout.println(req_url)

    # Replace the expired JWT path segment with the fresh one
    jwt_pattern = r"/eyJ[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_.+/=]*"
    url_with_replaced_jwt = re.sub(jwt_pattern, bearer, str(req_url))
    self.stdout.println("Updated: ")
    self.stdout.println(url_with_replaced_jwt)

    # The new URL is built here but never applied to currentRequest
    java_url = URL(url_with_replaced_jwt)
    return
```

Hannah, PortSwigger Agent | Last updated: Aug 21, 2023 01:28PM UTC

Hi,

It looks like you are using our legacy Extender API. We'd recommend using the newer Montoya API for extension development, as it's easier to use and has additional functionality over the old API. Unfortunately, you cannot use Python with the Montoya API; it is just for Java.

When you say you are trying to provide your auth token in the URL, is this as a query parameter or part of the path? For example, in the format "https://portswigger-labs.net/JWT_TOKEN_HERE" or "https://portswigger-labs.net?token=JWT_TOKEN_HERE".
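An added example, not part of either post and not PortSwigger's code: in the legacy Extender API the first entry returned by getHeaders() is the request line, so a JWT in the URL can be swapped there and the request rebuilt with the buildHttpMessage()/setRequest() calls quoted in the question. It goes beyond the path case to also cover the query-parameter form; the function name, the `token` parameter name (taken from the example URL in the reply) and the sample values are assumptions.

```python
import re

# A JWT is three base64url segments; a JSON header always encodes to "eyJ...".
JWT = r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*"
PATH_JWT = re.compile(r"(?<=/)" + JWT + r"(?=$|[/?#])")            # /path/<JWT>
QUERY_JWT = re.compile(r"(?<=[?&]token=)" + JWT + r"(?=$|[&#])")   # ?token=<JWT>


def swap_jwt_in_request_line(headers, new_token):
    """Return (new_headers, changed); only headers[0] is ever rewritten."""
    # Refuse anything that is not shaped like a JWT, so a malformed auth
    # response cannot smuggle spaces or CR/LF into the request line.
    if not re.match(JWT + r"\Z", new_token):
        raise ValueError("macro response did not contain a well-formed JWT")
    headers = list(headers)
    parts = headers[0].split(" ")
    if len(parts) != 3:                      # not "METHOD target HTTP/x.y"
        return headers, False
    method, target, version = parts
    target, count = PATH_JWT.subn(lambda m: new_token, target, count=1)
    if count == 0:                           # fall back to ?token=<JWT>
        target, count = QUERY_JWT.subn(lambda m: new_token, target, count=1)
    headers[0] = " ".join([method, target, version])
    return headers, count > 0


# Constructed sample values (not real tokens or hosts).
OLD = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJvbGQifQ.c2lnLW9sZA"
NEW = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuZXcifQ.c2lnLW5ldw"
SAMPLE = ["GET /api/v2/fakeendpoint/" + OLD + " HTTP/1.1", "Host: app.example"]

# In performAction(), with the legacy Extender calls quoted in the question:
#   headers, changed = swap_jwt_in_request_line(request_info.getHeaders(), token)
#   if changed:
#       currentRequest.setRequest(self.helpers.buildHttpMessage(headers, req_body))

if __name__ == "__main__":
    print(swap_jwt_in_request_line(SAMPLE, NEW)[0][0])
```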
