TL;DR
This guide shows you how to automatically refresh your authentication token in Burp Suite 2 using a Python script and the Burp Extender API. This is useful for applications where tokens expire quickly, preventing constant manual re-authentication.
Prerequisites
- Burp Suite Professional (the Extender API isn’t available in Community Edition).
- Python 3 installed.
- Basic understanding of Python scripting.
- The application you are testing uses a token-based authentication system.
Step 1: Install the Burp Suite Python API
Open your terminal or command prompt and install the necessary package:
pip install burpsuite
Step 2: Write the Python Script
Create a new Python file (e.g., auto_refresh.py) and paste in the following script. You’ll need to modify this based on your application’s specific token refresh process.
# This extension runs inside Burp's bundled Jython interpreter (Python 2.7
# syntax), so it avoids Python 3-only features such as f-strings. Jython does
# not bundle 'requests': add a folder containing it under
# Extender > Options > Python Environment ("Folder for loading modules").
from burp import IBurpExtender, IHttpListener, IExtensionStateListener
from java.net import URL
import threading
import time
import requests


class BurpExtender(IBurpExtender, IHttpListener, IExtensionStateListener):
    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Auto token refresh")

        # Replace with your token refresh endpoint and credentials
        self.refresh_url = "https://your-application.com/token/refresh"
        self.client_id = "your_client_id"
        self.client_secret = "your_client_secret"
        self.username = "your_username"
        self.password = "your_password"
        # Only requests to this host receive the token, so it is never sent elsewhere
        self.target_host = URL(self.refresh_url).getHost()

        # The access token goes into requests; the refresh token is only ever
        # sent to the refresh endpoint, so the two are kept apart.
        self.token = None
        self.refresh_token = None
        self._running = True

        # Initial token retrieval (replace with your initial login logic)
        if not self.get_initial_token():
            print("Failed to retrieve initial token.")
            return

        # Without this registration processHttpMessage is never called
        callbacks.registerHttpListener(self)
        callbacks.registerExtensionStateListener(self)

        # Start the refresh loop in a daemon thread so it cannot keep Burp alive
        worker = threading.Thread(target=self.refresh_loop)
        worker.setDaemon(True)
        worker.start()

    def extensionUnloaded(self):
        # Stop the refresh loop when the extension is removed or Burp exits
        self._running = False

    def _store_tokens(self, data):
        self.token = data["access_token"]
        # Servers that rotate refresh tokens return a new one; keep the old one otherwise
        self.refresh_token = data.get("refresh_token", self.refresh_token)

    def get_initial_token(self):
        try:
            payload = {
                "grant_type": "password",
                "username": self.username,
                "password": self.password,
                "client_id": self.client_id,
                "client_secret": self.client_secret,
            }
            response = requests.post(self.refresh_url, data=payload, timeout=10)
            response.raise_for_status()
            self._store_tokens(response.json())
            return True
        except Exception as e:
            print("Error getting initial token: %s" % e)
            return False

    def refresh_loop(self):
        while self._running:
            try:
                # Token refresh logic (replace with your application's process)
                payload = {
                    "grant_type": "refresh_token",
                    "refresh_token": self.refresh_token,
                    "client_id": self.client_id,
                    "client_secret": self.client_secret,
                }
                response = requests.post(self.refresh_url, data=payload, timeout=10)
                response.raise_for_status()
                self._store_tokens(response.json())
                print("Token refreshed successfully.")
            except Exception as e:
                print("Error refreshing token: %s" % e)
            time.sleep(60)  # Refresh every 60 seconds (adjust as needed)

    def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):
        # Only rewrite outgoing requests to the target host, once a token exists
        if not messageIsRequest or self.token is None:
            return
        if messageInfo.getHttpService().getHost() != self.target_host:
            return
        request = messageInfo.getRequest()
        info = self._helpers.analyzeRequest(request)
        # Burp hands back the headers as plain "Name: value" strings, with the
        # request line first; drop any existing Authorization header and
        # append one carrying the current token.
        headers = [h for h in info.getHeaders()
                   if not h.lower().startswith("authorization:")]
        headers.append("Authorization: Bearer %s" % self.token)
        body = request[info.getBodyOffset():]
        messageInfo.setRequest(self._helpers.buildHttpMessage(headers, body))
Important: Replace the placeholder values for refresh_url, client_id, client_secret, username and password with your application’s actual credentials. Also, adapt the token retrieval and refresh logic to match how your application works.
Step 3: Load the Extension in Burp Suite
- In Burp Suite, go to Extender.
- Click Add.
- Select your Python script (auto_refresh.py).
- Ensure the extension is checked and enabled.
Step 4: Test the Extension
Send requests to your application. The script will automatically add or update the Authorization header with the current token. Check Burp’s HTTP history to confirm that the header is being set correctly.
Troubleshooting
- Errors in Python Script: Check Burp’s Extender tab for any error messages printed by your script.
- Token Not Refreshing: Verify your token refresh endpoint and credentials are correct. Ensure the time.sleep() value is appropriate for your application’s token expiration time.
- Authorization Header Not Being Added: Double-check that the script’s logic correctly identifies requests that need the Authorization header added or updated.
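The two troubleshooting points above (a sleep interval that does not match the token lifetime, and the Authorization header not being rewritten as intended) can both be checked outside Burp. The following is an added example, not part of the original guide or of Burp's API: it runs under CPython 3 with the standard library only, assumes the access token is a JWT whose payload carries an exp claim (opaque tokens fall back to a fixed interval), and reproduces the header-list rewrite the extension performs on Burp's "Name: value" header strings so it can be unit-tested. The JWT built by make_unsigned_jwt is constructed test input with a dummy signature; nothing here verifies signatures, and the expiry is used only for scheduling, never for trusting claims.

```python
"""Stand-alone helpers (CPython 3, no Burp needed) for sizing the refresh
interval from a JWT's exp claim and for checking the Authorization rewrite."""
import base64
import json
import time


def jwt_expiry(token):
    """Return the 'exp' claim (seconds since epoch) of a JWT, or None.

    The signature is deliberately not verified: the client only needs the
    expiry to schedule a refresh and must not rely on any other claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    return int(exp) if isinstance(exp, (int, float)) else None


def refresh_interval(token, now=None, margin=30, fallback=60, minimum=5):
    """Seconds to sleep before the next refresh: 'margin' seconds before the
    token expires, never below 'minimum', and 'fallback' when the token has
    no usable expiry (opaque token or unparsable JWT)."""
    exp = jwt_expiry(token)
    if exp is None:
        return fallback
    now = time.time() if now is None else now
    return max(minimum, int(exp - now - margin))


def rewrite_authorization(headers, token):
    """Replace (or add) the Authorization header in a Burp-style header list,
    where headers[0] is the request line and the rest are 'Name: value'."""
    kept = [h for h in headers if not h.lower().startswith("authorization:")]
    kept.append("Authorization: Bearer %s" % token)
    return kept


def make_unsigned_jwt(claims):
    """Build a JWT-shaped string with a dummy signature (constructed test input only)."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return "%s.%s.%s" % (b64({"alg": "HS256", "typ": "JWT"}), b64(claims), "dummysig")


if __name__ == "__main__":
    # Constructed token expiring 300 s after a fixed "now"
    sample = make_unsigned_jwt({"sub": "tester", "exp": 1700000300})
    print("sleep before refresh:", refresh_interval(sample, now=1700000000))
    print(rewrite_authorization(["GET /api/me HTTP/1.1", "Host: your-application.com",
                                 "Authorization: Bearer old"], "new"))
```

Feeding refresh_interval the value returned by the refresh endpoint, instead of a hard-coded 60 seconds, keeps the sleep in step with whatever lifetime the server actually grants; the minimum floor prevents a tight retry loop when a token is already past its expiry.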