Blog | G5 Cyber Security

Burp Suite 2: Auto-Refresh Tokens

TL;DR

This guide shows how to keep an expiring bearer token fresh inside Burp Suite 2 with a small Python extension written against the Burp Extender API (Python extensions run inside Burp under Jython). It is useful when an application's access tokens expire after a minute or two and would otherwise force constant manual re-authentication in Repeater, Intruder and Scanner.

Prerequisites

  1. Burp Suite 2 (Community or Professional).
  2. The Jython standalone JAR, which Burp uses to run Python extensions (Python 2.7 syntax).
  3. An application whose token endpoint accepts an OAuth2-style password grant for the first login and a refresh_token grant afterwards, or an equivalent pair of requests you can adapt the script to.

Step 1: Configure Burp's Python Environment

Burp does not run extensions with your system Python, and there is no pip package for the Extender API: Python extensions run on Jython inside Burp's JVM. Download the Jython standalone JAR, then in Burp go to Extender > Options > Python Environment and select the JAR. Jython cannot import CPython packages such as requests, so the script below sends its own token requests through Burp's makeHttpRequest API instead.

Step 2: Write the Python Script

Create a new Python file (e.g., auto_refresh.py) and paste in the following script. It uses Python 2.7 syntax because Jython requires it, registers itself as an HTTP listener, and issues its token requests through Burp's own HTTP stack. You will need to adapt the login and refresh payloads to your application's token endpoint.

# Runs inside Burp under Jython (Python 2.7 syntax): no f-strings and no
# `requests`; outbound HTTP goes through Burp's own stack via makeHttpRequest.
from burp import IBurpExtender, IHttpListener
from java.net import URL
import json
import threading
import time


class BurpExtender(IBurpExtender, IHttpListener):
    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Auto-Refresh Tokens")

        # Replace with your token endpoint and credentials.
        self._refresh_url = "https://your-application.com/token/refresh"
        self._client_id = "your_client_id"
        self._client_secret = "your_client_secret"
        self._username = "your_username"
        self._password = "your_password"

        # Only requests to this host get their Authorization header rewritten.
        self._target_host = URL(self._refresh_url).getHost()

        self._lock = threading.Lock()
        self._access_token = None
        self._refresh_token = None
        self._expires_in = 60  # seconds; overwritten from the token response if present

        # Initial login (replace with your application's login flow).
        try:
            self._store_tokens(self._post_form({
                "grant_type": "password",
                "username": self._username,
                "password": self._password,
                "client_id": self._client_id,
                "client_secret": self._client_secret,
            }))
        except Exception as e:
            callbacks.printError("Failed to retrieve initial token: %s" % e)
            return

        # Refresh in a daemon thread so the extension can be unloaded cleanly.
        t = threading.Thread(target=self._refresh_loop)
        t.setDaemon(True)
        t.start()

        # Without this registration processHttpMessage is never called.
        callbacks.registerHttpListener(self)

    def _post_form(self, form):
        """POST a URL-encoded form to the token endpoint through Burp; return the decoded JSON body."""
        url = URL(self._refresh_url)
        https = url.getProtocol() == "https"
        port = url.getPort() if url.getPort() != -1 else (443 if https else 80)
        path = url.getPath() or "/"
        body = "&".join("%s=%s" % (self._helpers.urlEncode(k), self._helpers.urlEncode(v))
                        for k, v in form.items())
        headers = [
            "POST %s HTTP/1.1" % path,
            "Host: %s" % url.getHost(),
            "Content-Type: application/x-www-form-urlencoded",
            "Accept: application/json",
        ]
        # buildHttpMessage adds the Content-Length header for us.
        request = self._helpers.buildHttpMessage(headers, self._helpers.stringToBytes(body))
        service = self._helpers.buildHttpService(url.getHost(), port, https)
        response = self._callbacks.makeHttpRequest(service, request).getResponse()
        if response is None:
            raise IOError("no response from token endpoint")
        info = self._helpers.analyzeResponse(response)
        if info.getStatusCode() != 200:
            raise IOError("token endpoint returned HTTP %d" % info.getStatusCode())
        return json.loads(self._helpers.bytesToString(response[info.getBodyOffset():]))

    def _store_tokens(self, data):
        """Record the access token, the refresh token (servers may rotate it) and its lifetime."""
        with self._lock:
            self._access_token = data["access_token"]
            # Keep the previous refresh token if the server does not issue a new one.
            self._refresh_token = data.get("refresh_token", self._refresh_token)
            self._expires_in = int(data.get("expires_in", self._expires_in))

    def _refresh_loop(self):
        while True:
            # Refresh shortly before expiry; never sleep under 10 s so the endpoint is not hammered.
            time.sleep(max(10, self._expires_in - 30))
            try:
                # The refresh grant takes the refresh token, not the access token.
                self._store_tokens(self._post_form({
                    "grant_type": "refresh_token",
                    "refresh_token": self._refresh_token,
                    "client_id": self._client_id,
                    "client_secret": self._client_secret,
                }))
                self._callbacks.printOutput("Token refreshed successfully.")
            except Exception as e:
                self._callbacks.printError("Error refreshing token: %s" % e)

    def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):
        # Skip responses, and skip the extension's own token requests (sent as TOOL_EXTENDER),
        # otherwise the listener would rewrite the login request it is issuing.
        if not messageIsRequest or toolFlag == self._callbacks.TOOL_EXTENDER:
            return
        if messageInfo.getHttpService().getHost() != self._target_host:
            return
        with self._lock:
            token = self._access_token
        if token is None:
            return
        request = messageInfo.getRequest()
        info = self._helpers.analyzeRequest(request)
        # Headers come back as plain strings; drop any existing Authorization header and
        # always set the current bearer token (a stale "Bearer ..." value must be replaced too).
        headers = [h for h in info.getHeaders() if not h.lower().startswith("authorization:")]
        headers.append("Authorization: Bearer " + token)
        messageInfo.setRequest(self._helpers.buildHttpMessage(headers, request[info.getBodyOffset():]))

Important: Replace the placeholder values for refresh_url, client_id, client_secret, username and password with your application's actual values, and adapt the login and refresh payloads to how your application issues tokens (the script assumes the same endpoint handles both the password and refresh_token grants; split it if yours does not). The credentials sit in cleartext in the script and the tokens pass through Burp's HTTP history, so keep the file out of shared repositories and use a dedicated test account rather than a personal one.
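The refresh logic above is hard to exercise outside Burp, so here is the same token lifecycle as an added, stand-alone example that is not part of the original post and not PortSwigger code: a TokenClient that logs in with the password grant, refreshes with the refresh token (not the access token) shortly before expiry, and survives refresh-token rotation, driven against a constructed in-memory stand-in for the token endpoint. The client_id "cid", secret "csecret", user "alice"/"pw" and the token strings are assumptions of this example only.

```python
"""Token refresh lifecycle, testable outside Burp (added example, not the post's code)."""
import time


class FakeTokenServer:
    """Constructed stand-in for an OAuth2 token endpoint that rotates refresh tokens."""

    def __init__(self, lifetime=60):
        self.lifetime = lifetime
        self._counter = 0
        self._valid_refresh = set()

    def _issue(self):
        self._counter += 1
        refresh = "r%d" % self._counter
        self._valid_refresh.add(refresh)
        return {"access_token": "a%d" % self._counter,
                "refresh_token": refresh,
                "expires_in": self.lifetime}

    def post(self, form):
        """Accepts the same form fields the Burp script sends; raises on an error response."""
        if form.get("client_id") != "cid" or form.get("client_secret") != "csecret":
            raise RuntimeError("HTTP 401: invalid_client")
        grant = form.get("grant_type")
        if grant == "password":
            if (form.get("username"), form.get("password")) != ("alice", "pw"):
                raise RuntimeError("HTTP 400: invalid_grant")
            return self._issue()
        if grant == "refresh_token":
            token = form.get("refresh_token")
            if token not in self._valid_refresh:
                raise RuntimeError("HTTP 400: invalid_grant")
            self._valid_refresh.discard(token)  # one-time use: the server rotates it
            return self._issue()
        raise RuntimeError("HTTP 400: unsupported_grant_type")


class TokenClient:
    """Holds the current tokens and refreshes with the refresh token before expiry."""

    def __init__(self, post, client_id, client_secret, clock=time.time, margin=30):
        self._post = post            # callable(form_dict) -> decoded JSON dict
        self._client_id = client_id
        self._client_secret = client_secret
        self._clock = clock
        self._margin = margin        # refresh this many seconds before expiry
        self.access_token = None
        self.refresh_token = None
        self.expires_at = 0

    def _store(self, data):
        self.access_token = data["access_token"]
        # Keep the old refresh token if the server does not rotate it.
        self.refresh_token = data.get("refresh_token", self.refresh_token)
        self.expires_at = self._clock() + int(data.get("expires_in", 60))

    def login(self, username, password):
        self._store(self._post({"grant_type": "password", "username": username,
                                "password": password, "client_id": self._client_id,
                                "client_secret": self._client_secret}))

    def refresh(self):
        # The refresh grant carries the refresh token, never the access token.
        self._store(self._post({"grant_type": "refresh_token",
                                "refresh_token": self.refresh_token,
                                "client_id": self._client_id,
                                "client_secret": self._client_secret}))

    def needs_refresh(self):
        return self._clock() >= self.expires_at - self._margin

    def authorization_header(self):
        """Value to put on the outgoing request, refreshing first if the token is near expiry."""
        if self.needs_refresh():
            self.refresh()
        return "Authorization: Bearer " + self.access_token


def demo():
    """Drive the client with a controllable clock; returns the header values seen over time."""
    now = [1000.0]
    server = FakeTokenServer(lifetime=60)
    client = TokenClient(server.post, "cid", "csecret", clock=lambda: now[0], margin=30)
    client.login("alice", "pw")
    trace = [client.authorization_header()]       # fresh token a1
    now[0] += 20
    trace.append(client.authorization_header())   # 40 s left, above the margin: still a1
    now[0] += 15
    trace.append(client.authorization_header())   # 25 s left, below the margin: refreshed to a2
    try:
        server.post({"grant_type": "refresh_token", "refresh_token": "r1",
                     "client_id": "cid", "client_secret": "csecret"})
        trace.append("stale refresh accepted")
    except RuntimeError as e:
        trace.append("stale refresh rejected: %s" % e)  # r1 was rotated out
    return trace


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two points carry over to the Burp script: the client must always send the latest refresh token it was issued, because a rotating server rejects the previous one, and the refresh should fire a margin before expires_in elapses rather than on a fixed timer, so a request sent just before expiry never goes out with a token that dies in flight.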

Step 3: Load the Extension in Burp Suite

  1. In Burp Suite, go to Extender > Extensions.
  2. Click Add.
  3. Set Extension type to Python and select your script (auto_refresh.py), then click Next.
  4. Ensure the extension is checked (loaded) in the extensions list, and check its Output and Errors tabs: the initial login runs at load time, so an error there means the token endpoint or credentials need fixing before anything else will work.

Step 4: Test the Extension

Send a request to your application from Repeater. The listener replaces the Authorization header with the current bearer token on every request to the target host, whichever tool sends it, so a request that arrives with a stale token is still rewritten. Confirm in Repeater's request pane after sending (or in the Proxy's HTTP history for proxied traffic) that the header carries the current token, then wait past the token's lifetime and send again; the extension's Output tab should show "Token refreshed successfully." and the header should now carry a different token.

Troubleshooting

  1. The extension fails to load with an error about the Python environment: the Jython standalone JAR has not been set under Extender > Options > Python Environment.
  2. Nothing is printed and headers are not rewritten: open the extension's Errors tab; a traceback there usually means a Python 3 construct (f-strings, print as a function) or an import Jython cannot satisfy, such as requests.
  3. "Failed to retrieve initial token" or "Error refreshing token" with an HTTP 400 or 401: replay the token request in Repeater to see the endpoint's error body, and check the grant_type, client credentials and whether the endpoint expects the refresh token in a different field.
  4. Requests are rewritten with an old token: the server may rotate refresh tokens and has rejected the one the script still holds; reload the extension to log in again and keep the refresh interval below the token lifetime.
