PortSwigger/token-refresh

Bearer Token Refresh

Clean, simple and easy to use tool to manage short validity authorisation tokens.

The extension checks each response for an ‘expired token’ message; if one is present, it reaches out to the authorisation endpoint and requests a new token. All subsequent requests automatically use the new token instead of the expired one. Populate the required fields (shown below) and click ‘Start Token Refresher’ – that’s it!

There is a quick use tutorial video available here.

Bearer Token Refresh Quick Use Guide

Settings

These settings are set up for OAuth by default, but they can be tweaked for any header-based authorisation scheme, e.g. X-AUTH-USER : or ACCESS-TOKEN :

  • Access Token Regex - regex used to extract the token from the authentication endpoint's response
  • Bearer Token Error - regex that identifies, in a response, the error message returned when the token has expired
  • Authorisation Endpoint - the endpoint you call to get a new token
  • Authorisation Header - the request header that carries the current token
  • Replacement Header - header that replaces the Authorisation Header; the [TOKEN] placeholder marks where the new token is inserted

  • User Agent - user agent to send – useful when testing mobile endpoints
  • Content Type - sets the content type of the authentication request if required (some auth endpoints require JSON, for example)
  • Auth Data - data submitted to obtain a token – normally a username and password or another form of credentials
  • Is B64 - legacy. If you cannot copy and paste odd characters into the Auth Data box for some reason, you can base64 encode the request; ticking this box decodes it before it is sent

  • Enable Debugging - gives much more verbose output so you can troubleshoot regex queries or connection errors
  • Clear logs - clears the logs!

  • Start Token Refresher – starts the extension
  • In Scope Only : OFF - restricts actions to in-scope URLs only
  • Refresh Token – manually obtains a new token

Walkthrough using DVWS

We log on using our valid credentials.

Looking in Burp, this gives us most of the information that we require to set the tool up.

We have the Authorisation Endpoint and the data we need to send, and we can see that the token is returned to us as token : "data". So we can set this up in the tool.

We can test that this works by enabling the extension and manually refreshing the token.

As you can see, the new current token is displayed. In the event this doesn't work, you can enable debugging to try and troubleshoot the issue.

Server errors will always be displayed regardless of debugging status (invalid username or password for DVWS generates a 401 error).

Subsequent requests show the format in which the token is sent.

In this instance, we don't need to make any changes in the tool, but if the bearer token were sent using a different header (X-AUTH-USER for example), this is where we would change it - red denotes the header and green denotes the token. The tool requires [TOKEN] to be present so it knows where to insert the new token.

To simulate the token expiring, we are just going to remove it from our request and note the generated error.

In this instance, we pick JsonWebTokenError as a nice unique value to search for (using regex) in the response to indicate that the token is no longer valid (a genuinely expired token would produce a different error message, but this is for demonstration purposes). So we update that field in the tool, and we are good to go.

Now that the tool is fully configured, we run the Repeater request a second time; the tool automatically detects that the token is invalid and collects a new one for you. The output below is from the debugging window.

Based on https://github.com/t3hbb/OAuthRenew
Check for an expired bearer token and replace if required.

Remember to update any necessary details in the options above!
URL Requested :http://127.0.0.1:80/api/v2/notes
URL is in scope 
Processing Message 
URL Requested :http://127.0.0.1:80/api/v2/notes
URL is in scope 
Processing Message 
Response received
Bearer token expired - obtaining new one
Attempting to reach http://127.0.0.1/api/v2/login to re-authenticate

URL: http://127.0.0.1/api/v2/login
Headers sent: {'User-agent': u'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36'}
Body sent: username=user&password=user

Content received : {"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidXNlciIsInBlcm1pc3Npb25zIjpbInVzZXI6cmVhZCIsInVzZXI6d3JpdGUiXSwiaWF0IjoxNjYyNTQ5NzI1LCJleHAiOjE2NjI3MjI1MjUsImlzcyI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbm9vcHlzZWN1cml0eSJ9.CKtD0IFd67sgCNJ6yvbri566p8vH4oKqJWxS7OkIhC8","status":200,"result":{"admin":false,"_id":"63087ac4fc9d100020943f35","username":"user","password":"$2b$10$t7exJ4FimBZEqRTO1ECpzO7ZvAQmRK7ZV3H4f4HQzmxtSczrFq5i.","__v":0}}
Discovered response : token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidXNlciIsInBlcm1pc3Npb25zIjpbInVzZXI6cmVhZCIsInVzZXI6d3JpdGUiXSwiaWF0IjoxNjYyNTQ5NzI1LCJleHAiOjE2NjI3MjI1MjUsImlzcyI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbm9vcHlzZWN1cml0eSJ9.CKtD0IFd67sgCNJ6yvbri566p8vH4oKqJWxS7OkIhC8"
Extracted Token : eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidXNlciIsInBlcm1pc3Npb25zIjpbInVzZXI6cmVhZCIsInVzZXI6d3JpdGUiXSwiaWF0IjoxNjYyNTQ5NzI1LCJleHAiOjE2NjI3MjI1MjUsImlzcyI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbm9vcHlzZWN1cml0eSJ9.CKtD0IFd67sgCNJ6yvbri566p8vH4oKqJWxS7OkIhC8
New Bearer Token Acquired : ...eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidXNlciIsInBlcm1pc3Npb25zIjpbInVzZXI6cmVhZCIsInVzZXI6d3JpdGUiXSwiaWF0IjoxNjYyNTQ5NzI1LCJleHAiOjE2NjI3MjI1MjUsImlzcyI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbm9vcHlzZWN1cml0eSJ9.CKtD0IFd67sgCNJ6yvbri566p8vH4oKqJWxS7OkIhC8...
URL Requested :http://127.0.0.1:80/api/v2/notes
URL is in scope 
Processing Message 
Replacing Bearer Token with latest obtained
New headers to be transmitted : GET /api/v2/notes HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidXNlciIsInBlcm1pc3Npb25zIjpbInVzZXI6cmVhZCIsInVzZXI6d3JpdGUiXSwiaWF0IjoxNjYyNTQ5NzI1LCJleHAiOjE2NjI3MjI1MjUsImlzcyI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbm9vcHlzZWN1cml0eSJ9.CKtD0IFd67sgCNJ6yvbri566p8vH4oKqJWxS7OkIhC8
DNT: 1
Connection: close
Referer: http://127.0.0.1/notes.html
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

URL Requested :http://127.0.0.1:80/api/v2/notes
URL is in scope 
Processing Message 
Response received
Bearer token is valid

Now it has a new valid token, when the request is made, it is automatically updated and is successful.
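
To make the refresh loop concrete, here is an added example (not the extension's own code) in plain Python 3 that models the walkthrough above with its settings: spot the Bearer Token Error in a response, call the Authorisation Endpoint with the Auth Data, pull the token out with the Access Token Regex, and rewrite the Authorisation Header through the [TOKEN] placeholder. `fake_post` is a constructed stand-in for the DVWS login endpoint rather than Burp's HTTP API, and the token it returns is made up.

```python
import re

SETTINGS = {
    "access_token_regex": r'"token":"([^"]+)"',            # Access Token Regex
    "bearer_token_error": r"JsonWebTokenError",             # Bearer Token Error
    "auth_endpoint": "http://127.0.0.1/api/v2/login",       # Authorisation Endpoint
    "auth_header": "Authorization",                         # Authorisation Header
    "replacement_header": "Authorization: Bearer [TOKEN]",  # Replacement Header
    "auth_data": "username=user&password=user",             # Auth Data
}

def fake_post(url, body):
    # Constructed stand-in for the login endpoint; the token is made up.
    if url == SETTINGS["auth_endpoint"] and body == SETTINGS["auth_data"]:
        return '{"token":"new.jwt.value","status":200}'
    return '{"status":401,"message":"Invalid username or password"}'

class TokenRefresher:
    def __init__(self, settings, post=fake_post):
        self.s, self.post, self.token, self.log = settings, post, None, []

    def refresh(self):
        # Re-authenticate and pull the token out with the Access Token Regex.
        body = self.post(self.s["auth_endpoint"], self.s["auth_data"])
        m = re.search(self.s["access_token_regex"], body)
        if not m:  # server error (e.g. 401) or a regex that does not match
            raise ValueError("no token in auth response: %s" % body)
        self.token = m.group(1)
        self.log.append("New Bearer Token Acquired")
        return self.token

    def process_response(self, body):
        # Look for the Bearer Token Error; on a hit, fetch a fresh token.
        if re.search(self.s["bearer_token_error"], body):
            self.log.append("Bearer token expired - obtaining new one")
            self.refresh()
            return True
        self.log.append("Bearer token is valid")
        return False

    def process_request(self, headers):
        # Drop the old Authorisation Header (name match is case-insensitive)
        # and append the Replacement Header with the current token in place
        # of [TOKEN]. Before any refresh, requests pass through unchanged.
        if self.token is None:
            return list(headers)
        wanted = self.s["auth_header"].lower()
        kept = [h for h in headers if h.split(":", 1)[0].strip().lower() != wanted]
        return kept + [self.s["replacement_header"].replace("[TOKEN]", self.token)]
```

As the debug output above shows, the log records the Auth Data and the full token that were sent, so treat a debugging log as sensitive.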
