Browser Powered Session Handler #256
Description
Extension URL
https://github.com/frisch-raphael/browser-powered-session-handler/tree/main
Version number
0.0.1
Select additional compatible products and features
- Community
- DAST
- Burp AI
Author display name
Raphaël FRISCH
Contact details (optional)
Discord username (optional)
No response
I confirm that the following is true:
- I have permission from all relevant persons to submit this extension to the BApp Store for public use, under the terms and conditions of the EULA.
- I have read and understood the submission requirements for the BApp Store.
Extension overview
The extension keeps authenticated requests working in Burp by obtaining tokens through a real browser, then injecting the token into outgoing requests (header or cookie mode).
The external browser is called through an API, configurable in the API tab. It has a dual cache system (one cache local to the extension, one to the API) to limit how much this browser is called.
It uses an embedded API so that external scriptable extensions (eg hackvertor) can launch browser powered authentication.
Key features
- It can launch an automated browser powered login journey (redirects, forms, waits, clicks). This journey is created through an intuitive UI
- It can refresh tokens on a schedule
- It can detect session loss and recover automatically
- Configurations can be saved and loaded
- It keeps cache layers to avoid unnecessary re-logins, so that the external browser is not launched too many times
- With Hackvertor installed, it can create self-refreshing token tags
Here's an example on using this extension to assess whether a protected endpoint is reachable by low privilege users:
README_hackvertor_tags.mp4
Usage instructions
Configuration for automatic session recovery:
- If not done yet, install and start the API from the "API" tab.
- Browser orchestration: enter the login URL and configure the steps
- Token configuration: indicate where the token appears when authenticating.
- Session lost detection: choose how and wether logout is detected.
- Scope: self explanatory I guess.
- Ensure the extension is set to "Enabled"
Here's a saved file to test against demo.testfire.net. Just load the file and it will configure everything to make an authentication to https://demo.testfire.net/login.jsp
Example of using it against the test app in the ./test dir:
README_simple_authent.mp4
Creating self refreshing token tags
- Install Hackvertor.
- Configure your authentication in Browser Powered Session Handler.
- Click
Copy hackvertor tag. - In Burp top menu, click
Hackvertor. - Click
Create custom tag. - Set
Tag name - Select language
Python. - Paste the copied code in the code box.
- Press
Create tag
README_hackvertor_tag.mp4
Template identifier (Internal use only - please ignore)
- template:01-submit-extension