
v1.0.0 - LeHack Release



@psyray psyray released this 26 Jun 13:57
9a0cfc8

🚀 JWT AutoRenew & Multi-User Handler – Burp Suite Extension

A powerful Burp Suite extension for seamless JWT renewal and advanced multi-user session handling.


✨ Features

  • 🔄 Automatic JWT Renewal
    Detects expired JWT tokens in outgoing requests and uses the refresh token to obtain a new JWT via a configurable renewal URL. No more 401 errors during scans or manual testing!

  • 👥 Multi-User Support
    Extracts a user identifier (configurable, e.g., username) from the JWT payload and stores JWT/refresh tokens per user in Burp’s cookie jar. Effortlessly manage multiple users in parallel.

  • 🛠️ Session Handling Rules Integration
    Fully compatible with Burp Suite’s Session Handling Rules. Works with all Burp tools (Scanner, Repeater, Intruder, Proxy, etc.).

  • 🕵️‍♂️ Authorization Testing (with Auth Analyzer)
    Combine with Auth Analyzer to test vertical and horizontal authorization:

    • Configure several users (authenticated and unauthenticated) in Auth Analyzer.
    • The extension manages and renews tokens for each user automatically.
    • As an admin, navigate the application to collect admin-level tokens.
    • Replay requests as different users to verify access controls and ensure only authorized users can access sensitive resources.

  • 🕰️ Automatic Proxy History Analysis
    On startup, analyzes Burp’s proxy history to detect and store existing tokens for each user.

  • 🍪 Advanced Cookie Management
    Create, update, delete, and retrieve custom cookies for each user.

  • ⚙️ Highly Configurable

    • Customizable JWT and refresh token variable names
    • Custom cookie domain
    • Custom authorization header name (e.g., Bearer ...)
    • Custom JWT payload key for user identification
    • Custom token renewal URL
    • Debug mode for detailed logging

  • 🖥️ User-Friendly GUI

    • Dedicated Burp Suite tab
    • Configuration fields for all parameters
    • Real-time log area with autoscroll and line limit
    • Apply button for configuration changes
    • Status messages and debug information

  • 🐞 Advanced Debugging
    Enable debug mode to display detailed logs of all internal operations and error reporting.

  • 🌗 Theme Support
    Automatically adjusts interface and log colors for Burp Suite’s dark or light theme.
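
To make the renewal and per-user storage behaviour described above concrete, here is an added stand-alone Python 3 sketch. It is not the extension's own code (the release does not ship source here) and it does not run inside Burp: the `TokenStore`, `is_expired` and `jwt_payload` names are assumed, the `renew` callable stands in for the HTTP request to the configurable renewal URL, and an in-memory dict stands in for Burp's cookie jar. Sample tokens are constructed locally with a throwaway HMAC key so the whole thing runs offline.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data):
    # JWT segments are base64url with the '=' padding stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    # Restore the padding that JWT encoding strips before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def make_hs256_jwt(payload, key):
    """Build a signed HS256 token. Used here only to construct sample tokens
    (constructed data); a real application issues these server-side."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def jwt_payload(token):
    """Decode the payload of a compact-serialised JWT without verifying it.
    The client only needs 'exp' and the user claim to decide when to renew;
    signature verification remains the server's responsibility."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[1]))


def is_expired(token, now=None, skew=30):
    """True when the 'exp' claim is within `skew` seconds of `now`.
    Renewing slightly early avoids racing the server's own expiry check.
    A token without 'exp' is treated as not expired: nothing can be inferred."""
    now = time.time() if now is None else now
    exp = jwt_payload(token).get("exp")
    if exp is None:
        return False
    return now + skew >= exp


class TokenStore:
    """Per-user JWT/refresh-token store keyed on a configurable payload claim
    (assumed name; stands in for the extension's use of Burp's cookie jar)."""

    def __init__(self, user_key="username"):
        self.user_key = user_key
        self._tokens = {}  # user id -> {"jwt": ..., "refresh": ...}

    def record(self, jwt, refresh):
        """Store a token pair under the user found in the JWT payload."""
        user = jwt_payload(jwt).get(self.user_key)
        if user is None:
            raise KeyError("JWT payload has no %r claim" % self.user_key)
        self._tokens[user] = {"jwt": jwt, "refresh": refresh}
        return user

    def users(self):
        return sorted(self._tokens)

    def refresh_token(self, user):
        return self._tokens[user]["refresh"]

    def current_jwt(self, user, renew, now=None):
        """Return a usable JWT for `user`, calling `renew(refresh_token)` first
        if the stored one is expired. `renew` stands in for the HTTP call to
        the renewal URL and must return (new_jwt, new_refresh_or_None)."""
        entry = self._tokens[user]
        if is_expired(entry["jwt"], now):
            new_jwt, new_refresh = renew(entry["refresh"])
            if jwt_payload(new_jwt).get(self.user_key) != user:
                # A renewal endpoint must not hand back another user's token;
                # refuse to overwrite the store if it does.
                raise ValueError("renewed JWT belongs to a different user")
            entry["jwt"] = new_jwt
            if new_refresh:
                entry["refresh"] = new_refresh
        return entry["jwt"]

    def authorization_header(self, user, renew, scheme="Bearer", now=None):
        """Build the Authorization header value for an outgoing request."""
        return scheme + " " + self.current_jwt(user, renew, now)
```

Two points a practitioner would want from this sketch: the payload is read without verifying the signature, because the client is only deciding when to refresh and cannot be the authority on validity; and the user claim of the renewed token is compared against the store key before it is written, so a misbehaving or misconfigured renewal endpoint cannot silently swap one tester's identity for another's.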


🔮 Future Enhancements

  • Headless Browser Auto-Login:
    Integration with headless browser login (see jwt_4B_Chrome_Headless_AutoLogin.py) is planned for future releases, to automate initial authentication and token retrieval.

📜 License

GPL v3 – feel free to use this project for your security needs.


Happy pentesting! 🦾