If you trust this JAR file:
- Open the Extender tab
- Select "Extensions"
- Select "Add" and pick the jar file from this repository
If you don't trust the jar file (and why should you), instructions on how to compile it are below.
Usage:
- Once installed, select the "Add Custom Header" tab and pick either a regular expression or a hard-coded value as shown below. Keep in mind the regular expression only makes sense when used together with a macro (it is applied to the macro's response), so try a hard-coded value first.
- The defaults are OK for a JWT-like "Bearer" token
- Select Project Options -> Sessions
- Add a Session Handling rule
- Name it and select "Add", "Invoke a Burp Extension"
- Make sure the scope is correct! If you're just trying this out, select 'include all URLs' in the scope (not recommended for regular use).
- Select the "Add Bearer Token" option from the list in the following screen
You're now ready to go.
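To make the "regular expression vs. hard-coded value" choice concrete, here is an added Python model of what the session-handling rule does (example code, not the extension's Java source): the regex runs over a constructed macro response from the mock server's /login, and the resulting token replaces any stale Authorization header before the request to /stuff is sent. The JSON field name "token", the capture-group regex and the sample values are assumptions.

```python
import re

# Constructed sample of what a session-handling macro would capture from
# POST /login on the mock server (sample data, not real project output).
MACRO_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"token": "eyJhbGciOiJIUzI1NiJ9.e30.c0nstructed"}'
)

# Constructed request that the rule rewrites before it reaches /stuff.
REQUEST = (
    "GET /stuff HTTP/1.1\r\n"
    "Host: 127.0.0.1:5000\r\n"
    "Authorization: Bearer stale-token\r\n"
    "\r\n"
)


def extract_token(macro_response, pattern=r'"token"\s*:\s*"([^"]+)"'):
    """Return capture group 1 of `pattern` in the macro response, or None."""
    m = re.search(pattern, macro_response)
    return m.group(1) if m else None


def set_header(request, name, value):
    """Replace (or add) header `name` in a raw HTTP/1.1 request, keeping the body."""
    head, _, body = request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    prefix = name.lower() + ":"
    # Drop every existing copy of the header (case-insensitive), then append ours.
    kept = [l for l in lines[1:] if not l.lower().startswith(prefix)]
    head = "\r\n".join([lines[0]] + kept + [f"{name}: {value}"])
    return head + "\r\n\r\n" + body


def apply_rule(request, macro_response=None, hard_coded=None,
               header="Authorization", prefix="Bearer "):
    """Model of the session-handling action: a hard-coded value wins;
    otherwise the token comes from the macro response via the regex."""
    token = hard_coded if hard_coded is not None else extract_token(macro_response or "")
    if token is None:
        return request  # regex did not match: leave the request untouched
    return set_header(request, header, prefix + token)
```

The "no match" branch is the case you hit when the rule is configured with a regex but no macro: nothing is captured, so no header is added.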
Run this to start a Python webserver on 127.0.0.1:5000:
FLASK_DEBUG=1 FLASK_APP=server.py flask run
The mock webserver will issue a "bearer token" on /login and echo back the bearer token received on /stuff.
See the following screenshots for examples of how to interact with the mock server.
POST to /login:
Using the token when accessing /stuff:
- Clone this repo
- Burp -> Extender -> APIs
- Select "Save interface files" from the bottom of the screen and select a temporary location (e.g. /tmp/foo)
- Copy all *.java files into the burp directory containing this repo source:
  cp /tmp/foo/burp/*.java burpAddCustomHeader/burp/
- Compile the source:
  cd burpAddCustomHeader
  mkdir build
  javac -d build burp/BurpExtender.java burp/BurpTab.java
- Create a JAR file:
  cd build
  jar cvf ../out.jar .
- Install the out.jar file into Burp
To design the GUI I've used Netbeans. The BurpTab.form file should be enough to recreate it.
LifeProTip: hold the CTRL key when selecting the checkbox in the "Extensions" tab in Burp if you want to re-load an extension.