During a pentest, we came across a scenario where the application was sending a token in each response that had to be used in the next request, so that it could prevent request replay. On top of that, we couldn't use macros to send requests for tokens due to limitations.
To overcome this challenge, we developed SRePlay, a Burp plugin to bypass replay protection. It extracts the value of the token from the last response and automatically updates future requests with the new token on the fly, resulting in a Request Replay Protection bypass.
For this demo, we'll be using the SRePlay Demo App (thanks to M. Zeeshan), in which we have implemented simple replay protection by sending a token in the response for the next request.
Requirements and Setup
SRePlay - Download latest build from GitHub Release
Apache / XAMPP / LAMPP to run the PHP demo code. I am using the xampp Docker image, and the setup is as follows:
    # Pull the xampp Docker image
    $ docker pull tomsik68/xampp
    # Run the Docker container with the PHP demo code (~/Demo/SRePlay is the demo app)
    $ docker run --name myXampp -p 41061:22 -p 41062:80 -d -v ~/Demo/SRePlay:/www tomsik68/xampp
With this setup, we can access the web app in a browser at http://localhost:41062/www/.
Original Request and Response
In this case, the application sends a token in the response, which is used in the next request to perform a search operation at the backend, and the application expires the token once it has been used. If we send a request with the same old token, the application will throw an Invalid Token error.
Now, let's observe this request in Repeater: we can't repeat the request until we update the token from the last response.
The SRePlay configuration is as follows:
Host URL, which is
http://localhost:41062/www/ in our case
Response parameter name to extract the new token, i.e.
Request parameter name to replace a new token, i.e.
Parameter Initial Value from the last response, i.e.
SRePlay in Action
Now that we have started SRePlay with the required info and selected all Burp tools (Repeater, Intruder and Scanner), we can repeat requests in Repeater, Intruder and Scanner. For Intruder and Scanner, however, we have to use a single thread at a time.
Likewise, we can brute force or scan parameters on this request using Intruder too.
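The token handling described above, and the reason Intruder and Scanner need a single thread, shown as an added Python example that is neither SRePlay's code nor the demo app's. The `token=` response format, the class names and the search queries are assumptions made for illustration.

```python
import re
import secrets

TOKEN_RE = re.compile(r"token=([0-9a-f]+)")  # assumed response format


class DemoApp:
    """Constructed stand-in for the demo app: one valid token at a time."""

    def __init__(self):
        self.valid = secrets.token_hex(8)  # token from the "last response"

    def search(self, query, token):
        if not secrets.compare_digest(token, self.valid):
            return 403, "Invalid Token"
        self.valid = secrets.token_hex(8)  # the used token expires here
        return 200, f"results for {query}; token={self.valid}"


class TokenTracker:
    """Keeps the newest token and puts it into the next request."""

    def __init__(self, initial_value):
        self.current = initial_value

    def send(self, app, query):
        status, body = app.search(query, self.current)
        match = TOKEN_RE.search(body)
        if match:  # an error body carries no token; keep the old one
            self.current = match.group(1)
        return status


def run_scenarios():
    app = DemoApp()
    first = app.valid
    tracker = TokenTracker(initial_value=first)
    chained = [tracker.send(app, q) for q in ("a", "b", "c")]
    replayed, _ = app.search("a", first)  # plain replay of the first request
    # Two requests built before either response arrives share one token,
    # which is what happens with more than one Intruder/Scanner thread.
    shared = tracker.current
    parallel = [app.search(q, shared)[0] for q in ("d", "e")]
    return chained, replayed, parallel


if __name__ == "__main__":
    print(run_scenarios())
```

The scheme rejects a verbatim replay but accepts any client that reads each response before sending the next request, so on the defensive side it should not be counted as a rate limit or anti-automation control.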