Background


During a pentest, we came across an application that returned a token in each response which then had to be sent with the next request, so that a captured request could not simply be replayed. On top of that, Burp's session-handling macros could not be used to fetch a fresh token in that setup because of its limitations.

To overcome this challenge, we developed SRePlay, a Burp plugin that bypasses this kind of replay protection: it extracts the token value from the last response and automatically updates the next request with the new token on the fly, so the request can be replayed despite the protection.

Demo Application


For this demo, we'll be using the SRePlay Demo App (thanks to M. Zeeshan), a simple PHP application that implements replay protection by sending a token in each response which must be presented in the next request.

Requirements and Setup


  • Burp Suite

  • SRePlay (download the latest build from the GitHub Release page)

  • Apache / XAMPP / LAMPP to run the PHP demo code. I am using the XAMPP Docker image; the setup is as follows:

    # Pull the XAMPP image
    $ docker pull tomsik68/xampp

    # Run the container with the PHP demo code (~/Demo/SRePlay is the demo app), exposing SSH on 41061 and HTTP on 41062
    $ docker run --name myXampp -p 41061:22 -p 41062:80 -d -v ~/Demo/SRePlay:/www tomsik68/xampp
    

    The demo app is then reachable in a browser at http://localhost:41062/www/.

Original Request and Response


In this case, the application returns a token in the response, and that token must be sent with the next request to perform the search operation at the backend; the application invalidates a token as soon as it has been used. If we send a request carrying an old token again, the application returns an Invalid Token error.

Now, let's observe this request in Repeater: the request cannot be repeated successfully until we replace the token with the one from the last response.

SRePlay Configuration


The SRePlay configuration is as follows:

  • Provide the Host URL, which is http://localhost:41062/www/ in our case
  • Provide the response parameter name from which the new token is extracted, i.e. token
  • Provide the request parameter name whose value is replaced with the new token, i.e. csrf_token
  • Provide the parameter's initial value, taken from the last response, i.e. MUZrNktvSHlGaGtUYU82bTNmbkMwbXZBUUlQSU9rajA=
  • Press Start SRePlay
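As an added illustration (not the plugin's own code, nor the demo app's PHP), the following Python simulates both sides of what the sections above describe: an in-memory stand-in for the demo app's replay protection, and a client that does what SRePlay is configured to do here, namely read `token` from the last response and write it into `csrf_token` of the next request. The server internals (a single current token rotated on every successful search, a `home()` endpoint that issues the first one), the JSON response shape and the `q` search field are assumptions made for this example; the real demo app's code is not on the page.

```python
import base64
import json
import re
import secrets
from typing import List, Optional
from urllib.parse import parse_qs, urlencode


class ReplayProtectedApp:
    """Constructed stand-in for the demo app (assumption, not its real PHP).

    Exactly one token is valid at a time. A successful search consumes it
    and hands out the next one in the response; reusing a token fails.
    """

    def __init__(self) -> None:
        self.current_token = self._new_token()

    @staticmethod
    def _new_token() -> str:
        # Random value shaped like the one in the post (base64 of 32 chars)
        return base64.b64encode(secrets.token_urlsafe(24).encode()).decode()

    def home(self) -> str:
        """GET /: the page that issues the first token (assumed endpoint)."""
        return json.dumps({"token": self.current_token})

    def search(self, body: str) -> str:
        """POST /search with a urlencoded body containing csrf_token and q."""
        params = parse_qs(body, keep_blank_values=True)
        presented = params.get("csrf_token", [""])[0]
        if presented != self.current_token:
            return json.dumps({"error": "Invalid Token"})
        # Token consumed: rotate it so the same request cannot be replayed
        self.current_token = self._new_token()
        query = params.get("q", [""])[0]
        return json.dumps({"result": "results for " + query,
                           "token": self.current_token})


def extract_token(response_body: str, response_param: str) -> Optional[str]:
    """Pull response_param's value out of a JSON or key=value response body."""
    pattern = re.compile(
        r'(?<!\w)["\']?%s["\']?\s*[:=]\s*["\']?([A-Za-z0-9+/=_-]+)'
        % re.escape(response_param)
    )
    match = pattern.search(response_body)
    return match.group(1) if match else None


def replace_param(request_body: str, request_param: str, new_value: str) -> str:
    """Rewrite one field of a urlencoded request body, keeping the others."""
    params = parse_qs(request_body, keep_blank_values=True)
    params[request_param] = [new_value]
    return urlencode(params, doseq=True)


class SRePlayChain:
    """Does what the plugin is configured to do in the post (assumed logic)."""

    def __init__(self, app, response_param, request_param, initial_value) -> None:
        self.app = app
        self.response_param = response_param
        self.request_param = request_param
        self.token = initial_value  # 'Parameter Initial Value' from the last response

    def send(self, request_body: str) -> str:
        # Inject the token harvested from the previous response before sending
        body = replace_param(request_body, self.request_param, self.token)
        response = self.app.search(body)
        # Harvest the token for the next request; keep the old one on an error
        new_token = extract_token(response, self.response_param)
        if new_token is not None:
            self.token = new_token
        return response


def _captured_request(app: ReplayProtectedApp) -> str:
    """One legitimate search request, as it would be captured in Burp (constructed)."""
    initial = extract_token(app.home(), "token")
    return urlencode({"csrf_token": initial, "q": "SRePlay"})


def naive_replay(times: int = 3) -> List[str]:
    """Resend the identical request: only the first attempt succeeds."""
    app = ReplayProtectedApp()
    request = _captured_request(app)
    return [json.loads(app.search(request)).get("error", "ok") for _ in range(times)]


def chained_replay(times: int = 3) -> List[str]:
    """Resend through the token chain: every attempt succeeds."""
    app = ReplayProtectedApp()
    request = _captured_request(app)
    initial = parse_qs(request)["csrf_token"][0]
    chain = SRePlayChain(app, response_param="token",
                         request_param="csrf_token", initial_value=initial)
    # Requests must be strictly sequential: each response holds the only
    # token the next request may use, which is why Intruder and Scanner
    # have to run single-threaded when the plugin is active.
    return [json.loads(chain.send(request)).get("error", "ok") for _ in range(times)]


if __name__ == "__main__":
    print("naive  :", naive_replay())    # ['ok', 'Invalid Token', 'Invalid Token']
    print("chained:", chained_replay())  # ['ok', 'ok', 'ok']
```

The extraction regex is deliberately loose so it works on both a JSON body (`"token":"..."`) and a plain `token=...` body, and the lookbehind stops it from matching inside `csrf_token`; in the real plugin the response parameter name and request parameter name are the two values entered in the configuration above.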

SRePlay in Action


Now that SRePlay is started with the required information, and all Burp tools (Repeater, Intruder and Scanner) are selected, we can repeat the request from Repeater, Intruder and Scanner. For Intruder and Scanner, however, we have to use a single thread: each response carries exactly one token, valid only for the next request, so concurrent requests would race for it and all but one would be rejected.

Likewise, we can brute-force or scan parameters of this request with Intruder.