Allow multiple JWT tokens on different locations #86

Open
gl4nce opened this issue Oct 21, 2022 · 3 comments

gl4nce commented Oct 21, 2022

Would be a nice feature, if JWTs in multiple locations can appear with an option to select one for testing.

I'm currently testing a website which is sending two JWTs (access and refresh token) at the same time.

Example request:

GET /api/v1/getpage HTTP/1.1
Host: xyz
Cookie: refresh=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
Connection: close

As you can see, there are JWTs in cookie and authorization header. jwt_tool doesn't work in this case and quits with: Too many tokens! JWT in more than one place: cookie, header, POST data
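The behaviour requested above, as an added Python example (not jwt_tool's code and not part of the original issue): it finds every JWT in a raw request, reports where each one sits, and returns one only when the tester's location or name filter is unambiguous. The function names, the sample request and its tokens are constructed for this illustration.

```python
import base64
import json
import re

# Heuristic: three base64url segments; a JSON header always encodes to "eyJ...".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

def b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sample_jwt(claims):
    # Constructed token with a dummy signature, for the demo only.
    return ".".join([b64url({"alg": "RS256", "typ": "JWT"}), b64url(claims), "c2ln"])

ACCESS = sample_jwt({"use": "access"})
REFRESH = sample_jwt({"use": "refresh"})
# Constructed request shaped like the one in the issue.
SAMPLE_REQUEST = (
    "GET /api/v1/getpage HTTP/1.1\r\n"
    "Host: xyz\r\n"
    f"Cookie: lang=en; refresh={REFRESH}\r\n"
    f"Authorization: Bearer {ACCESS}\r\n"
    "Connection: close\r\n\r\n"
)

def find_jwts(raw_request):
    """Return (location, name, token) for every JWT in cookies, headers and body."""
    head, _, body = raw_request.replace("\r\n", "\n").partition("\n\n")
    found = []
    for line in head.split("\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            for pair in value.split(";"):
                cname, _, cval = pair.strip().partition("=")
                found += [("cookie", cname, t) for t in JWT_RE.findall(cval)]
        else:
            found += [("header", name.strip(), t) for t in JWT_RE.findall(value)]
    found += [("body", "", t) for t in JWT_RE.findall(body)]
    return found

def select_jwt(raw_request, location=None, name=None):
    """Return the single JWT matching the filters; refuse to guess if ambiguous."""
    hits = [h for h in find_jwts(raw_request)
            if location in (None, h[0]) and (name is None or name.lower() == h[1].lower())]
    if len(hits) != 1:
        where = ", ".join(f"{loc}:{n}" for loc, n, _ in hits) or "none"
        raise ValueError(f"expected exactly one JWT, found {len(hits)} ({where})")
    return hits[0][2]

def claims(token):
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
```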


OXERY commented Apr 16, 2024

If anybody stumbles upon this (after all this time) - one can use the Burp Addon ReShaper with the "Then"-Action Set-Value, e.g. using a cookie as source and set a header with the identical value. Match/Replace is also possible.


gl4nce commented Apr 16, 2024

> If anybody stumbles upon this (after all this time) - one can use the Burp Addon ReShaper with the "Then"-Action Set-Value, e.g. using a cookie as source and set a header with the identical value. Match/Replace is also possible.

Thanks for this suggestion. Nevertheless, linking to a login-protected website isn't very helpful.


OXERY commented Apr 16, 2024

@gl4nce Thanks, I updated the link. Could you please also change/remove the link in your quote? Thanks!
