Releases: worldtreeboy/burp-session-share

v1.1.1 — JWT Scanner Fix

19 Feb 16:08

Fix

  • JWT Scanner false positive: The passive JWT scanner was flagging "JWT Missing Expiry Claim" on non-JWT base64-encoded JSON data (cookies, tracking tokens, etc.) that happened to match the JWT regex pattern. It now validates that the decoded header contains an alg field (required by the JWT spec) before running any analysis.
  • Added MIT license
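The following Python models the fix described above; it is an added illustration, not the extension's own (Java/Montoya) code. The three-segment regex, the constructed sample token and tracking cookie, and the `require_alg` switch that reproduces the regex-only pre-fix behaviour are all assumptions made here for demonstration.

```python
import base64
import json
import re

# Three base64url segments separated by dots; the signature segment may be empty.
# Assumed shape check, standing in for the scanner's "JWT regex pattern".
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(obj: dict) -> str:
    """Encode a JSON object as an unpadded base64url segment (used for sample data)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_json_object(segment: str):
    """Return the segment as a JSON object, or None if it is not one."""
    try:
        value = json.loads(b64url_decode(segment))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None
    return value if isinstance(value, dict) else None


def is_jwt(token: str, require_alg: bool = True) -> bool:
    """require_alg=False is the regex-only pre-fix heuristic (assumed); the fix
    additionally requires the decoded header to be a JSON object carrying 'alg'."""
    if not JWT_RE.match(token):
        return False
    if not require_alg:
        return True
    header = decode_json_object(token.split(".")[0])
    return header is not None and "alg" in header


def missing_expiry_findings(token: str, require_alg: bool = True) -> list:
    """Passive check: report a missing exp claim only for tokens judged to be JWTs."""
    if not is_jwt(token, require_alg):
        return []
    payload = decode_json_object(token.split(".")[1])
    if payload is None or "exp" in payload:
        return []
    return ["JWT Missing Expiry Claim"]


# Constructed inputs: a JWT without exp, and a base64 JSON tracking cookie whose
# dot-separated JSON blobs happen to match JWT_RE but carry no alg header.
REAL_JWT = ".".join([b64url_encode({"alg": "HS256", "typ": "JWT"}),
                     b64url_encode({"sub": "alice"}), "c2ln"])
LOOKALIKE_COOKIE = ".".join([b64url_encode({"uid": 42}),
                             b64url_encode({"ts": 1700000000}), "YWJj"])
```

With `require_alg=False` the cookie is flagged exactly as in the reported false positive; with the default it is skipped while the genuine token is still reported.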

v1.1.0 — Session Manager

19 Feb 14:49

What's New

Session Manager (Auto-Refresh)

Works independently of Leader/Follower — no server needed for solo use.

  • Login Macro — Configure a login request (URL, method, body, headers). When tokens expire, the extension replays it automatically.
  • JWT Expiry Pre-check — Before every outgoing request, checks the JWT exp claim. Refreshes proactively before expiry (configurable buffer, default 30s).
  • 401/403 Auto-refresh — On an auth failure, triggers the login macro on a background thread. All subsequent requests get fresh tokens.
  • Live UI — JWT expiry countdown with color coding, refresh counter, Test/Refresh Now buttons.

Why it matters

Long active scans no longer lose their session mid-scan. The extension keeps you authenticated automatically.

Full Changelog

v1.0.0...v1.1.0

v1.0.0

19 Feb 14:18

Session Share v1.0.0

Burp Suite extension for sharing session tokens across a pentest team over LAN.

Session Sharing

  • Leader/Follower model — one person captures tokens, everyone stays in sync
  • Auto-captures cookies, JWTs, CSRF tokens, and custom headers
  • Embedded HTTP server — no external server needed
  • Configurable poll interval, target scope, and password authentication

JWT Scanner — 5 Passive Checks

  • Algorithm "none" detection
  • HS256 usage flagging
  • Missing expiry claim
  • Expired token accepted (confirmed via response code)
  • Sensitive data in JWT payload

JWT Scanner — 8 Active Checks

  • alg:none bypass — forges unsigned token
  • Empty signature — strips signature, keeps original alg
  • Corrupted signature — flips signature bytes
  • Expiry removal — removes exp claim
  • kid SQL injection — injects SQL payloads into kid field
  • kid path traversal — injects traversal paths into kid field
  • jku header injection — SSRF via Burp Collaborator
  • nbf bypass — sets not-before to future date

Installation

  1. Download session-share.jar below
  2. In Burp Suite: Extensions → Add → Java → select the JAR

Requirements

  • Burp Suite Professional or Community (Montoya API)
  • Java 17+