Tokens

Token brute-force attacks (BFAs) involve systematically trying different token values in order to guess a valid authentication token. If tokens are weak, predictable, or not protected by rate limiting, attackers can automate these attempts and gain unauthorized access to an API or system by guessing a valid token.

The example below is based on TCM's Practical API Hacking course.

We can obtain a valid token (Figure 1) and then use Burp's Sequencer to analyze its randomness (Figure 2) and/or Burp's Decoder to decipher its value (Figure 3). If the token follows a predictable pattern, we can write a script that generates further candidate tokens and then attempt a BFA with them.

Figure 1: Obtaining a token as admin.
Figure 2: Performing token analysis with Burp's Sequencer.
Figure 3: Decoding the token with Burp's Decoder.
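The following Python script is an added example, not code from the original page or from TCM's course. It shows, from the defender's side, the two halves of the problem above: a simplified version of the kind of analysis Sequencer and Decoder perform (pooled character entropy, shared prefix across samples, and whether the token base64-decodes to readable structured data), and the mitigations that make token guessing impractical (tokens drawn from the OS CSPRNG via `secrets.token_urlsafe`, server-side storage of token hashes rather than raw tokens, and a per-client limit on failed attempts). The weak token format (`base64("admin:<unix timestamp>")`) is a constructed illustration of a predictable scheme, not a format observed on the page; the `TokenValidator` class and its method names are this example's own.

```python
"""Token predictability assessment and hardened token handling (added example)."""
import base64
import binascii
import hashlib
import math
import secrets
import time
from collections import Counter


def shannon_entropy_bits(samples):
    """Shannon entropy in bits per character over the pooled characters of all samples.
    A uniformly random URL-safe base64 token approaches 6 bits/char; structured
    tokens that repeat most of their characters score well below that."""
    text = "".join(samples)
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def common_prefix_len(samples):
    """Length of the prefix shared by every sample; a long shared prefix means
    the token carries fixed structure (e.g. an encoded username) rather than randomness."""
    if not samples:
        return 0
    first = samples[0]
    i = 0
    while i < len(first) and all(len(s) > i and s[i] == first[i] for s in samples):
        i += 1
    return i


def decodes_to_printable(token):
    """True if the token base64-decodes (standard or URL-safe alphabet) to printable
    ASCII, i.e. it is an encoding of readable data rather than random bytes."""
    normalised = token.translate(str.maketrans("-_", "+/"))
    padded = normalised + "=" * (-len(normalised) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) > 0 and all(32 <= b < 127 for b in raw)


def assess_tokens(samples):
    """Summarise the signs of predictability in a list of observed tokens."""
    return {
        "entropy_bits_per_char": shannon_entropy_bits(samples),
        "common_prefix_len": common_prefix_len(samples),
        "decodes_to_printable": all(decodes_to_printable(t) for t in samples),
    }


def issue_token(nbytes=32):
    """Issue an unpredictable token from the OS CSPRNG (256 bits of entropy by default)."""
    return secrets.token_urlsafe(nbytes)


class TokenValidator:
    """Validates presented tokens against stored hashes and limits failed attempts per client."""

    def __init__(self, max_failures=5, window_seconds=60.0):
        self._hashes = {}     # sha256(token) -> subject; raw tokens are never stored
        self._failures = {}   # client_id -> timestamps of recent failed attempts
        self.max_failures = max_failures
        self.window = window_seconds

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def register(self, token, subject):
        self._hashes[self._digest(token)] = subject

    def validate(self, client_id, presented, now=None):
        """Return ("ok", subject), ("invalid", None) or ("rate_limited", None).
        Once a client exceeds max_failures within the window, every further attempt
        is refused (even a correct one) until the window has elapsed."""
        now = time.monotonic() if now is None else now
        recent = [t for t in self._failures.get(client_id, []) if now - t < self.window]
        self._failures[client_id] = recent
        if len(recent) >= self.max_failures:
            return ("rate_limited", None)
        subject = self._hashes.get(self._digest(presented))
        if subject is None:
            recent.append(now)
            return ("invalid", None)
        return ("ok", subject)


# Constructed samples: a weak scheme that is just base64("admin:<timestamp>") issued once
# per second, next to tokens from the CSPRNG-backed issuer above.
WEAK_SAMPLES = [base64.b64encode(f"admin:{1700000000 + i}".encode()).decode() for i in range(20)]
STRONG_SAMPLES = [issue_token() for _ in range(20)]

if __name__ == "__main__":
    print("weak  :", assess_tokens(WEAK_SAMPLES))
    print("strong:", assess_tokens(STRONG_SAMPLES))
```

Run as a script it prints the two assessments side by side: the constructed weak tokens share a long prefix, decode to readable text and have low per-character entropy, while the `secrets`-generated ones do not. Storing only the SHA-256 of each token means a leaked token table cannot be replayed, and looking tokens up by hash avoids a variable-time string comparison against the raw secret. The attempt limiter is deliberately keyed on an explicit `now` so its behaviour is testable; a production deployment would key it on something harder to rotate than a client identifier the caller controls.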
