RhinoSecurityLabs / IPRotate_Burp_Extension

Extension for Burp Suite which uses AWS API Gateway to rotate your IP on every request.

The security token included in the request is invalid #39

Closed YuriiSrohyi closed 3 years ago

YuriiSrohyi commented 3 years ago

When I try to enable IPRotate, the enable button does not work, and this message pops up in the trace:

Traceback (most recent call last):
  File "/Users/kendirom/.BurpSuite/bapps/2eb2b1cb1cf34cc79cda36f0f9019874/IPRotate.py", line 202, in enableGateway
    self.startAPIGateway()
  File "/Users/kendirom/.BurpSuite/bapps/2eb2b1cb1cf34cc79cda36f0f9019874/IPRotate.py", line 76, in startAPIGateway
    self.create_api_response = self.awsclient.create_rest_api(
  File "/Users/kendirom/.BurpSuite/bapps/2eb2b1cb1cf34cc79cda36f0f9019874/BappModules/botocore/client.py", line 357, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/Users/kendirom/.BurpSuite/bapps/2eb2b1cb1cf34cc79cda36f0f9019874/BappModules/botocore/client.py", line 661, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (UnrecognizedClientException) when calling the CreateRestApi operation: The security token included in the request is invalid.

Although I'm passing the right keys:

image image

Not sure what I'm doing wrong. Here are extender options: image

Tried with Python 2.7 but had no success either.

DaveYesland commented 3 years ago

The Access Key and Secret key should be the AWS access key id and access key secret to a role or user in the AWS account which has full permissions for API Gateway, something like: AKIAIOSFODNN7EXAMPLE.

IP rotate will set up all the API Gateways needed; there should be no need to do that manually.

https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys
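A pre-flight check for the key pair described in the reply above, as an added example that is not part of the thread or of the extension's code. It assumes boto3 is installed; the function names and the error-code table are this example's own, and the format check is a heuristic for the usual 20-character access key ID and 40-character secret.

```python
import re

# Long-term IAM keys start with AKIA; temporary STS keys start with ASIA.
KEY_ID_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")

# Credential-related AWS error codes and their likely cause.
CAUSES = {
    "UnrecognizedClientException": "access key ID unknown or inactive, or session token missing",
    "InvalidClientTokenId": "access key ID unknown or inactive, or session token missing",
    "SignatureDoesNotMatch": "access key ID exists but the secret key is wrong",
    "InvalidSignatureException": "access key ID exists but the secret key is wrong",
    "ExpiredToken": "temporary credentials have expired",
    "AccessDeniedException": "keys are valid but lack API Gateway permissions",
}


def check_key_format(access_key, secret_key, session_token=None):
    """Return a list of problems that can be found without contacting AWS."""
    problems = []
    if access_key != access_key.strip() or secret_key != secret_key.strip():
        problems.append("leading or trailing whitespace in a key field")
    key_id = access_key.strip()
    if not KEY_ID_RE.match(key_id):
        problems.append("access key ID is not 20 characters starting with AKIA or ASIA")
    elif key_id.startswith("ASIA") and not session_token:
        problems.append("ASIA key is temporary and also needs a session token")
    if len(secret_key.strip()) != 40:
        problems.append("secret access key is not 40 characters")
    return problems


def explain(error_code):
    """Map an AWS error code to its likely cause."""
    return CAUSES.get(error_code, "not a credential error: " + error_code)


def preflight(access_key, secret_key, region="us-east-1"):
    """Check the keys with sts:GetCallerIdentity, which needs no IAM permissions."""
    import boto3  # lazy import: the offline checks above work without boto3
    from botocore.exceptions import ClientError
    problems = check_key_format(access_key, secret_key)
    if problems:
        return problems
    sts = boto3.client("sts", region_name=region, aws_access_key_id=access_key,
                       aws_secret_access_key=secret_key)
    try:
        return ["ok: " + sts.get_caller_identity()["Arn"]]
    except ClientError as err:
        return [explain(err.response["Error"]["Code"])]
```

Running `preflight` before enabling the extension separates a wrong or mistyped key pair from valid keys that lack API Gateway permissions.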

YuriiSrohyi commented 3 years ago

Thanks! That helped