Browser core PRT injection not working

[realspookysocks]

Trying to use the browsercore method of PRT injection isn't working for me. The bctest.py works fine, but when the login loads, it still prompts for a username and password. After a bit of troubleshooting, I was thinking maybe it has to do with the PRT without a nonce update mentioned in the article here: https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/.

Similarly, PRT injection methods like the one listed in this stealthbits article don't appear to be working.

Noteworthy though, the selenium PRT browserauth method in roadtools still works!

[dirkjanm]

Which browser were you using? I've read that newer versions of Chrome have native support for PRT based SSO so maybe it doesn't use browsercore anymore. The browsercore method does use a nonce so that shouldn't be the issue. The article you mention is indeed outdated and no longer a working method.

[realspookysocks]

I was using Chrome version 120.0.6099.225 (Official Build) (64-bit). From what I could tell it was using browsercore because after I tried it, the user popped up in the risky sign ins. So it seemed to me like it was attempting to submit the PRT, but that it wasn't happy with it.

That's good to know about the nonce for browsercore.py. Does the browsercore method still work for you? If so, I can do more troubleshooting.