Token Replay Attack
How Token Replay Works
Token replay is a straightforward yet effective attack where an attacker captures a valid authentication token and reuses it to gain unauthorized access. The attack exploits systems that don't properly validate token freshness or implement replay protection mechanisms.
The attack typically follows these steps:
- Token capture - The attacker intercepts a valid token through network sniffing, malware, or by extracting it from compromised devices
- Storage - The captured token is saved for later use
- Replay - The attacker presents the stored token to the target system, impersonating the legitimate user
- Access - If the system accepts the token without validating its freshness, the attacker gains the same privileges as the original token holder
This technique works because many systems only verify that a token is well-formed, correctly signed and unexpired. They never ask whether it is being presented by the client it was issued to, from the expected context, or for a second time.
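The following is an added example, not code from the original article. It builds a minimal HS256 JWT with the standard library and shows the two verifiers side by side: the common one, which accepts any signed, unexpired token however often it is replayed, and a hardened one that treats the jti claim as a one-time nonce. The key and the token contents are constructed for the example; the nonce approach suits one-time tokens (password resets, magic links, signed webhook calls), while multi-use bearer tokens need binding or rotation instead.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key for this example only; a real service keeps it in a secret store.
SECRET = b"example-hs256-key-do-not-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def issue_token(sub: str, jti: str, now: int, lifetime: int = 300) -> str:
    """Mint a compact HS256 JWT carrying sub, iat, exp and a unique jti."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": now, "exp": now + lifetime, "jti": jti}
    signing_input = _b64url(_compact_json(header)) + "." + _b64url(_compact_json(payload))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _check_signature_and_expiry(token: str, now: int):
    """Return the payload if the signature verifies and exp is still in the future, else None."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):   # verify before parsing
            return None
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":   # the algorithm is fixed server-side, never taken from the token
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload


def vulnerable_accept(token: str, now: int) -> bool:
    """What many APIs do: signed and unexpired means accepted, no matter how many times."""
    return _check_signature_and_expiry(token, now) is not None


class ReplayProtectedVerifier:
    """Treats jti as a one-time nonce: each identifier is honoured once and remembered until exp."""

    def __init__(self):
        self._seen = {}   # jti -> exp, so entries can be evicted once the token could no longer verify

    def accept(self, token: str, now: int) -> bool:
        payload = _check_signature_and_expiry(token, now)
        if payload is None or not isinstance(payload.get("jti"), str):
            return False
        self._seen = {j: e for j, e in self._seen.items() if e > now}   # evict expired nonces
        if payload["jti"] in self._seen:
            return False   # same jti presented again: replay
        self._seen[payload["jti"]] = payload["exp"]
        return True


def demo():
    now = 1_700_000_000
    token = issue_token("alice", "req-0001", now)
    h, _, s = token.split(".")
    # Attacker keeps the real signature but swaps the payload: must fail verification.
    forged = h + "." + _b64url(b'{"sub":"mallory","exp":9999999999,"jti":"x"}') + "." + s
    verifier = ReplayProtectedVerifier()
    return {
        "vulnerable_first": vulnerable_accept(token, now + 1),
        "vulnerable_replay": vulnerable_accept(token, now + 120),   # accepted again
        "hardened_first": verifier.accept(token, now + 1),
        "hardened_replay": verifier.accept(token, now + 120),       # rejected
        "hardened_expired": verifier.accept(token, now + 301),
        "hardened_forged": verifier.accept(forged, now + 1),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The seen-set lives in process memory here; behind a load balancer it has to be shared (a database or cache with atomic insert-if-absent), otherwise an attacker simply replays against a different node.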
Token Replay Against APIs
APIs are particularly exposed to token replay because they authenticate with bearer tokens: whoever holds the token is treated as the user, and a stateless server keeps nothing that distinguishes the second presentation of a token from the first. Here's how attackers exploit APIs:
Intercepted API tokens - API tokens (JWTs, OAuth access and refresh tokens, session cookies) are normally protected in transit by HTTPS, but can still be captured through:
- Man-in-the-middle attacks on compromised networks
- Malware on client devices
- Cross-site scripting (XSS) attacks that steal tokens from browser storage
- Leaked token databases from data breaches
Common API replay scenarios:
- Mobile app APIs - Tokens stored on devices can be extracted and reused
- Third-party integrations - Compromised partner systems can replay tokens to access your API
- Public APIs - Without rate limiting and anomaly detection, a replayed token can be used at volume for as long as it remains valid, with nothing to flag the extra traffic
- Microservices - Internal service-to-service tokens, if intercepted, can grant lateral movement
Real-world example: In 2019, a major video streaming service had tokens that remained valid for 90 days with no replay protection. Attackers who obtained tokens through phishing could watch content for months without detection.
Why APIs are attractive targets: API tokens often grant broader access than web session cookies, may have longer expiration times, and are frequently used in automated systems where unusual usage patterns are harder to detect.
Detection & Prevention
Detecting token replay requires monitoring for anomalous authentication patterns and implementing preventive controls.
Detection methods:
- Geolocation anomalies - Same token used from geographically distant locations within impossible timeframes
- Device fingerprinting - Same token presented from different device characteristics (user agent, IP, browser fingerprint)
- Usage pattern analysis - Unusual access times or frequency compared to user's normal behavior
- Concurrent session detection - Same token active from multiple locations simultaneously
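Here is an added example (not from the original article) that runs the first three detection methods above over a constructed access log: impossible travel from GeoIP-resolved coordinates, a change of device fingerprint for the same token, and two different fingerprints using one token inside a short window. The log rows, IP addresses, coordinates and thresholds are all made up for the example; the token identifier would in practice be a JWT jti or a hash of the token.

```python
import math
from datetime import datetime

# Constructed sample access log: one row per API request.
# Fields: timestamp, token identifier, client IP, User-Agent,
# and the latitude/longitude a GeoIP lookup resolved for that IP.
SAMPLE_LOG = [
    ("2024-03-01T10:00:00Z", "tok-A", "203.0.113.10", "MobileApp/4.2 (iOS)", 40.71, -74.01),   # New York
    ("2024-03-01T10:05:00Z", "tok-A", "203.0.113.10", "MobileApp/4.2 (iOS)", 40.71, -74.01),
    ("2024-03-01T10:20:00Z", "tok-A", "198.51.100.7", "curl/8.4.0", 52.52, 13.40),              # Berlin, 15 min later
    ("2024-03-01T10:21:00Z", "tok-A", "203.0.113.10", "MobileApp/4.2 (iOS)", 40.71, -74.01),   # New York again
    ("2024-03-01T11:00:00Z", "tok-B", "192.0.2.44", "Mozilla/5.0 (X11; Linux)", 37.77, -122.42),
    ("2024-03-01T11:30:00Z", "tok-B", "192.0.2.44", "Mozilla/5.0 (X11; Linux)", 37.77, -122.42),
]

MAX_PLAUSIBLE_KMH = 900.0    # airline speed; faster than this between two uses is "impossible travel"
CONCURRENCY_WINDOW_S = 300   # two different fingerprints within this window count as concurrent use


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def _parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect_replay(log):
    """Return (token, finding, timestamp) triples for uses that look like a replayed token."""
    findings = []
    last = {}   # token -> (datetime, lat, lon, fingerprint) of its previous use
    for ts_s, tok, ip, ua, lat, lon in sorted(log, key=lambda row: row[0]):
        ts = _parse_ts(ts_s)
        fp = (ip, ua)   # crude device fingerprint; real systems add TLS fingerprint, client hints, etc.
        if tok in last:
            prev_ts, plat, plon, pfp = last[tok]
            gap_s = (ts - prev_ts).total_seconds()
            dist_km = haversine_km(plat, plon, lat, lon)
            # Distance exceeds what the fastest plausible travel covers in the gap.
            # Written this way it also catches gap_s == 0 with any distance > 0.
            if dist_km > MAX_PLAUSIBLE_KMH * gap_s / 3600:
                findings.append((tok, "impossible_travel", ts_s))
            if fp != pfp:
                findings.append((tok, "fingerprint_change", ts_s))
                if gap_s <= CONCURRENCY_WINDOW_S:
                    findings.append((tok, "concurrent_use", ts_s))
        last[tok] = (ts, lat, lon, fp)
    return findings


if __name__ == "__main__":
    for tok, kind, when in detect_replay(SAMPLE_LOG):
        print(f"{when} {tok} {kind}")
```

Only tok-A produces findings: the Berlin request trips impossible travel and a fingerprint change, and the New York request one minute later trips both again plus concurrent use. A fingerprint change on its own is a weak signal (app upgrades, carrier NAT), so in production it raises a score rather than blocking outright; impossible travel combined with concurrent use is strong enough to revoke.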
Prevention techniques:
- Short token lifetimes - Reduce the window of opportunity for replay (JWTs with 5-15 minute lifetimes)
- Refresh token rotation - After each use, invalidate the previous refresh token (one-time use refresh tokens)
- Token binding - Bind tokens to the client that requested them. Binding to IP address or User-Agent is cheap but weak (mobile clients change IPs, NAT shares them, and headers are copied along with the token); cryptographic proof of possession, such as mutual-TLS-bound tokens (RFC 8705) or DPoP (RFC 9449), makes a stolen token useless without the client's private key
- Contextual validation - Verify that token usage matches expected context (location, device, time of day)
- Nonces and timestamps - Give each token a unique identifier (the JWT jti claim) and an issue time (iat), and have the server reject any identifier it has already seen and any token presented outside its acceptance window
- Network-level protections - Use mutual TLS for service-to-service authentication
Implementation example: A banking API implemented refresh token rotation and saw a 95% reduction in successful replay attacks within three months. Because each refresh token is single-use, an attacker replaying a captured refresh token presents one that has already been redeemed; the system treated that reuse as proof of compromise and revoked the whole token family, ending every session derived from that login until the user re-authenticated.
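The refresh token rotation item in the prevention list and the banking example above describe the same mechanism. This added example (not the bank's code, nor code from the original article) implements it: a server-side store in which every login starts a token family, each refresh token can be redeemed exactly once, and redeeming an already-used token revokes the entire family and records an alert. The store is in-memory and the user name is constructed for the demo; a real deployment keeps the records in a database with an atomic mark-used-and-issue step.

```python
import hashlib
import secrets


class RefreshTokenStore:
    """Server-side store for rotating, single-use refresh tokens with reuse detection.

    Every login creates a token family. Redeeming a refresh token marks it used and
    issues a successor in the same family. Redeeming a token that was already used means
    either a client bug or a second party holding a copy, so the whole family is revoked
    and an alert is recorded for the user.
    """

    def __init__(self):
        self._records = {}             # sha256(token) -> {"family", "user", "used"}
        self._revoked_families = set()
        self.alerts = []               # (user, family) pairs to feed a session-kill hook or SIEM

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()   # store hashes, never raw tokens

    def _issue(self, user, family):
        token = secrets.token_urlsafe(32)
        self._records[self._key(token)] = {"family": family, "user": user, "used": False}
        return token

    def login(self, user):
        """Start a new family for a fresh authentication and return its first refresh token."""
        return self._issue(user, secrets.token_hex(8))

    def refresh(self, token):
        """Rotate: return a new refresh token, or None if the presented one is rejected."""
        rec = self._records.get(self._key(token))
        if rec is None or rec["family"] in self._revoked_families:
            return None
        if rec["used"]:
            # Replay of a rotated token: kill every token in the family, including the
            # legitimate client's current one, and surface the event.
            self._revoked_families.add(rec["family"])
            self.alerts.append((rec["user"], rec["family"]))
            return None
        rec["used"] = True
        return self._issue(rec["user"], rec["family"])

    def is_revoked(self, token):
        rec = self._records.get(self._key(token))
        return rec is None or rec["family"] in self._revoked_families


def demo():
    """Legitimate client and attacker both hold rt1; rotation exposes the replay."""
    store = RefreshTokenStore()
    rt1 = store.login("alice")              # constructed user
    stolen = rt1                            # attacker copies the token from the device
    rt2 = store.refresh(rt1)                # legitimate client rotates; rt1 is now used
    attacker_result = store.refresh(stolen) # replay of rt1: rejected, family revoked, alert raised
    victim_result = store.refresh(rt2)      # the victim's current token is dead too; re-login required
    return {
        "rotation_succeeded": rt2 is not None and rt2 != rt1,
        "replay_rejected": attacker_result is None,
        "family_revoked": victim_result is None and store.is_revoked(rt2),
        "alerts": store.alerts,
        "unknown_token_rejected": store.refresh("not-a-real-token") is None,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The ordering does not matter: if the attacker rotates first, the legitimate client's next refresh is the reuse that triggers revocation, so the thief holds at most one token lifetime of access either way. One practical caveat: clients that lose the response to a refresh request will legitimately retry with the old token, so production implementations usually allow a short grace window during which the immediately preceding token is still accepted, rather than treating every reuse as theft.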
middleBrick detection: middleBrick's API security scanner tests your endpoints for token replay vulnerabilities by attempting to reuse captured tokens across different sessions and validating whether your system properly detects and prevents such attacks. The scanner checks for proper token binding, expiration handling, and replay protection mechanisms, providing specific findings with remediation guidance.