ATOR – Authentication Token Obtain and Replace – Burp Suite plug-in for complex session mechanisms

ATOR plug-in scheme

Come on burp suite tool has a built-in session mechanism, more and more often I meet situations where i just can not cope with keeping it active. This is most often caused by one of the following factors:

  • Dynamic CSRF tokens hidden in different places of the request;
  • JavaScript-based applications (React, Angular) and APIs that use authentication tokens;
  • specific header values instead of cookies (e.g. JWT);
  • use of dual tokens (access/refresh tokens), mainly in mobile applications;

Recently, I came up with a great plugin that makes it much easier to carry out automatic scans. I tested it, among other things, in a scenario with a JWT token (OAuth 2.0 / bearer token), which changes every few minutes and with a clear conscience I can recommend.

The quick start guide looks like this:

  • We catch the request responsible for logging in (in response to which we get the bearer token) and send it to the ATORa.
Send an existing login response to ATOR
  • We select from the answer a string that interests us and give it a name.
Extract access token from response
Extract access token from response
  1. We provide how the plugin can identify that the session has been "killed".
Set error type as status code = 401
Set error type as status code = 401
  1. We indicate the formula by which our session token is to be replaced in the new requests. We use regular expressions here. It is worth testing them in advance on the regexr website.
Set exchange area
Set exchange area
  • If you use additional plug-ins for automatic scanning, please select this in the ATORa settings.
Set extender

The plugin can be found on Githubie synopsys

Chcesz wiedzieć więcej?

Zapisz się i bądź informowany o nowych postach (zero spamu!). Dodatkowo otrzymasz, moją prywatną listę 15 najbardziej przydatnych narzędzi (wraz z krótkim opisem), których używam przy testach penetracyjnych.

Nigdy nie podam, nie wymienię ani nie sprzedam Twojego adresu e-mail. W każdej chwili możesz zrezygnować z subskrypcji.

Bookmark the permalink.

Share your opinion about the article.