Ator – Authentication Token Obtain and Replace Extender

The plugin is created to help automated scanning using Burp in the following scenarios:

- Access/Refresh token handling
- Token replacement in XML and JSON bodies
- Token replacement in cookies

The above can be achieved in some scenarios using complex macros, session handling rules or a custom extender, but the rules become tricky and do not work where the text to replace is JSON or XML.

Key advantages:

- In-memory token replacement, which avoids the duplicate login requests seen with both custom extenders and macros/session rules.
- Easy UX to obtain data (from the response) and replace data (in requests) using regex. This covers complex scenarios where the response body is JSON or XML and the request text is also JSON, XML, form data etc.
- Scan speed: the scan speed increases considerably because there are no extra login requests.
- A “Trigger Request”: the error condition (which can also include a regex) on which the login requests are triggered. The error condition can include, for example, response code = 401 and body contains “Unauthorized request”.
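The obtain/replace flow described above, modelled as an added example (not ATOR's own code): a trigger condition on status code plus body regex decides when the login sequence runs, one regex pulls the token out of the login response, and a location regex patches it into JSON, XML or cookie text. The sample messages and the `login` callback are constructed for the example.

```python
import re
# Constructed sample messages standing in for Burp request/response data (not from ATOR itself).
LOGIN_RESPONSE = '{"access_token":"abc123","refresh_token":"r-xyz","expires_in":3600}'
REQUEST_JSON = '{"token":"OLD","action":"list"}'
REQUEST_XML = '<req><token>OLD</token></req>'
REQUEST_COOKIE = 'session=OLD; theme=dark'

class TokenReplacer:
    """Model of the obtain/replace flow: a trigger condition (status + body regex)
    decides when to re-run the login, one regex pulls the token out of the login
    response, and per-location regexes patch it into outgoing requests."""
    def __init__(self, obtain_re, trigger_status, trigger_body_re):
        self.obtain_re = re.compile(obtain_re)
        self.trigger_status = trigger_status
        self.trigger_body_re = re.compile(trigger_body_re)
        self.token = None   # in-memory cache, so no login request per scan request
        self.logins = 0     # how many login sequences actually ran

    def is_trigger(self, status, body):
        return status == self.trigger_status and bool(self.trigger_body_re.search(body))

    def obtain(self, login_response_body):
        m = self.obtain_re.search(login_response_body)
        if m is None:
            raise ValueError("obtain regex did not match the login response")
        self.token = m.group(1)
        self.logins += 1
        return self.token

    def replace(self, text, location_re):
        # group 1 of location_re marks the old token; only that span is rewritten,
        # so JSON, XML, form bodies and cookie headers all use the same mechanism
        def sub(m):
            return m.string[m.start():m.start(1)] + self.token + m.string[m.end(1):m.end()]
        return re.sub(location_re, sub, text)

    def ensure_token(self, status, body, login):
        # login() is a hypothetical callback that runs the configured login sequence
        if self.token is None or self.is_trigger(status, body):
            self.obtain(login())
        return self.token

def demo():
    # four scanner responses, only one of which is the trigger: two logins in total
    ator = TokenReplacer(r'"access_token":"([^"]+)"', 401, r"Unauthorized request")
    for status, body in [(200, "{}"), (200, "{}"), (401, "Unauthorized request"), (200, "{}")]:
        ator.ensure_token(status, body, lambda: LOGIN_RESPONSE)
    return ator.logins
```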

The inspiration for the plugin is from ExtendedMacro plugin:

Blogs

- Authentication Token Obtain and Replace (ATOR) Burp Plugin – Part1 – Single step login sequence and single token extraction
- Authentication Token Obtain and Replace (ATOR) Burp Plugin – Part2 – Multi step login sequence and multiple extraction

Getting Started

1. Install Java and Maven
2. Clone the repository
3. Run the “mvn clean install” command in the cloned repo where pom.xml is present
4. Take the generated jar with dependencies from the
