Ator : Authentication Token Obtain and Replace Extender
This Burp extender was created to help automated scanning in the following scenarios:
Access/Refresh token
Token replacement in XML or JSON bodies
Token replacement in cookies
The above can sometimes be achieved with complex macros, session handling rules or a custom extender, but those rules become tricky and do not work when the replacement text is JSON or XML.
Key advantages:
In-memory token replacement: the extender keeps the obtained token in memory, which avoids the duplicate login requests that both custom extenders and macros/session rules generate.
Easy UX to obtain data (from the response) and replace data (in requests) using regex. This covers complex scenarios where the response body is JSON or XML and the request body is JSON, XML, form data, etc.
Scan speed – the scan speed increases considerably because there are no extra login requests. The login requests are only triggered by the “Trigger Request”, i.e. the error condition (which can also include a regex). An example error condition is: response code = 401 and body contains “Unauthorized request”.
Identify the error pattern (details in the section below)
Obtain the data from the response using a regex (see the sample regex values)
Replace this data in the request (use the same regex as in step 3, together with the variable name)
Error Pattern:
There are 4 different ways to specify the error condition.
Status Code: 401, 400
Error in Body: give any text from the body content (example: Access token expired)
Error in Header: give any text from the header (example: Unauthorized)
Free Form: use this to give multiple conditions (st=400 && bd=Access token expired || hd=Unauthorized)
Regex with samples
Use Authorization: Bearer \w* to match Authorization: Bearer AXXFFPPNSUSSUSSNSUSN
Use Authorization: Bearer ([\w+.-]*) to match Authorization: Bearer AXX-F+FPPNS.USSUSSNSUSN (the hyphen is placed last in the character class so it is a literal hyphen rather than a range)
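The four error-condition forms and the two sample regexes above, worked through as an added Python example that is not part of the ATOR extender (a Burp extender is Java, but the regex and condition semantics are the same). The response values are constructed, and the free-form precedence (&& binding tighter than ||, the value after = running up to the next operator) is an assumption, since the README does not spell it out:

```python
import re

# Constructed sample response used to exercise the trigger-condition forms.
SAMPLE_STATUS = 401
SAMPLE_HEADERS = {"WWW-Authenticate": 'Bearer error="Unauthorized"'}
SAMPLE_BODY = '{"detail": "Access token expired"}'


def match_status(status, codes):
    """Status Code form: a comma-separated list such as '401, 400'."""
    wanted = {int(c.strip()) for c in codes.split(",") if c.strip()}
    return status in wanted


def match_body(body, text):
    """Error in Body form: plain substring test against the response body."""
    return text in body


def match_header(headers, text):
    """Error in Header form: substring test against every 'Name: value' header line."""
    return any(text in f"{name}: {value}" for name, value in headers.items())


def match_free_form(expr, status, headers, body):
    """Free Form: e.g. 'st=400 && bd=Access token expired || hd=Unauthorized'.

    Assumption (not stated in the README): the expression is an OR of
    AND-groups, so '&&' binds tighter than '||'.
    """
    def term(t):
        key, _, value = t.strip().partition("=")
        key, value = key.strip(), value.strip()
        if key == "st":
            return match_status(status, value)
        if key == "bd":
            return match_body(body, value)
        if key == "hd":
            return match_header(headers, value)
        raise ValueError(f"unknown condition key: {key!r}")

    return any(all(term(t) for t in group.split("&&")) for group in expr.split("||"))


# The two sample regexes from the README. In the second one the hyphen is the
# last character of the class so it is literal; '[\w+_-.]' would be rejected by
# Java's Pattern (illegal range) and that is the engine a Burp extender uses.
BEARER_ANY_WORD = re.compile(r"Authorization: Bearer \w*")
BEARER_CAPTURE = re.compile(r"Authorization: Bearer ([\w+.-]*)")


def extract_bearer(request_text):
    """Return the bearer token captured by BEARER_CAPTURE, or None if absent."""
    m = BEARER_CAPTURE.search(request_text)
    return m.group(1) if m else None


if __name__ == "__main__":
    print(match_free_form("st=400 && bd=Access token expired || hd=Unauthorized",
                          SAMPLE_STATUS, SAMPLE_HEADERS, SAMPLE_BODY))
    print(extract_bearer("Authorization: Bearer AXX-F+FPPNS.USSUSSNSUSN"))
```

Note that \w* in the first sample stops at the first non-word character, so a token containing + . or - (as in the second sample) is only partly matched; the capture-group form is the one to use when the token alphabet is wider than [A-Za-z0-9_].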
Break down into end-to-end tests
Finding the Invalid request:
http://HOST:PORT/api/v1/exams/MQ==/ with an invalid Bearer token.
Identifying Error Pattern:
The above request returns 401, so the error condition here is Status Code = 401.
Match regex with request data
Authorization: Bearer \w* – this regex matches the access token that is passed in the request.
Replacement – How to replace
Replace the matched text (the step 3 regex) with the extracted value (the extraction configuration is discussed below; say the variable name is “token”).
Authorization: Bearer token – the variable name is replaced by the extracted token.
Usage with test application
Idea: record the Tiredful application requests in Burp, configure the ATOR extender, and check whether the token is replaced by ATOR.
Open the testing application in a browser configured to proxy through Burp
Generate a token from http://HOST:PORT/handle-user-token/
Send the request http://HOST:PORT/api/v1/exams/MQ==/ passing the Authorization Bearer token (obtained in the step above)
Add the ATOR jar file as an extender in Burp
Right-click the request (/handle-user-token) in Proxy history and send it to Authentication Token Obtain and Replace Extender
Add a new entry in the Extraction configuration by selecting the “access_token” value and giving it the name “token” (it may be any name). Note: for this application, one request is enough to generate a token. A token can also be generated after multiple requests.
TRIGGER CONDITION:
The macro steps are executed if the condition is matched.
After the steps run, the incoming request is rewritten using the values from “Pattern” and “Replacement Area”, if specified.
For our testing,
Error condition is 401 (Status Code)
Pattern is “Authorization: Bearer \w*” (specify the regex pattern for the text you want replaced with the extracted values)
Replacement Area is “Authorization: Bearer <NAME which you gave in STEP 4>”
Click the “Add” button.
For this example, one replacement is enough to make the incoming request valid, but you can add multiple replacements for a single condition.
Send the invalid request from Repeater and check the req/res flows in either Flow or Logger++
The invalid Bearer token (http://HOST:PORT/api/v1/exams/MQ==/) sent from Repeater produces a 401 response.
The extender matches this condition, starts running the recorded steps and extracts the “access_token”.
It replaces the access token (from step ii) in the actual request (from Repeater), making this invalid request valid.
In the Repeater console, you see a 200 OK response.
Do Step 7 again and check the flow
This time the extender will not invoke the steps because the existing token is valid, so it uses that.
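The end-to-end flow above (401 trigger, recorded login step, regex extraction, replacement, then reuse of the in-memory token on the second run) simulated as an added Python example. This is not the extender's code: the Tiredful endpoints are replaced by a constructed fake_server, the /handle-user-token/ response body and the token value are assumed, and the variable substitution in the Replacement Area is a plain name-for-value swap:

```python
import re

# Constructed stand-ins for the Tiredful traffic in the README (assumed values).
VALID_TOKEN = "AXXFFPPNSUSSUSSNSUSN"
TOKEN_RESPONSE_BODY = '{"access_token": "' + VALID_TOKEN + '", "token_type": "Bearer"}'

# Extraction configuration: one capture group run over the recorded token response.
EXTRACT_TOKEN = re.compile(r'"access_token":\s*"([^"]+)"')
# Replacement configuration from the README; "token" is the extraction variable name.
PATTERN = re.compile(r"Authorization: Bearer \w*")
REPLACEMENT_AREA = "Authorization: Bearer token"
VARIABLE_NAME = "token"


def fake_server(request_text):
    """Constructed stand-in for /api/v1/exams/MQ==/: 200 only with the valid token."""
    m = re.search(r"Authorization: Bearer (\S*)", request_text)
    if m and m.group(1) == VALID_TOKEN:
        return 200, '{"exams": []}'
    return 401, '{"detail": "Unauthorized request"}'


class Ator:
    """Minimal model of the trigger / obtain / replace loop with an in-memory token."""

    def __init__(self):
        self.token = None        # held in memory; avoids a login per request
        self.login_count = 0     # how many times the recorded steps ran

    def run_macro(self):
        """Replays the recorded /handle-user-token/ step (constructed response here)."""
        self.login_count += 1
        return TOKEN_RESPONSE_BODY

    def replace(self, request_text):
        """Rewrite the text matched by PATTERN with REPLACEMENT_AREA, variable substituted."""
        value = REPLACEMENT_AREA.replace(VARIABLE_NAME, self.token)
        # A lambda avoids backslash/group interpretation of the token by re.sub.
        return PATTERN.sub(lambda _m: value, request_text)

    def send(self, request_text):
        """Return (status, request as actually sent), re-logging in only on a 401."""
        if self.token is not None:          # reuse what is already in memory
            request_text = self.replace(request_text)
        status, _body = fake_server(request_text)
        if status != 401:                   # trigger condition: Status Code = 401
            return status, request_text
        # Trigger matched: run the recorded steps, extract, replace and resend once.
        self.token = EXTRACT_TOKEN.search(self.run_macro()).group(1)
        request_text = self.replace(request_text)
        status, _body = fake_server(request_text)
        return status, request_text


SAMPLE_REQUEST = (
    "GET /api/v1/exams/MQ==/ HTTP/1.1\r\n"
    "Host: HOST:PORT\r\n"
    "Authorization: Bearer INVALID\r\n\r\n"
)

if __name__ == "__main__":
    ator = Ator()
    print(ator.send(SAMPLE_REQUEST)[0], ator.login_count)   # first run: logs in
    print(ator.send(SAMPLE_REQUEST)[0], ator.login_count)   # second run: reuses token
```

The second send never calls run_macro, which is the speed gain the README describes: a scanner issuing many requests only pays for one login until the token expires and the 401 trigger fires again.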
Authors from Synopsys – Ashwath Reddy (@ka3hk) and Manikandan Rajappan (@rmanikdn)
License
This software is released by Synopsys under the MIT license.
Acknowledgments
https://github.com/FrUh/ExtendedMacro ExtendedMacro was a great start – we have modified the UI to handle more complex scenarios. We have also fixed bugs and improved speed by replacing tokens in memory.
The UI panel was split into 4 different configurations. Check out the code from v2 or use the executable from v2/bin.
Error Condition – find the error condition req/res and add the trigger condition [can be status code / text in body content / text in header]. Multiple conditions can also be added.
Obtain Token – find all the req/res needed to get the token. It can be a single request or multiple requests (do the replacement accordingly).
Error Condition Replacement – mark the trigger condition and also mark the place in the request where the replacement needs to be done (map the extraction).