Burp Extension: Authentication Token Obtain and Replace (ATOR)
Written by Snir Aviv on
Introduction
Scanning an API with Burp Suite usually requires a valid authentication token for the whole duration of the scan. Because a scan runs continuously and can take a long time, the token may expire part-way through; every request sent after that point is rejected by the API as unauthenticated, so the remaining scan results are incomplete or misleading (false negatives).
To address this, the Synopsys team developed ATOR (Authentication Token Obtain and Replace), a Burp Suite extension that automatically fetches a new token when the current one stops being accepted and substitutes it into subsequent requests. After sending the token-issuing request (for example, the login request) to ATOR from Burp, configure it in four steps:
1. In the Extraction Configuration tab, set the start and stop strings that delimit the access token in the selected response; ATOR extracts whatever lies between them
2. Give the extracted value a variable name and add the pattern string under which it appears in outgoing requests
3. Specify the regex pattern to replace in the request, together with the error condition (response status code or message) that signals the token has expired and a fresh one must be obtained
4. In the Token List tab, specify the new data that will be used in the upcoming requests
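Taken together, the four steps configure an obtain-and-replace loop: extract a token from one response, inject it into every later request, and repeat the extraction when the error condition appears. The Python below is an added example written for this article, not ATOR's own source. It emulates that loop against a constructed in-memory API (`FakeApi`) whose tokens expire after a fixed number of calls, using start/stop-string extraction (step 1), a regex with one capture group for the replacement, and a status code or response message as the expiry trigger (step 3). The names `FakeApi`, `TokenReplacer`, `run_scan`, the `tok-0001` token format and the host `api.example.test` are all invented for the example.

```python
import itertools
import json
import re


def extract_between(body, start, stop):
    """Text between the first `start` and the following `stop`
    (the start/stop-string extraction of step 1)."""
    i = body.find(start)
    if i < 0:
        raise ValueError(f"start string {start!r} not found in response")
    i += len(start)
    j = body.find(stop, i)
    if j < 0:
        raise ValueError(f"stop string {stop!r} not found after start string")
    return body[i:j]


def replace_token(raw_request, pattern, new_token):
    """Swap the token in a raw request. `pattern` needs exactly one capture
    group around the token so the surrounding header text is kept (step 3)."""
    regex = re.compile(pattern)
    if regex.groups != 1:
        raise ValueError("pattern needs exactly one capture group around the token")
    m = regex.search(raw_request)
    if m is None:
        raise ValueError("token pattern did not match the request")
    return raw_request[:m.start(1)] + new_token + raw_request[m.end(1):]


class FakeApi:
    """Constructed stand-in for the target API: each access token is good for
    a fixed number of calls, after which the API answers 401 with an error body."""
    def __init__(self, calls_per_token=3):
        self._ids = itertools.count(1)
        self._calls_per_token = calls_per_token
        self._remaining = {}  # token -> calls left before it expires

    def login(self):
        token = f"tok-{next(self._ids):04d}"  # invented token format
        self._remaining[token] = self._calls_per_token
        body = {"user": "alice", "access_token": token, "expires_in": 60}
        return 200, json.dumps(body, separators=(",", ":"))

    def call(self, raw_request):
        m = re.search(r"Authorization: Bearer (\S+)", raw_request)
        token = m.group(1) if m else None
        if self._remaining.get(token, 0) <= 0:
            return 401, json.dumps({"error": "token_expired"})
        self._remaining[token] -= 1
        return 200, json.dumps({"ok": True})


class TokenReplacer:
    """Obtain-and-replace loop: extract a token from the login response, inject
    it into each request, and re-obtain it when the error condition is seen."""
    def __init__(self, api, start, stop, pattern, error_status=401, error_message=None):
        self.api, self.start, self.stop, self.pattern = api, start, stop, pattern
        self.error_status, self.error_message = error_status, error_message
        self.token, self.tokens_obtained = None, 0

    def obtain(self):
        _status, body = self.api.login()
        self.token = extract_between(body, self.start, self.stop)
        self.tokens_obtained += 1

    def expired(self, status, body):
        # Step 3's error condition: a status code or a message in the response body.
        return status == self.error_status or (
            self.error_message is not None and self.error_message in body)

    def send(self, raw_request):
        if self.token is None:
            self.obtain()
        status, body = self.api.call(replace_token(raw_request, self.pattern, self.token))
        if self.expired(status, body):
            self.obtain()  # token rejected: fetch a fresh one and replay the request once
            status, body = self.api.call(replace_token(raw_request, self.pattern, self.token))
        return status, body


# Constructed sample request; PLACEHOLDER is what the regex replaces.
SAMPLE_REQUEST = ("GET /api/v1/profile HTTP/1.1\r\nHost: api.example.test\r\n"
                  "Authorization: Bearer PLACEHOLDER\r\n\r\n")


def run_scan(num_requests, calls_per_token=3):
    """Send `num_requests` copies of the sample request through the replacer;
    return the response statuses and how many tokens had to be obtained."""
    ator = TokenReplacer(FakeApi(calls_per_token),
                         start='"access_token":"', stop='"',          # step 1
                         pattern=r"Authorization: Bearer (\S+)",      # step 3
                         error_status=401, error_message="token_expired")
    statuses = [ator.send(SAMPLE_REQUEST)[0] for _ in range(num_requests)]
    return statuses, ator.tokens_obtained


if __name__ == "__main__":
    statuses, obtained = run_scan(10)
    print(f"{statuses.count(200)}/{len(statuses)} requests succeeded using {obtained} tokens")
```

With tokens that survive three calls, a ten-request run needs four tokens and every request still returns 200, because each expiry is detected from the configured status code or error message and the request is replayed with the fresh token. The same detect-and-replay shape is what keeps a long Burp scan authenticated; the only difference in real use is that extraction and replacement happen on live proxy traffic instead of the in-memory stand-in.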
Use Cases
The extension is useful in the following scenarios, all of them common in modern web application testing:
- Replacing CSRF tokens that change between requests or sessions
- Regenerating authentication tokens for JavaScript-based front ends (React, Angular) and APIs
- Replacing tokens carried in headers rather than cookies (for example, a JWT in an Authorization header)
- Handling token pairs (access and refresh tokens)
Installation
Install the extension from the BApp Store, or download its source code from the Git repository.