Introduction

Performing a Burp Suite scan towards an API will usually require authentication using a valid token during the entire scan process. As the scan is a continuous process, the authorization token might get expired during the scan and cause the scan to return invalid results.

To overcome this issue, the Synopsis team has been developing the Authentication Token Obtain and Replace (ATOR) Burp Suite extension that automates the process of fetching a valid token each time it is expired and replacing it with the newly generated one.After sending a request to the ATOR extension, it can be used through the following steps:
1. In the Extraction Configuration tab, set the start and stop strings to extract the access token from the selected response
2. Provide a name to that variable and add the pattern string
3. Specify the regex pattern to replace in the request, including the status code or message
4. In the Token List tab, specify the new data that will be used in the upcoming requests

Use Cases

The extension comes into play in the following possible scenarios, which mostly exist in modern web application testing:

• Switching CSRF tokens
• Regenerating authentication tokens on JavaScript-based apps (React, Angular) and APIs
• Replacing header values instead of cookies (JWT)
• Using double tokens (access/refresh tokens)

Installation

The extension can be installed using the BApp store (Burp Suite app store).
The extension’s source code can be downloaded via the Git repository.

References

• Authentication Token Obtain and Replace (ATOR) – Synopsis Blog
• Authentication Token Obtain and Replace – Git Repository