Authentication Token Obtain and Replace (ATOR) Burp plugin to handle complex login sequences

Automated scanners require a constant flow of requests, and most tools have built-in session-handling logic. But automated scanning / session handling for web applications is tricky these days, especially because of the following vectors:

• CSRF tokens
• JavaScript-based apps (React, Angular) and APIs using authentication tokens
• Header values instead of cookies (JWT)
• Use of double tokens (access/refresh tokens), mostly for mobile apps

Existing solutions

Burp sessions and macros

Burp has sessions, macros, and the ability to invoke extenders, which help with CSRF tokens (most scenarios), cookie-based session handling, and a few API-based scenarios. Shortcomings:

• Lack of support. Not all scenarios are supported. Cookies can be replaced in most scenarios. XML and JSON body replacement is not supported.
• Difficult to use. It’s hard to set up in complex scenarios.
• Slow. The speed drops because of duplicate requests (especially in header replacement scenarios).

Custom macro extender

The ExtendedMacro plugin (GitHub) provides a UI-based workflow to select and replace tokens. The UI is great and is a superb start to solve a tough problem. But the plugin has a few bugs that make it unreliable. It’s also slow because it sends multiple login requests. Shortcomings:

• Difficult to set up. It’s hard to select the error condition that triggers the login sequence. Instead, every request triggers the login sequence.
• Very slow. The speed is reduced because of repeated login requests for every request.
• Unreliable. Sometimes the replacement of tokens doesn’t work.

Our solution: ATOR Burp plugin

We wanted to build a Burp plugin supporting complex login sequences with the following features:

• Easy to use. The plugin should be easy to use and intuitive.
• Support for complex scenarios. The plugin should be generic so that it could support complex scenarios.
• Fast. The plugin should avoid duplicate requests and, instead, change parameters in memory wherever possible.

To achieve the above, we built on the great work done by Fruh (ExtendedMacro) to create the Authentication Token Obtain and Replace (ATOR) plugin. Our work can be summarized in the following points:

• Ease of use. ExtendedMacro was already easy to use, but we added another tab to handle error conditions. We also wrote blog posts about how to handle complex scenarios.
• Bugs. We made ExtendedMacro more reliable. Once we fixed the bugs, we immediately started seeing value.
• Speed. We used in-memory replacement of tokens instead of sending extra network traffic.
• Support for complex scenarios. We used regex for both figuring out error conditions and replacing tokens. Using regex makes it super easy to handle replacement in JSON, XML, the body, cookies, and URLs.
• Configurations. We added In-Scope and Targets options. The Targets option is for content discovery and simulates manual testing options provided by Burp.

Let’s break down how the ATOR plugin works using an example. Say an access token is valid for 30 minutes and then expires (after which a new access token has to be fetched). We have three scenarios:

1. Token is valid (Minute 0–29). ATOR sees that the request is valid and forwards the request to the server.

2. Token is expired (Minute 30). ATOR sees that the error condition is met. It triggers the login sequence, fetches a new access token (AT2), and saves the new access token in memory.

3. New access token needs to be used (Minute 31–59). ATOR replaces the token in request headers with AT2 till the error condition is met again. At that time—in this case, on Minute 60—ATOR goes back to Step 2 to fetch a new access token to store in memory.

Using ATOR

Follow this four-step process for any application or API:

1. Identify the login sequence (from the proxy or repeater) and configure it in ATOR.
2. Specify the error pattern.
3. Specify the regex pattern to replace in the request.
4. Specify the new data to use in the request.