wiki.hackerlab.cz
Burp Extensions - TokenJAR & ATOR

Burp extensions that help you deal with JWT access tokens.


Last updated 2 months ago


Keep in mind to configure Scanner and Intruder attacks to run single-threaded (a resource pool with one concurrent request): access token renewal is sequential and cannot run in parallel. You can also achieve access token renewal with Burp's native Session Handling Rules and Macros, but it can be challenging to set them up correctly. I personally prefer ATOR for its quick setup. TokenJAR is sometimes desynchronised and relies on an active web user session (front-end activity).

TokenJar

This Burp extension does not support Scanner, so you can use it mainly with Repeater and Intruder (Proxy is not recommended). The benefit of TokenJar is that it silently listens to requests coming from your web browser and stores/replaces new tokens. Therefore you need to keep your web session active. If you are testing a REST API without a WebUI (front end), choose ATOR instead!

Just import the following configuration from a text file. Adjust the URI path in the imported regex rule (for example /v1/session) to tell TokenJAR when to retrieve a new token.

TokenJar 2.2 [[true,"Authorization",true,false,false,false,false,"","\"Bearer \" + grp[1] + grp[2]","Authorization: Bearer ([a-zA-Z0-9_.-]+)?|\"token\":\"([a-zA-Z0-9_.-]+)?\"","/v1/session"]]

If you need to debug your configuration, turn on the debug checkbox and watch the Output/Error consoles in the Burp Extensions tab.
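To make the exported rule above concrete, here is an added Python example (my own, not code from the page or from the TokenJar project) that replays the same regex and replacement expression over constructed HTTP messages: it extracts the token from either an Authorization header or a JSON "token" field in responses to the /v1/session path, and rewrites the Authorization header of requests sent later. The TokenJar class, the trigger path and the sample messages are assumptions for illustration.

```python
import re

# TokenJar 2.2 rule from the export above: a regex with two capture groups and
# the replacement expression "Bearer " + grp[1] + grp[2]. Group 1 matches a
# token inside an Authorization header, group 2 a token inside a JSON "token"
# field; for any single match only one of the two groups is filled.
TOKEN_REGEX = re.compile(
    r'Authorization: Bearer ([a-zA-Z0-9_.-]+)?|"token":"([a-zA-Z0-9_.-]+)?"'
)
# Assumed path of the login endpoint, as in the sample rule.
TRIGGER_PATH = "/v1/session"


def extract_token(raw_message: str):
    """Apply the rule to one HTTP message; return "Bearer <token>" or None.

    This mirrors the replacement expression: the group that did not match
    contributes an empty string, so grp[1] + grp[2] is just the token.
    """
    match = TOKEN_REGEX.search(raw_message)
    if match is None:
        return None
    token = (match.group(1) or "") + (match.group(2) or "")
    return "Bearer " + token if token else None


class TokenJar:
    """Minimal stand-in for the extension's behaviour (an assumption, not its
    code): watch browser traffic, keep the newest token seen on the trigger
    path, and rewrite the Authorization header of later Repeater/Intruder
    requests."""

    def __init__(self, trigger_path: str = TRIGGER_PATH):
        self.trigger_path = trigger_path
        self.current = None  # last "Bearer ..." value captured, if any

    def observe(self, request: str, response: str) -> None:
        # Only responses to the configured path refresh the jar; everything
        # else passes through untouched, which is why the browser session
        # must stay active for the stored token to be fresh.
        request_line = request.split("\r\n", 1)[0]
        parts = request_line.split(" ")
        if len(parts) < 2 or parts[1] != self.trigger_path:
            return
        value = extract_token(response)
        if value is not None:
            self.current = value

    def rewrite(self, request: str) -> str:
        # Swap the Authorization header for the stored token, keeping CRLFs.
        if self.current is None:
            return request
        return re.sub(
            r"(?m)^Authorization: [^\r\n]*",
            "Authorization: " + self.current,
            request,
        )


# Constructed sample traffic (not captured from any real target).
LOGIN_REQUEST = "POST /v1/session HTTP/1.1\r\nHost: api.example.test\r\n\r\n"
LOGIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
    '{"token":"eyJhbGciOiJIUzI1NiJ9.e30.sig"}'
)
API_REQUEST = (
    "GET /v1/profile HTTP/1.1\r\nHost: api.example.test\r\n"
    "Authorization: Bearer expired.token.value\r\n\r\n"
)


def demo() -> str:
    """Feed the login exchange to the jar, then rewrite a stale API request."""
    jar = TokenJar()
    jar.observe(LOGIN_REQUEST, LOGIN_RESPONSE)
    return jar.rewrite(API_REQUEST)


if __name__ == "__main__":
    print(demo())
```

Note that a login response whose body is not on the trigger path, or whose token field is empty, leaves the jar unchanged, which is exactly the desynchronisation the introduction warns about: the stored token is only as fresh as the last matching front-end request.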

ATOR

ATOR stands for Authentication Token Obtain and Replace. This extension helps you with token handling in Repeater, Intruder, Scanner and other extensions, for full weaponisation. If it reminds you of the ExtendedMacro Burp extension, you are right: the roots are there!

How to create your first configuration:

1. Error condition

  • ATOR triggers on an error condition that you define, usually an unauthorised HTTP response (40x). First, send an HTTP request carrying an expired or invalid JWT (from Proxy history) to ATOR via the context menu: Extensions -> ATOR -> Error condition.

  • Switch to the ATOR "1. Error condition" tab and click the ADD condition button.

2. Obtain Token

  • Go back to Proxy history and find the login request that returns a valid JWT access token. Use the context menu and send the request to ATOR via Extensions -> ATOR -> Obtain Token.

  • Switch to the ATOR "2. Obtain Token" tab and select the valid access token in the HTTP response on the right with the mouse.

  • Click the From selection button.

  • Fill in the Name: field with the variable name that refers to the new, valid access_token we obtained; this variable is used in the replacement step.

  • Finally, click the Add button.

3. Error Condition Replacement

  • Switch to the ATOR "3. Error Condition Replacement" tab.

  • Select the access token in the HTTP request (on the left) with the mouse and, in the right panel, click the From selection button.

  • Fill in the Name: field to name the variable that refers to the Authorization Bearer value selected in the request. You can label it as you want; this placeholder is not used further.

  • Now the most important part: assign the replacement variable that swaps the current invalid token for the valid one. Open the Extraction name: drop-down menu and choose the access_token variable defined in the previous "2. Obtain Token" step.

  • Finally, click the Add button to store the new configuration.

4. Preview

  • Move to the ATOR "4. Preview" tab, click Test, and verify the result on the Configuration tab as well.
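The four ATOR tabs above map onto a simple loop: detect the error condition, obtain a token, replace it in the failed request, and resend. Here is an added Python simulation of that loop (my own example, not ATOR's code or the page's) run against a constructed in-memory API. The class and field names, the 40x error regex, the "access_token" JSON field and the sample requests are assumptions; the lock around renewal mirrors the single-thread resource pool the page asks for.

```python
import itertools
import re
import threading
from dataclasses import dataclass


class FakeApi:
    """Constructed stand-in for the target. Only the most recently issued token
    is accepted; anything else yields the 401 that the error condition keys on."""

    def __init__(self):
        self._ids = itertools.count(1)
        self.valid_token = None
        self.login_calls = 0

    def login(self) -> str:
        # The "Obtain Token" request: constructed login response with a JSON body.
        self.login_calls += 1
        self.valid_token = f"tok-{next(self._ids)}"
        return (
            "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
            f'{{"access_token":"{self.valid_token}"}}'
        )

    def handle(self, request: str) -> str:
        match = re.search(r"^Authorization: Bearer ([^\r\n]+)", request, re.M)
        if match is None or match.group(1) != self.valid_token:
            return 'HTTP/1.1 401 Unauthorized\r\n\r\n{"error":"invalid_token"}'
        return 'HTTP/1.1 200 OK\r\n\r\n{"ok":true}'


@dataclass
class AtorConfig:
    # 1. Error condition: response pattern that triggers renewal (assumed 40x check).
    error_condition: str = r"^HTTP/1\.1 40[0-9] "
    # 2. Obtain Token: extraction regex over the login response (the access_token variable).
    extraction: str = r'"access_token":"([^"]+)"'
    # 3. Replacement: where in the failed request the extracted variable is swapped in.
    replacement: str = r"(?m)(^Authorization: Bearer )[^\r\n]+"
    max_retries: int = 1


class Ator:
    """Error condition -> obtain token -> replace -> resend, serialised with a lock."""

    def __init__(self, api: FakeApi, config: AtorConfig):
        self.api = api
        self.cfg = config
        self.renewals = 0
        self._lock = threading.Lock()  # renewal is sequential, never parallel

    def obtain_token(self) -> str:
        match = re.search(self.cfg.extraction, self.api.login())
        if match is None:
            raise RuntimeError("extraction rule did not match the login response")
        return match.group(1)

    def send(self, request: str) -> str:
        response = self.api.handle(request)
        for _ in range(self.cfg.max_retries):
            if re.match(self.cfg.error_condition, response) is None:
                break  # no error condition: pass the response through
            with self._lock:
                token = self.obtain_token()
                self.renewals += 1
            request = re.sub(self.cfg.replacement, lambda m: m.group(1) + token, request)
            response = self.api.handle(request)
        return response


# Constructed request carrying a stale token (not captured from any real target).
STALE_REQUEST = (
    "GET /v1/profile HTTP/1.1\r\nHost: api.example.test\r\n"
    "Authorization: Bearer stale.token\r\n\r\n"
)


def demo():
    """Return (status line after renewal, renewals, login calls) for one stale request."""
    api = FakeApi()
    ator = Ator(api, AtorConfig())
    response = ator.send(STALE_REQUEST)
    return response.split("\r\n", 1)[0], ator.renewals, api.login_calls


if __name__ == "__main__":
    print(demo())
```

A request that still fails after one renewal is returned as-is rather than retried forever, so a misconfigured replacement rule (for example a request with no Authorization header at all) shows up as a 401 in the Preview test instead of a login loop against the target.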

I recommend exporting your ATOR configuration, in case you restart Burp and the ATOR configuration is gone.

TokenJAR was primarily used for CSRF token testing.