
ator-burp's People

Contributors

0p71mu5, aditi-sharma27, hannah-portswigger, kashwathkumar, manikandanrkdn, portswiggersupport

ator-burp's Issues

Regex for "Extraction configuration"

Is it possible to add regex support for "Start string" and "Stop string" in the extraction configuration?
For instance, it is not possible to extract values from responses which just return tokens in their body.

"From Selection" not working every time

Hi, I found a strange behavior while working on a project with ATOR.
Currently, I try to save a refresh token, to be used later to generate a new auth- and refresh-token, to refresh the authentication.
In the extraction window, I can easily select the auth token and press "From Selection" and everything works as intended.
But when trying to save the refresh token, one line below, I can press "From Selection" as often as I want, it won't be selected. And I don't really know why. No error or output is thrown, it simply won't work.

Here is the response it's hanging on:

HTTP/1.1 200 OK
Date: Tue, 08 Dec 2020 00:00:00 GMT
Server: Apache
Strict-Transport-Security: max-age=6307000; includeSubDomains
Content-Type: application/json
Access-Control-Allow-Origin: *
Cache-Control: no-store
Pragma: no-cache
Connection: close
Content-Length: 926

{"access_token":"eyJraQWiOiJPTmNmYlBIS1A5bmdTbUlGeHk0cVN5WmxfX2xGeUs2Vk9fSEViZWpaNGRNIiwidHlwIjoiSldUIiwiYWxnIjoiRVMyNTYifQ.eyJhdWQiOiJUSFAtUHJvZCIsInN1YiI6IjEwMDAwOTJBMDEiLCJvcmciOiJDNEdPMTAwMDA5MiIsImlzcyI6IkM0Q1NTTyIsImZuYSI6IkEyIiwidHBlIjoiUEhUZ0lDSUFOIiwiZXhwIjoxNjA3NDI2MDAyLCJpYXQiOjE2MDc0MjU5ODcsImp0aSI6IjhzUklscnN6X0RfNExvalZmV0x6TTJUSWs3UFktSDVJa1BYbFpFTmhrWTgiLCJsbmEiOiJQRU5fQXJ6dF8yIn0.BOu7kWMwV83RZkN9yDwYmIwLJiI0iAU7CRPNG6QKMXvHcNDktlnUcA4F0feHAM_2G9ctqKSZ-hsbhPg0qUZ16w","refresh_token":"eyJraWQiOiJPTmNmYlBIS1A5bmdTbUlGeHk0cVN5WmxfX2xGeUs2Vk9fSEViZWpaNGRNIiwidHlwIjoiSldUIiwiYWxnIjoiRVMyNTYifQ.eyJvaWQiOiI4c1JJbHJzel9EXzRMb2pWZldMek0yVElrN1BZLUg1SWtQWGxaRU5oa1k4IiwiZXhwIjoxNjA3NDMxOTUxLCJqdGkiOiJmOEhHVXNhZ1pNcm9SOGVpejkzQzhtQmpqWnFfNzVrcHg2OHBvS2JtSlM4In0.dKvIsLRJZ2yDD8QR-4MO-otOiFrXYECPGtENdMJeJrlCbKdCKISGWS85z9PNN8-AoI1mnBkvJ4obSG4sYI6_tA","scope":"read write","token_type":"Bearer","expires_in":1500}

ClassNotFoundException: burp.BurpExtender

Hi, I'm just trying your plugin but receive this error when loading the .jar into Burp

java.lang.ClassNotFoundException: burp.BurpExtender
at java.base/java.net.URLClassLoader.findClass(URLClassLoader.java:436)
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:588)
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
at java.base/java.lang.Class.forName0(Native Method)
at java.base/java.lang.Class.forName(Class.java:416)
at burp.gbx.a(Unknown Source)
at burp.gbx.(Unknown Source)
at burp.gvv.a(Unknown Source)
at burp.elq.lambda$panelLoaded$0(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:830)

This is my Java env:
java version "1.8.0_251"
Java(TM) SE Runtime Environment (build 1.8.0_251-b08)
Java HotSpot(TM) 64-Bit Server VM (build 25.251-b08, mixed mode)

This is my Burp version:
2020.4.1

I used the ator-v2.jar from ATOR-Burp/bin/latest/

ATOR looping

It would be nice to have some protection for ATOR to prevent looping requests. This has happened to me in two cases, both with Bearer token:

  1. I set up ATOR for new Bearer token update and for some reason I remove it in repeater to see if the endpoint requires the authentication - it starts looping as the regex can't be matched - this can be fixed by proper regex settings but it is not intuitive.
  2. While testing IDOR I got a message from the server: 401 User "XXX is not associated with "YYY". And ATOR again keeps trying to update the Bearer but gets the same response all over again and ends up in a loop.

Solution:
Count max retries for one request. However I guess there can be some implementation challenges.
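
One way to implement the retry cap proposed above, as an added example that is not part of the original issue and not ATOR's code. `ReplayGuard`, `key` and `mayReplay` are hypothetical names, and the scenario in `main` is constructed.

```java
import java.util.Arrays;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

public class ReplayGuard {
    private final int maxRetries;
    private final Map<String, AtomicInteger> attempts = new ConcurrentHashMap<>();

    ReplayGuard(int maxRetries) { this.maxRetries = maxRetries; }

    // Hypothetical definition of "one request": method, URL and a hash of the body.
    static String key(String method, String url, byte[] body) {
        return method + " " + url + " " + Arrays.hashCode(body);
    }

    // Call when a response matches the error condition. Returns true while the
    // obtain-token-and-replay cycle may run again for this request.
    boolean mayReplay(String key) {
        AtomicInteger n = attempts.computeIfAbsent(key, k -> new AtomicInteger());
        return n.incrementAndGet() <= maxRetries;
    }

    // Call when the replayed request no longer matches the error condition,
    // so a later token expiry on the same request gets a fresh budget.
    void succeeded(String key) { attempts.remove(key); }

    public static void main(String[] args) {
        ReplayGuard guard = new ReplayGuard(3);
        String k = key("GET", "https://app.example/api/items/42", new byte[0]);
        // Constructed scenario: every replay still gets a 401 (case 2 above),
        // so without the guard this loop would never end.
        int replays = 0;
        while (guard.mayReplay(k)) {
            replays++; // refresh token, resend, response is 401 again
        }
        System.out.println("replays sent before giving up: " + replays);
    }
}
```

Bounding replays per request also bounds what reaches the Logger when a refresh cannot succeed.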

Replacement IN box

Hi! Is the replacement in dropdown menu still used, like showcased in the video? In my current UI it doesn't show up:

image

Wanted to confirm if it was removed or it's a problem with my UI :)

Thank you!

Hi @kashwathkumar Thank you for this awesome plugin. I haven't used it yet but I have read the medium article and watched the demo on YouTube and it looks pretty promising. 🎉

I have one feature request, though, that would make this even more awesome. While the UI is great for testing out one-off pentest engagements, in large organizations security teams might need to create multiple configurations so that they can reuse them later on a per-application basis.

I was thinking if it would be possible for you to create a feature for exporting ATOR configs as JSON/YAML files and then import them later. And be able to import multiple configs which trigger based on applications/url patterns e.g. JSON configs which also include a scope array of URL patterns that shall indicate which config to use when the requests match a specific pattern i.e. a config may be reused for multiple hosts such as *.example.com and another config is useful for api.example.com/v1/*. Hope you get the idea. And it would be even better if you can expose this config import/export API via Extender so that other plugins can rely on your plugin to create sophisticated automation.

Do let me know what you guys think and kudos to both of you for all the hard work. Cheers 🍻

Feature Request

Hello synopsys-sig, may you refer to the characteristics of autorepeater and add some functions, such as selecting the request header and request body. When this feature is matched with a regular expression, it will automatically replace the desired request. This function is suitable for use to test unauthorized and unauthorized.

Limiting the Logger

Hi,
when ATOR gets stuck in a loop (happens sometimes), the Logger window gets thousands and thousands of requests.
Would it be possible to have an option to limit the maximum log entries (much like Logger++)? Otherwise it seems that ATOR crashes the entire Burp instance...
Thanks for consideration:)

Failure to replace 2 tokens in the condition replacement

I am replacing 2 tokens in a single request, one is the session cookie, and the other one is a CSRF token from a custom header.
When fetching the tokens from selection, it extracts only one currently selected. If I select the second CSRF token, it will be replaced with the first session token, and the first session token won't be replaced.

Steps:

  1. Error condition request requires 2 tokens, a session cookie, and CSRF in a custom header.
  2. Obtain a session token with a login request and response with a set-cookie header.
  3. Obtain a CSRF token with a second request that requires the session token, and respond with a custom header containing the CSRF token.
  4. In the Condition request replacement, select the session token in the cookie header and replace it with the first session token.
  5. Then select the CSRF token from the custom header and replace it with the extracted CSRF token.
  6. Result - the final request is sent without replacing the session cookie, and the CSRF token header gets replaced with the session token.

Sorry that I cannot share a screenshot.

ATOR failing to pull Access Token and replace Auth. Bearer in Request.

Attempting to pull the access token from the request below:

HTTP/2 200 OK
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Date: Fri, 19 Nov 2021 21:38:13 GMT
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: application/json; charset=utf-8
Vary: Origin
Vary: X-Origin
Vary: Referer
Server: scaffolding on HTTPServer2
Content-Length: 1372
X-Xss-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"

{
  "access_token": "ya29.a0ARrdaM-xZscNDMYR6LZ5xSoAAPUIWkKd5-9Nd4mwBCoyBDhoAnGjmYUm9Y0FtQ49p3OXp2u-0_Dupw10N0uls6Vi75Blc10GdN2WoGufXEIciPWdoxAfkg-b-1FuvOlxGjCgouoOBC_NFMaZgwD5xmwMncuyJHoOFYPtmQ",
  "expires_in": 3599,
  "scope": "[REDACTED]"
  "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjAzMmIyZWYzZDJjMjgwNjE1N2Y4YTliOWY0ZWY3Nzk4MzRmODVhZGEiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJhenAiOiIzMjU1NTk0MDU1OS5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsImF1ZCI6IjMyNTU1OTQwNTU5LmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwic3ViIjoiMTAyOTA1MDgxMDg0MTQyMjk1MTA5IiwiaGQiOiJjZnBlbnRlc3QwMi5jb20iLCJlbWFpbCI6InJpZ2dpbnNAY2ZwZW50ZXN0MDIuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImF0X2hhc2giOiI1cnlvMjcwQ2xxTVpWWWtvUDJ3NVB3IiwiaWF0IjoxNjM3MzU3ODkzLCJleHAiOjE2MzczNjE0OTN9.Gr2yDCZ_OYnBd51VEyKX27H4wZGPwhbG9QgaSQUfrdgFSSqkkzPVtMw_WFPKFHlkpN27iwZskn9yOQc716PVjoXsDZ94kfZHpGqOQ05mVHc_3QJ4dVh2sNH-s3w8vftyXFYw4XyqpwICc9bCUT5spVIBqRuoLQyIrj_yXjpchtZ7nzMn5gvr2zJmTRuUXghGJmO04RI-mSdRCNEmJnB1nvKPyjWOznndjnYVTCYpsllTMcivpd9T-_bI67EInnJ_Zmq3vzDcUHgK_tRpatGY_GTjXGb5NpNQjxXeTNrNafKoumidh2ITe0naQ3cKUctRtSD9H-vcs-hRT2NJIuGrjA"
}

I have tried using the following setup guides for the ATOR plugin:
https://www.synopsys.com/blogs/software-security/ator-burp-plugin-login-sequences/
https://medium.com/@kashwathkumar/authentication-token-obtain-and-replace-ator-burp-plugin-fast-and-reliable-plugin-to-handle-b19e3621c6a7
https://www.youtube.com/watch?v=h1p2rvooTL0&t=6s&ab_channel=ashwathkumar

Also tried various filters to see if it was an issue with the pattern in the setup process. Additionally, I have deduced that in the Logger for the plugin that the Token auth Request is being made successfully, but the new access_token is not dropping into the Request. I attempted to use a longer string to the left and right of the From Selection filter, but still no success. Any suggestions would be most appreciated.

"Error Condition Replacement" cannot suppose request body

In the step:

3. Error Condition Replacement: Mark the trigger condition and also mark the place on request where replacement needs to be taken (map the extraction)

In fact, I could not choose position in HTTP request Body anyway! So sad.

I could choose position in HTTP request headers only.

Is it designed?

Will you support this function as soon as possible?

Thanks.

Auto update Content-Length header value while sending request from ATOR

When sending a request with modified response data, the content length in the request header should automatically be updated based on the length of data being sent.

This is causing issues when the data to be inserted in the next request is of variable length.

Let's consider the below scenario during configuration:
Request1 -> Response1 (data fetched of length 8 chars)
Request2 (sent with data of 8 chars) -> Result Response.
Here, the Content-Length of 8 characters is saved in the config by default.

Now let's consider the above scenario with data fetched greater than 8 chars:
Request1 -> Response1 (data fetched of length 15 chars)
Request2 (sent with data of 15 chars) -> Error Result
Here only the first 8 characters among 15 were sent as the original Content-Length value saved in the config was 8 chars. Hence, the server is getting less than the expected data, resulting in an error.

In the below example, due to content length issue, the end "} is being truncated by ATOR and not being sent to server (even if it is shown in logger):
image
(got to know the actual value being sent in fiddler as logger was showing that expected data is being sent)

Expected Request Data to be sent by ATOR:
image

Binary POST body wrongfully manipulated

I'm working on a web application, which takes zip-files in the POST body.

I noticed ATOR (2.1.0 from the burp app store) wrongfully replaces a number of non-printable characters in the binary blob, which results in unreadable files.

For example 0x96, 0x86, 0x90, 0x92, 0x9a, 0x89, 0x8b, 0x9e, 0x99, 0x93, 0x88, 0x87 or 0x8f all become 0x3f, after being sent by the repeater and processed by ATOR.
The plugin is loaded with the default configuration, thus the request worked in the proxy, but fails through the repeater for me.

Unfortunately I can't share the web application or uploaded document, due to an NDA, but the issue should be reproducible with any POST w/ binary data including hex values as noted above.
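
The two reports above (a stale Content-Length after a variable-length replacement, and binary bytes arriving as 0x3f) can both be avoided by replacing on raw bytes and recomputing the header, shown here as an added example that is not ATOR's code. `ByteSafeReplace` and its methods are hypothetical, the request is constructed, and the US-ASCII `String` round trip is only one assumed way the 0x3f symptom can arise.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class ByteSafeReplace {
    static final byte[] CRLF2 = {'\r', '\n', '\r', '\n'};
    // Index of the first occurrence of needle in hay, or -1.
    static int indexOf(byte[] hay, byte[] needle) {
        outer:
        for (int i = 0; i <= hay.length - needle.length; i++) {
            for (int j = 0; j < needle.length; j++)
                if (hay[i + j] != needle[j]) continue outer;
            return i;
        }
        return -1;
    }
    // Swap oldTok for newTok in the body without ever decoding the body to a
    // String, then set Content-Length to the size of the body actually sent.
    static byte[] replaceInBody(byte[] req, byte[] oldTok, byte[] newTok) {
        int split = indexOf(req, CRLF2);
        int at = split < 0 ? -1 : indexOf(Arrays.copyOfRange(req, split + 4, req.length), oldTok);
        if (at < 0) return req; // no body or token absent: send unchanged
        int bodyStart = split + 4, tokStart = bodyStart + at, tokEnd = tokStart + oldTok.length;
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        body.write(req, bodyStart, at);
        body.write(newTok, 0, newTok.length);
        body.write(req, tokEnd, req.length - tokEnd);
        // ISO-8859-1 maps every byte to one char and back, so the header round trip is lossless.
        String head = new String(req, 0, split, StandardCharsets.ISO_8859_1)
            .replaceAll("(?im)^Content-Length:.*$", "Content-Length: " + body.size());
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] h = (head + "\r\n\r\n").getBytes(StandardCharsets.ISO_8859_1);
        out.write(h, 0, h.length);
        out.write(body.toByteArray(), 0, body.size());
        return out.toByteArray();
    }

    public static void main(String[] args) {
        // Constructed request: 8-char placeholder token, then the bytes 0x96 0x8f 0x90.
        byte[] text = "POST /upload HTTP/1.1\r\nContent-Length: 11\r\n\r\nAAAAAAAA"
            .getBytes(StandardCharsets.US_ASCII);
        byte[] req = Arrays.copyOf(text, text.length + 3);
        req[text.length] = (byte) 0x96; req[text.length + 1] = (byte) 0x8f; req[text.length + 2] = (byte) 0x90;
        // Lossy path: bytes the charset cannot represent come back as '?'.
        byte[] lossy = new String(req, StandardCharsets.US_ASCII).getBytes(StandardCharsets.US_ASCII);
        byte[] fixed = replaceInBody(req, "AAAAAAAA".getBytes(StandardCharsets.US_ASCII),
            "BBBBBBBBBBBBBBB".getBytes(StandardCharsets.US_ASCII)); // 15-char token
        System.out.printf("last byte via String: %02x, via bytes: %02x%n",
            lossy[lossy.length - 1], fixed[fixed.length - 1]);
        System.out.println(new String(fixed, 0, indexOf(fixed, CRLF2), StandardCharsets.ISO_8859_1));
    }
}
```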
