ator-burp's Issues
Regex for "Extraction configuration"
Is it possible to add regex support for "Start string" and "Stop string" in the extraction configuration?
For instance, it is not possible to extract values from responses which just return tokens in their body.
"From Selection" not working every time
Hi, I found a strange behavior while working on a project with ATOR.
Currently, I try to save a refresh token, to be used later to generate a new auth- and refresh-token, to refresh the authentication.
In the extraction window, I can easily select the auth token and press "From Selection" and everything works as intended.
But when trying to save the refresh token, one line below, I can press "From Selection" as often as I want, it won't be selected. And I don't really know why. No error or output is thrown, it simply won't work.
Here is the response it's hanging on:
HTTP/1.1 200 OK
Date: Tue, 08 Dec 2020 00:00:00 GMT
Server: Apache
Strict-Transport-Security: max-age=6307000; includeSubDomains
Content-Type: application/json
Access-Control-Allow-Origin: *
Cache-Control: no-store
Pragma: no-cache
Connection: close
Content-Length: 926
{"access_token":"eyJraQWiOiJPTmNmYlBIS1A5bmdTbUlGeHk0cVN5WmxfX2xGeUs2Vk9fSEViZWpaNGRNIiwidHlwIjoiSldUIiwiYWxnIjoiRVMyNTYifQ.eyJhdWQiOiJUSFAtUHJvZCIsInN1YiI6IjEwMDAwOTJBMDEiLCJvcmciOiJDNEdPMTAwMDA5MiIsImlzcyI6IkM0Q1NTTyIsImZuYSI6IkEyIiwidHBlIjoiUEhUZ0lDSUFOIiwiZXhwIjoxNjA3NDI2MDAyLCJpYXQiOjE2MDc0MjU5ODcsImp0aSI6IjhzUklscnN6X0RfNExvalZmV0x6TTJUSWs3UFktSDVJa1BYbFpFTmhrWTgiLCJsbmEiOiJQRU5fQXJ6dF8yIn0.BOu7kWMwV83RZkN9yDwYmIwLJiI0iAU7CRPNG6QKMXvHcNDktlnUcA4F0feHAM_2G9ctqKSZ-hsbhPg0qUZ16w","refresh_token":"eyJraWQiOiJPTmNmYlBIS1A5bmdTbUlGeHk0cVN5WmxfX2xGeUs2Vk9fSEViZWpaNGRNIiwidHlwIjoiSldUIiwiYWxnIjoiRVMyNTYifQ.eyJvaWQiOiI4c1JJbHJzel9EXzRMb2pWZldMek0yVElrN1BZLUg1SWtQWGxaRU5oa1k4IiwiZXhwIjoxNjA3NDMxOTUxLCJqdGkiOiJmOEhHVXNhZ1pNcm9SOGVpejkzQzhtQmpqWnFfNzVrcHg2OHBvS2JtSlM4In0.dKvIsLRJZ2yDD8QR-4MO-otOiFrXYECPGtENdMJeJrlCbKdCKISGWS85z9PNN8-AoI1mnBkvJ4obSG4sYI6_tA","scope":"read write","token_type":"Bearer","expires_in":1500}
ClassNotFoundException: burp.BurpExtender
Hi, I'm just trying your plugin but receive this error when loading the .jar into Burp:
java.lang.ClassNotFoundException: burp.BurpExtender
at java.base/java.net.URLClassLoader.findClass(URLClassLoader.java:436)
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:588)
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
at java.base/java.lang.Class.forName0(Native Method)
at java.base/java.lang.Class.forName(Class.java:416)
at burp.gbx.a(Unknown Source)
at burp.gbx.(Unknown Source)
at burp.gvv.a(Unknown Source)
at burp.elq.lambda$panelLoaded$0(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:830)
This is my Java env:
java version "1.8.0_251"
Java(TM) SE Runtime Environment (build 1.8.0_251-b08)
Java HotSpot(TM) 64-Bit Server VM (build 25.251-b08, mixed mode)
This is my Burp version:
2020.4.1
I used the ator-v2.jar from ATOR-Burp/bin/latest/
ATOR looping
It would be nice to have some protection for ATOR to prevent looping requests. This has happened to me in two cases, both with Bearer token:
- I set up ATOR for new Bearer token update and for some reason I remove it in repeater to see if the endpoint requires the authentication - it starts looping as the regex can't be matched - this can be fixed by proper regex settings but it is not intuitive.
- While testing IDOR I got a message from the server: 401 User "XXX is not associated with "YYY". And ATOR again keeps trying to update the Bearer but gets the same response all over again and ends up in a loop.
Solution:
Count max retries for one request. However, I guess there can be some implementation challenges.
Replacement IN box
Thank you!
Hi @kashwathkumar Thank you for this awesome plugin. I haven't used it yet but I have read the medium article and watched the demo on YouTube and it looks pretty promising.
I have one feature request, though, that would make this even more awesome. While the UI is great for testing out one-off pentest engagements, in large organizations, security teams might need to create multiple configurations so that they can reuse them later on a per application basis.
I was thinking if it would be possible for you to create a feature for exporting ATOR configs as JSON/YAML files and then import them later. And be able to import multiple configs which trigger based on applications/url patterns, e.g. JSON configs which also include a scope array of URL patterns that shall indicate which config to use when the requests match a specific pattern, i.e. a config may be reused for multiple hosts such as *.example.com and another config is useful for api.example.com/v1/*. Hope you get the idea. And it would be even better if you can expose this config import/export API via Extender so that other plugins can rely on your plugin to create sophisticated automation.
Do let me know what you guys think and kudos to both of you for all the hard work. Cheers
Feature Request
Hello synopsys-sig, could you refer to the characteristics of autorepeater and add some functions, such as selecting the request header and request body? When this feature is matched with a regular expression, it will automatically replace the desired request. This function is suitable for use to test unauthorized and unauthorized.
Limiting the Logger
Hi,
when ATOR gets stuck in a loop (happens sometimes), the Logger window gets thousands and thousands of requests.
Would it be possible to have an option to limit the maximum log entries (much like Logger++)? Otherwise it seems that ATOR crashes the entire Burp instance...
Thanks for consideration:)
Failure to replace 2 tokens in the condition replacement
I am replacing 2 tokens in a single request, one is the session cookie, and the other one is a CSRF token from a custom header.
When fetching the tokens from selection, it extracts only one currently selected. If I select the second CSRF token, it will be replaced with the first session token, and the first session token won't be replaced.
Steps:
- Error condition request requires 2 tokens, a session cookie, and CSRF in a custom header.
- Obtain a session token with a login request and response with a set-cookie header.
- Obtain a CSRF token with a second request that requires the session token, and respond with a custom header containing the CSRF token.
- In the Condition request replacement, select the session token in the cookie header and replace it with the first session token.
- Then select the CSRF token from the custom header and replace it with the extracted CSRF token.
- Result - the final request is sent without replacing the session cookie, and the CSRF token header gets replaced with the session token.
Sorry that I cannot share a screenshot.
Add Timestamp in ATOR Logger
ATOR failing to pull Access Token and replace Auth. Bearer in Request.
Attempting to pull the access token from the request below:
HTTP/2 200 OK
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Date: Fri, 19 Nov 2021 21:38:13 GMT
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: application/json; charset=utf-8
Vary: Origin
Vary: X-Origin
Vary: Referer
Server: scaffolding on HTTPServer2
Content-Length: 1372
X-Xss-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
{
"access_token": "ya29.a0ARrdaM-xZscNDMYR6LZ5xSoAAPUIWkKd5-9Nd4mwBCoyBDhoAnGjmYUm9Y0FtQ49p3OXp2u-0_Dupw10N0uls6Vi75Blc10GdN2WoGufXEIciPWdoxAfkg-b-1FuvOlxGjCgouoOBC_NFMaZgwD5xmwMncuyJHoOFYPtmQ",
"expires_in": 3599,
"scope": "[REDACTED]"
"id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjAzMmIyZWYzZDJjMjgwNjE1N2Y4YTliOWY0ZWY3Nzk4MzRmODVhZGEiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJhenAiOiIzMjU1NTk0MDU1OS5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsImF1ZCI6IjMyNTU1OTQwNTU5LmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwic3ViIjoiMTAyOTA1MDgxMDg0MTQyMjk1MTA5IiwiaGQiOiJjZnBlbnRlc3QwMi5jb20iLCJlbWFpbCI6InJpZ2dpbnNAY2ZwZW50ZXN0MDIuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImF0X2hhc2giOiI1cnlvMjcwQ2xxTVpWWWtvUDJ3NVB3IiwiaWF0IjoxNjM3MzU3ODkzLCJleHAiOjE2MzczNjE0OTN9.Gr2yDCZ_OYnBd51VEyKX27H4wZGPwhbG9QgaSQUfrdgFSSqkkzPVtMw_WFPKFHlkpN27iwZskn9yOQc716PVjoXsDZ94kfZHpGqOQ05mVHc_3QJ4dVh2sNH-s3w8vftyXFYw4XyqpwICc9bCUT5spVIBqRuoLQyIrj_yXjpchtZ7nzMn5gvr2zJmTRuUXghGJmO04RI-mSdRCNEmJnB1nvKPyjWOznndjnYVTCYpsllTMcivpd9T-_bI67EInnJ_Zmq3vzDcUHgK_tRpatGY_GTjXGb5NpNQjxXeTNrNafKoumidh2ITe0naQ3cKUctRtSD9H-vcs-hRT2NJIuGrjA"
}
I have tried using the following setup guides for the ATOR plugin:
https://www.synopsys.com/blogs/software-security/ator-burp-plugin-login-sequences/
https://medium.com/@kashwathkumar/authentication-token-obtain-and-replace-ator-burp-plugin-fast-and-reliable-plugin-to-handle-b19e3621c6a7
https://www.youtube.com/watch?v=h1p2rvooTL0&t=6s&ab_channel=ashwathkumar
Also tried various filters to see if it was an issue with the pattern in the setup process. Additionally, I have deduced from the Logger for the plugin that the Token auth Request is being made successfully, but the new access_token is not dropping into the Request. I attempted to use a longer string to the left and right of the From Selection filter, but still no success. Any suggestions would be most appreciated.
"Error Condition Replacement" cannot support request body
In the step:
3.Error Condition Replacement: Mark the trigger condition and also mark the place on request where replacement needs to taken (map the extraction)
In fact, I could not choose position in HTTP request Body anyway! So sad.
I could choose position in HTTP request headers only.
Is it designed?
Will you support this function as soon as possible?
Thanks.
Auto update Content-Length header value while sending request from ATOR
When sending a request with modified response data, the content length in the request header should automatically be updated based on the length of data being sent.
This is causing issues when the data to be inserted in the next request is of variable length.
Let's consider the below scenario during configuration:
Request1 -> Response1 (data fetched of length 8 chars)
Request2 (sent with data of 8 chars) -> Result Response.
Here, the Content-Length of 8 characters is saved in the config by default.
Now let's consider the above scenario with data fetched greater than 8 chars:
Request1 -> Response1 (data fetched of length 15 chars)
Request2 (sent with data of 15 chars) -> Error Result
Here only the first 8 characters among 15 were sent as the original Content-Length value saved in the config was 8 chars. Hence, the server is getting less than the expected data, resulting in an error.
In the below example, due to the content length issue, the ending "} is being truncated by ATOR and not being sent to the server (even if it is shown in the logger):
(got to know the actual value being sent in fiddler as logger was showing that expected data is being sent)
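The truncation described in this issue, reproduced offline as an added example (not code from ATOR or from the reporter): a saved request is re-sent with a longer substituted value, once with the stale Content-Length and once with the length recomputed from the body bytes. The host, path, and `code` field are constructed placeholders.

```python
CRLF = b"\r\n"

def split_request(raw: bytes):
    """Split a raw HTTP/1.1 request into header lines and body bytes."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("no header/body separator found")
    return head.split(CRLF), body

def is_content_length(line: bytes) -> bool:
    return line.partition(b":")[0].strip().lower() == b"content-length"

def declared_length(raw: bytes) -> int:
    lines, _ = split_request(raw)
    for line in lines[1:]:  # skip the request line
        if is_content_length(line):
            return int(line.partition(b":")[2].strip())
    return 0

def body_as_server_reads_it(raw: bytes) -> bytes:
    """A server honouring Content-Length reads exactly that many body bytes."""
    _, body = split_request(raw)
    return body[:declared_length(raw)]

def substitute(raw: bytes, old: bytes, new: bytes, fix_length: bool = True) -> bytes:
    """Replace `old` with `new` in the body; optionally recompute Content-Length."""
    lines, body = split_request(raw)
    body = body.replace(old, new)
    if fix_length:
        lines = [lines[0]] + [l for l in lines[1:] if not is_content_length(l)]
        lines.append(b"Content-Length: %d" % len(body))  # bytes, not characters
    return CRLF.join(lines) + CRLF + CRLF + body

# Constructed sample: the saved Request2 carries an 8-character value.
SAVED_BODY = b'{"code":"AAAAAAAA"}'
SAVED = CRLF.join([
    b"POST /api/step2 HTTP/1.1",
    b"Host: app.example.test",
    b"Content-Type: application/json",
    b"Content-Length: %d" % len(SAVED_BODY),
]) + CRLF + CRLF + SAVED_BODY

if __name__ == "__main__":
    fetched = b"B" * 15  # Response1 now returns 15 characters
    stale = substitute(SAVED, b"A" * 8, fetched, fix_length=False)
    fixed = substitute(SAVED, b"A" * 8, fetched)
    print("stale:", body_as_server_reads_it(stale))
    print("fixed:", body_as_server_reads_it(fixed))
```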
Binary POST body wrongfully manipulated
I'm working on a web application, which takes zip-files in the POST body.
I noticed ATOR (2.1.0 from the burp app store) wrongfully replaces a number of non-printable characters in the binary blob, which results in unreadable files.
For example 0x96, 0x86, 0x90, 0x92, 0x9a, 0x89, 0x8b, 0x9e, 0x99, 0x93, 0x88, 0x87 or 0x8f all become 0x3f, after being sent by the repeater and processed by ATOR.
The plugin is loaded with the default configuration, thus the request worked in the proxy, but fails through the repeater for me.
Unfortunately I can't share the web application or uploaded document, due to an NDA, but the issue should be reproducible with any POST w/ binary data including hex values as noted above.
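Every byte value listed in this report lies in the range 0x80-0x9f. The added example below (not ATOR's code) reproduces the same symptom under an assumed cause, a request body decoded to text with one charset and re-encoded with another, and includes a helper to locate the damaged offsets when comparing a sent body against what was received. The sample body is constructed.

```python
# Byte values the reporter saw turned into 0x3f ('?'); all lie in 0x80-0x9f.
REPORTED = bytes([0x96, 0x86, 0x90, 0x92, 0x9a, 0x89, 0x8b,
                  0x9e, 0x99, 0x93, 0x88, 0x87, 0x8f])

def lossy_round_trip(body: bytes) -> bytes:
    """Assumed failure mode: decode with one charset, encode with another.

    Latin-1 maps 0x80-0x9f to U+0080-U+009F, which cp1252 cannot encode,
    so the encoder substitutes '?' (0x3f) for each of them.
    """
    return body.decode("latin-1").encode("cp1252", errors="replace")

def lossless_round_trip(body: bytes) -> bytes:
    """Same charset both ways: Latin-1 is a 1:1 mapping for all 256 byte values."""
    return body.decode("latin-1").encode("latin-1")

def damaged_bytes(sent: bytes, received: bytes):
    """Return (offset, original_value) for every byte that arrived as 0x3f."""
    if len(sent) != len(received):
        raise ValueError("length changed; compare Content-Length first")
    return [(i, a) for i, (a, b) in enumerate(zip(sent, received))
            if a != b and b == 0x3F]

# Constructed sample body: ZIP local-file-header magic, the reported byte
# values, then bytes outside 0x80-0x9f that survive either round trip.
SAMPLE = b"PK\x03\x04" + REPORTED + b"\x00\x7f\xa0\xe9\xff"

if __name__ == "__main__":
    received = lossy_round_trip(SAMPLE)
    for offset, value in damaged_bytes(SAMPLE, received):
        print(f"offset {offset}: 0x{value:02x} -> 0x3f")
    print("lossless intact:", lossless_round_trip(SAMPLE) == SAMPLE)
```

Handling the body as raw bytes from end to end, or using a single 1:1 charset for both directions, avoids the substitution.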