Authentication Token Obtain and Replace (ATOR) Burp Plugin: Fast and Reliable plugin to handle Complex Login Sequences — Part 2

This post will be a continuation of the previous post. Highly recommend you read the previous post.

Scenarios

We will cover the below scenarios for the plugin:

  1. Multi-step login — when there is more than one request for login (think email address on first page and password on second) — google login is a good example.
  2. Multi-token replacement — more than one token has to be replaced from say response 1 to request 2. (Tokens like accountId, accountToken, authToken, authSecret)
  3. Commonly used Regex Patterns — we also mention a few commonly used regex patterns

Sample Application Background

We picked a website listed on bugcrowd because this website had both multi-step login and multiple tokens to be replaced. This was a perfect example to demonstrate the ability of the plugin.

Request/Response and Parameters

The screenshot above shows about the requests for the login process:

  1. [# 1820] — create_session -> posts the email address (login screen 1)
  2. [# 1822] — present_credentials -> posts the password (login screen 2)
  3. [# 1823] — get_session_cookies -> post authenticated page which gets session cookies

Request 1: create_session

Request: email address is passed

Response: If email address is valid then an authToken [highlighted in pink] is retrieved. Let us call this token1

Request 2: present_credentials

Request: along with the password, the token1 parameter from Response 1 has to be passed in both: [highlighted in pink]

  • Header: authorization
  • Post body: authToken

Response: If the password and the tokens are valid the response will have two tokens:

  • authToken: let us call this export_token1 [highlighted in blue]
  • accountId: let us call this account_token [highlighted in green]

Request 3: get_session_cookies

Request: Two parameters from previous response has to be passed in JSON body:

  • authToken: this will be the same as export_token1 [highlighted in blue]
  • accountId: this will be the same as account_token [highlighted in green]

Response: If all parameters are valid: status code is 200 OK else status code is 401 Unauthorized

To summarize the above steps, the following replacements need to happen for a successful login:

  1. Request 2 present_credentials: AuthToken from response 1 must be replicated in both the header and body parameter [pink box]
  2. Request 3 get_session_cookies: authToken from response 2 must be replicated in the body [blue box]
  3. Request 3 get_session_cookies: accountId from response 2 must be replicated in the body [green box]

This step is critical during setup because it is very easy to miss a tiny tiny detail.

ATOR Setup

Now that we have understood the setup and the replacements to be done,

Let us follow the 4 step process:

  1. Identify the login sequence (from proxy or repeater) and send to ATOR
  2. Identify the Error Pattern (details in section below)
  3. Obtain the data from the response using regex (see sample regex values)
  4. Replace this data on the request (use same regex as step 3 along with the variable name)

Step 1: Identify the login sequence

Send both Request 1 (create_session)& Request 2 (present_credentials)to ATOR from Proxy or Repeater.

1st replacement:

Request 2 present_credentials: AuthToken from response 1 must be replicated in both the header and body parameter [pink box]

2nd replacement:

Request 3 get_session_cookies: authToken from response 2 must be replicated in the body [blue box]

Export this value so that it can be plugged into get_session_cookies whenever this request is made. We have only exported this value, the replacement will happen in step 4.

3rd replacement:

Request 3 get_session_cookies: accountId from response 2 must be replicated in the body [green box]

Export this value so that it can be plugged into get_session_cookies whenever this request is made. We have only exported this value, the replacement will happen in step 4.

Step 2: Identify error pattern

A 401 is returned whenever the session has expired.

Setup the error condition in ATOR

Step 3: Specify Regex pattern for replacement of token

Step 4: Replace this data on the request

We have combined steps 3 and 4 for ease of screenshots. Remember we had exported two values (export_token1 and account_token1) in step 1. Time to use regex and plug-in those values in the right place. Both of these tokens are export-values that will be stored in memory. The plugin will replace the tokens whenever an error condition occurs. More about this is explained in the In-Memory Replacement section.

Regex used:

In the section below we will explain more about regex and provide a few examples.

We have now setup the replacement rules for both the tokens. So all the 3 replacements are now taken care of.

Working of the Plugin

Let us trigger a request of get_session_cookies with invalid tokens (Request 141 — authToken and accountId) i.e. we have forced a logout. With the plugin now setup, let us look at the flow of requests in the Flow Extender.

Request 141 with invalid cookies triggered requests 142 and 143 in the background and tokens were exported. The request get_session_cookies is replayed (144) with the exported tokens and a 200 OK is received.

In-Memory Replacement

We have been talking about speed and in-memory replacement. The export-values (usually authtokens and accesstokens) as explained in Step 4 are replaced whenever an error condition occurs. These export-values are stored in memory and additional network requests are not sent every time an error condition occurs.

Let us see it in action now. We have triggered the same request with invalid tokens (with invalid accountId and authToken) twice (request 145, 146). No additional network requests were sent because the plugin had these export- values (accountId, authToken) in memory.

Regex

Regex can be confusing and scary to look at. Below is how we derived at the regex for the authToken in this example.

We have added a couple other examples

There will be a part 3 where we will talk about using ATOR for Anti-CSRF Tokens.

Authors

Ashwath Reddy (@ka3hk) — Principal Consultant at Synopsys

Manikandan Rajappan (www.linkedin.com/in/mani2raj) — Consultant at Synopsys

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store