1. Support Center
  2. BApp Store
  3. Authentication Token Obtain and Replace
Professional Community

Authentication Token Obtain and Replace

The plugin is created to help automated scanning using Burp in the following scenarios:

  1. Access/Refresh token
  2. Token replacement in XML,JSON body
  3. Token replacement in cookies
    The above can be achieved using complex macro, session rules or Custom Extender in some scenarios. The rules become tricky and do not work in scenarios where the replacement text is either JSON, XML.

Key advantages:

  1. We have also achieved in-memory token replacement to avoid duplicate login requests like in both custom extender, macros/session rules.
  2. Easy UX to help obtain data (from response) and replace data (in requests) using regex. This helps achieve complex scenarios where response body is JSON, XML and the request text is also JSON, XML, form data etc.
  3. Scan speed - the scan speed increases considerably because there are no extra login requests. There is something called the "Trigger Request" which is the error condition (also includes regex) when the login requests are triggered. The error condition can include (response code = 401 and body contains "Unauthorized request")

For more detailed usage instructions, please refer to the GitHub.

Author Synopsis-Sig
Version 2.0
Last updated 12 June 2020

You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

You can view the source code for this BApp by visiting our GitHub page.
Follow @BApp_Store on Twitter to receive notifications of all BApp releases and updates.
Download BApp

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.

Go back to BappStore