synopsys-sig / ATOR-Burp


"From Selection" not working every time #6

Open KoEnix opened 3 years ago

KoEnix commented 3 years ago

Hi, I found a strange behavior while working on a project with ATOR. Currently, I try to save a refresh token, to be used later to generate a new auth- and refresh-token, to refresh the authentication. In the extraction window, I can easily select the auth token and press "From Selection" and everything works as intended. But when trying to save the refresh token, one line below, I can press "From Selection" as often as I want, it won't be selected. And I don't really know why. No error or output is thrown, it simply won't work.

Here is the response it's hanging on:

HTTP/1.1 200 OK
Date: Tue, 08 Dec 2020 00:00:00 GMT
Server: Apache
Strict-Transport-Security: max-age=6307000; includeSubDomains
Content-Type: application/json
Access-Control-Allow-Origin: *
Cache-Control: no-store
Pragma: no-cache
Connection: close
Content-Length: 926

{"access_token":"eyJraQWiOiJPTmNmYlBIS1A5bmdTbUlGeHk0cVN5WmxfX2xGeUs2Vk9fSEViZWpaNGRNIiwidHlwIjoiSldUIiwiYWxnIjoiRVMyNTYifQ.eyJhdWQiOiJUSFAtUHJvZCIsInN1YiI6IjEwMDAwOTJBMDEiLCJvcmciOiJDNEdPMTAwMDA5MiIsImlzcyI6IkM0Q1NTTyIsImZuYSI6IkEyIiwidHBlIjoiUEhUZ0lDSUFOIiwiZXhwIjoxNjA3NDI2MDAyLCJpYXQiOjE2MDc0MjU5ODcsImp0aSI6IjhzUklscnN6X0RfNExvalZmV0x6TTJUSWs3UFktSDVJa1BYbFpFTmhrWTgiLCJsbmEiOiJQRU5fQXJ6dF8yIn0.BOu7kWMwV83RZkN9yDwYmIwLJiI0iAU7CRPNG6QKMXvHcNDktlnUcA4F0feHAM_2G9ctqKSZ-hsbhPg0qUZ16w","refresh_token":"eyJraWQiOiJPTmNmYlBIS1A5bmdTbUlGeHk0cVN5WmxfX2xGeUs2Vk9fSEViZWpaNGRNIiwidHlwIjoiSldUIiwiYWxnIjoiRVMyNTYifQ.eyJvaWQiOiI4c1JJbHJzel9EXzRMb2pWZldMek0yVElrN1BZLUg1SWtQWGxaRU5oa1k4IiwiZXhwIjoxNjA3NDMxOTUxLCJqdGkiOiJmOEhHVXNhZ1pNcm9SOGVpejkzQzhtQmpqWnFfNzVrcHg2OHBvS2JtSlM4In0.dKvIsLRJZ2yDD8QR-4MO-otOiFrXYECPGtENdMJeJrlCbKdCKISGWS85z9PNN8-AoI1mnBkvJ4obSG4sYI6_tA","scope":"read write","token_type":"Bearer","expires_in":1500}

Manikandanrkdn commented 3 years ago

@KoEnix I found the root cause. ATOR is trying to get the selected value by calculating start and end strings. If you see, both (access & refresh token) follow the same pattern (start string: _token" and end string: ",), and ATOR finds the pattern for the access token. But when we are selecting the refresh token, the same start and end strings are calculated, but the selected value is not populated in Extracted String.

Provided Solution: Calculate the start and end strings by traversing a bit more towards the left and right sides, as long as it finds the selected string. I tested it for the above response content. You can generate the new build and test it with that jar file once.
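As an added example, not ATOR's own code, the marker-based extraction the comment describes, in Python: markers shared by both tokens resolve to the first match (the access token), while markers grown outward from the selection until they locate exactly it pick out the refresh token. The body is constructed to mirror the issue's response with shortened token values, and the exact marker form `_token":"` / `",` is assumed from the comment's `_token"` and `",`.

```python
# Added example (not ATOR's code): reproduce the extraction-marker bug from the
# comment above and the fix it proposes, on a constructed body of the same shape.


def extract(body, start, end):
    """Return the text between the first `start` and the next `end` after it."""
    i = body.find(start)
    if i < 0:
        return None
    i += len(start)
    j = body.find(end, i)
    return body[i:j] if j >= 0 else None


def unique_markers(body, sel_start, sel_end, max_len=64):
    """Grow markers outward from the selection until they locate exactly it.

    The start marker is extended leftwards until its first occurrence in the
    body ends at sel_start; the end marker is extended rightwards until its
    first occurrence after the selection begins at sel_end.
    """
    for n in range(1, min(sel_start, max_len) + 1):
        start = body[sel_start - n:sel_start]
        if body.find(start) + n == sel_start:
            break
    else:
        return None
    for m in range(1, min(len(body) - sel_end, max_len) + 1):
        end = body[sel_end:sel_end + m]
        if body.find(end, sel_start) == sel_end:
            break
    else:
        return None
    return start, end


# Constructed token response with the same layout as the issue's (values shortened).
BODY = ('{"access_token":"AAA.BBB.CCC","refresh_token":"DDD.EEE.FFF",'
        '"scope":"read write","token_type":"Bearer","expires_in":1500}')
# Markers shared by both tokens, as the comment describes (exact form assumed).
SHARED_START, SHARED_END = '_token":"', '",'


def select(body, value):
    """Offsets of a highlighted value, standing in for the UI selection."""
    i = body.index(value)
    return i, i + len(value)


if __name__ == "__main__":
    sel = select(BODY, "DDD.EEE.FFF")
    # Shared markers resolve to the first match, i.e. the access token.
    print(extract(BODY, SHARED_START, SHARED_END))  # AAA.BBB.CCC
    start, end = unique_markers(BODY, *sel)
    print(repr(start), repr(end), extract(BODY, start, end))  # 'h_token":"' '"' DDD.EEE.FFF
```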