Failure to replace 2 tokens in the condition replacement

[ionimit]

I am replacing 2 tokens in a single request, one is the session cookie, and the other one is a CSRF token from a custom header.
When fetching the tokens from selection, it extracts only one currently selected. If I select the second CSRF token, it will be replaced with the first session token, and the first session token won't be replaced.

Steps:

1. Error condition request requires 2 tokens, a session cookie, and CSRF in a custom header.
2. Obtain a session token with a login request and response with a set-cookie header.
3. Obtain a CSRF token with a second request that requires the session token, and respond with a custom header containing the CSRF token.
4. In the Condition request replacement, Select the session token in the cookie header and replace it with the first session token.
5. Then select the CSRF token from the custom header and replacing with the extracted CSRF token
6. Result - the final request is sent without replacing the session cookie, and the CSRF token header gets replaced with the session token.

Sorry that I cannot share a screenshot.

[n0kovo]

I'm having the same issue in Burp Pro v2022.12.5. Did you manage to fix it?

[aditi-sharma27]

I am replacing 2 tokens in a single request, one is the session cookie, and the other one is a CSRF token from a custom header. When fetching the tokens from selection, it extracts only one currently selected. If I select the second CSRF token, it will be replaced with the first session token, and the first session token won't be replaced.

Steps:

1. Error condition request requires 2 tokens, a session cookie, and CSRF in a custom header.
2. Obtain a session token with a login request and response with a set-cookie header.
3. Obtain a CSRF token with a second request that requires the session token, and respond with a custom header containing the CSRF token.
4. In the Condition request replacement, Select the session token in the cookie header and replace it with the first session token.
5. Then select the CSRF token from the custom header and replacing with the extracted CSRF token
6. Result - the final request is sent without replacing the session cookie, and the CSRF token header gets replaced with the session token.

Sorry that I cannot share a screenshot.

We verified with similar requests pattern and its working fine for us. May be you are doing something wrong during the selection process or replacement process.

[aditi-sharma27]

I'm having the same issue in Burp Pro v2022.12.5. Did you manage to fix it?

Hi @n0kovo We haven't face any such issue with ATOR. All replacements are happening properly. Can you please elaborate more your scenario or screenshot is better?

[ionimit]

Hi,
I am using Burp Pro v2022.12.7 and ATOR v2.1.0
Here is an example I built for the demonstration purpose:

[ionimit]

[ionimit]

[aditi-sharma27]

@n0kovo The issue was fixed in ATOR-2.2.0. Please take a latest binaries from /bin and try for your scenarios.

[aditi-sharma27]

@n0kovo Hi, Did you get a chance to try the latest version - ATOR-2.2.0 to see if it resolves the issue you were facing? If you still encounter any issues, please do not hesitate to reach out to us. We value your feedback and are always looking for ways to improve ATOR.