
Tokenjar v2.1

A Burp Suite extension for managing tokens such as anti-CSRF values, CSurf values and other special-purpose values. It can also set parameters that require a random number or that are computed from a custom formula.

Welcome to TokenJar Page

If you're using Burp Suite Free or Pro you have already noticed that maintaining a session can sometimes be a difficult task. This extension is the easiest way to manage tokens used for different purposes. Examples include anti-CSRF tokens, CSurf values, parameters that require a unique/random value, and even session values that are computed from a formula.

TokenJar showing its powers

TokenJar was designed to overcome the limitations of the built-in Cookie Jar. It proves very useful when working together with Session Handling Rules.

Example configuration

Download the plugin

The ready-to-use jar can be downloaded from here.

Go ahead and improve this extension. You can browse through the code here.

Install instructions

  1. Download the jar.
  2. In Burp, navigate to the Extender tab.
  3. Select "Add".
  4. Set Extension Type to "Java" and choose "Select file…".
  5. Navigate to the downloaded jar, click "Open" and then "Next".

If everything is OK, the extension should appear in the list and the "Loaded" checkbox should be checked.

Getting Started

The plugin has its own tab called "Token Jar" with a user interface designed around a table that shows you all the information needed.

  1. Add a new line.
  2. Configure the extraction settings:
    • Path - a URL that limits the location from which the token is extracted (response)
      Tip: Can be * for most cases
    • Regex - expression that identifies the desired value. It should have at least one capturing group.
      Tip: Use a common value such as "200 OK" if you just want a token that, for example, is unique per request
    • Eval - JavaScript code for transforming the value. grp[1], grp[2], ... return matched group 1, 2, ... Here you can use JavaScript to concatenate, generate random values (Math.random()), do conversions, etc.
      Tip: Here you can use string operations (e.g. concatenation), common JS functions (e.g. Math.random()) or your own code
  3. Set an initial value:
    • Value - an optional initial value for the first run. This value will be overwritten at runtime.
  4. Set the parameter name and location:
    • Name - token name as it appears in the request
    • header, url, body, ... - token position in the request. Multiple choices are possible.
    • header - a custom header contains the token. The token name is given without the colon ":"
    • url - the URL query string contains the token as a parameter
    • body - the token is a regular POST parameter
    • cookie - one of the cookies contains the token
    • other - for tokens inside JSON, XML, XML attributes or multipart attributes
  5. Optionally test your regular expression by clicking "Regex".
  6. Enable the line and the master enable checkbox.
  7. All done!

Example

  1. I added a new line to extract the csrf value from a JavaScript variable embedded in the HTML response.
  2. I tested the Regex and the Eval. To do this I used the response snippet that contained the assignment I was searching for.
  3. Enable the line and the master switch.
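The Regex, grp[] and Eval steps from Getting Started, applied to the csrf-in-a-JavaScript-variable case from the Example above. This is an added example, not TokenJar's own code: it simulates the extract-then-eval pipeline locally so a Regex and Eval expression can be checked against a captured response before being entered in the table. The function names and the sample response are assumptions.

```javascript
// Added example (not TokenJar's own code): a local simulation of the
// Regex -> grp[] -> Eval pipeline, for checking expressions before they
// go into the TokenJar table. Function names here are assumptions.

// Constructed sample response: the CSRF token sits in a JavaScript
// variable embedded in the HTML, as in the Example section.
const SAMPLE_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html',
  '',
  '<html><script>',
  '  var csrfToken = "a1b2c3d4e5f6";',
  '  var userId = 42;',
  '</script></html>',
].join('\r\n');

// Regex step: grp[0] is the whole match, grp[1], grp[2], ... are the
// capturing groups, mirroring the grp[] array TokenJar exposes to Eval.
function extractGroups(response, regexSource) {
  const m = new RegExp(regexSource).exec(response);
  return m ? Array.from(m) : null;
}

// Eval step: run the user's JavaScript expression with only grp in scope.
// (TokenJar uses its own JS engine; the Function constructor stands in.)
function evalToken(grp, evalSource) {
  return Function('grp', 'return (' + evalSource + ');')(grp);
}

// Full pipeline. Returns null when the regex does not match, so a broken
// Regex is visible instead of silently producing a wrong token.
function computeToken(response, regexSource, evalSource) {
  const grp = extractGroups(response, regexSource);
  return grp === null ? null : evalToken(grp, evalSource);
}

// Case 1: plain extraction of the csrf value (Eval = grp[1]).
const CSRF_REGEX = 'var csrfToken = "([^"]+)"';

// Case 2: two groups combined by Eval into a single token value.
const COMBINED_REGEX = 'csrfToken = "([^"]+)";[\\s\\S]*?userId = (\\d+)';

// Case 3: the "200 OK" tip: match any successful response and let Eval
// generate a fresh random value for each request.
const ANY_OK_REGEX = '200 OK';
const RANDOM_EVAL = 'Math.random().toString(36).slice(2, 12)';

console.log(computeToken(SAMPLE_RESPONSE, CSRF_REGEX, 'grp[1]'));
console.log(computeToken(SAMPLE_RESPONSE, COMBINED_REGEX, 'grp[1] + "-" + grp[2]'));
console.log(computeToken(SAMPLE_RESPONSE, ANY_OK_REGEX, RANDOM_EVAL));
```

Paste a real response (or just the snippet containing the assignment) into SAMPLE_RESPONSE and run with node to see what each Eval produces.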

Debug

By enabling debugging, real-time information can be consulted in the Output window (Extender > Extensions > select TokenJar > Output).

Request:

  • parameters - name and type. Case sensitivity matters!
  • headers - name and current value
  • tokens - the tokens that have been processed
  • request - the full final request (after processing was done)

Response:

  • path - the processed URL
  • regex - the expression that matched
  • groups - the values captured in each group

Notes

Requirements for usage

Notice:

Requirements for building