# Week 41 - BURP ATOR

Are you tired of JSON Web Tokens (JWTs) quickly expiring while running an [#AppSec](https://www.linkedin.com/feed/hashtag/?keywords=appsec\&highlightedUpdateUrns=urn%3Ali%3Aactivity%3A6991411336362520576) engagement?

I know firsthand the frustration you can feel when tokens seem to expire before you can even send them to the Repeater tab!

Luckily there is an amazing [#BurpSuite](https://www.linkedin.com/feed/hashtag/?keywords=burpsuite\&highlightedUpdateUrns=urn%3Ali%3Aactivity%3A6991411336362520576) extension called Authentication Token Obtain and Replace (ATOR). To use it, all you need to do is:

1. Specify the Error Condition: when does ATOR need to take action, i.e. which response tells it the JWT has expired? See the photo for an example of how I told ATOR to act upon receiving a 401 Unauthorized.

2. Obtain New Token: tell ATOR to re-run the login request that responds with a valid JWT. Select that JWT in the response so ATOR knows how to identify and extract it.

3. Replace the Token: when the error condition from step 1 occurs (401 Unauthorized), where should ATOR place the new token acquired in step 2? Most likely this will be in the request header: `Authorization: Bearer <token-here>`.

Last, in the settings select which tools you want ATOR to run on; I recommend both Repeater and Intruder. Now your macro runs in the background, allowing you a little less frustration in your life!

![](/files/ZTyFXNxczyhVWTNqy6BY)
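To make the three steps concrete, here is an added Python example (not ATOR's own code, which is a Burp extension) that applies the same obtain-and-replace logic around a constructed in-memory API whose tokens stop working after two calls: a 401 is the error condition, replaying the recorded login request is the obtain step, and the `Authorization: Bearer` header is where the fresh token is replaced before the original request is replayed. The request dictionary shape, the `access_token` JSON field and the `FakeApi` class are assumptions made for this demonstration.

```python
import re

class TokenObtainAndReplace:
    # Wraps a send(request) -> (status, body) function and applies ATOR's three steps around each request.
    def __init__(self, send, login_request, error_status=401, header="Authorization",
                 prefix="Bearer ", token_pattern=r'"access_token"\s*:\s*"([^"]+)"'):
        self.send, self.login_request = send, login_request
        self.error_status = error_status           # step 1: the error condition to watch for
        self.token_re = re.compile(token_pattern)  # step 2: how to pick the token out of the login response
        self.header, self.prefix = header, prefix  # step 3: where the fresh token is placed
        self.token, self.refreshes = None, 0
    def _obtain_token(self):
        status, body = self.send(self.login_request)  # replay the recorded login request
        match = self.token_re.search(body)
        if status != 200 or match is None:
            raise RuntimeError("login request did not return a token")
        self.refreshes += 1
        return match.group(1)
    def _with_token(self, req):
        return {**req, "headers": {**req.get("headers", {}), self.header: self.prefix + self.token}}
    def request(self, req):
        if self.token is None:
            self.token = self._obtain_token()
        resp = self.send(self._with_token(req))
        if resp[0] == self.error_status:  # error condition fired: re-login, replace the header, replay once
            self.token = self._obtain_token()
            resp = self.send(self._with_token(req))
        return resp

class FakeApi:
    # Constructed stand-in for the target app: each issued token is accepted `ttl` times, then rejected with 401.
    def __init__(self, ttl=2):
        self.ttl, self.issued, self.uses = ttl, 0, {}
    def send(self, req):
        if req["path"] == "/login":
            self.issued += 1
            self.uses[f"jwt-{self.issued}"] = 0
            return 200, f'{{"access_token": "jwt-{self.issued}"}}'
        token = req.get("headers", {}).get("Authorization", "")[len("Bearer "):]
        if self.uses.get(token, self.ttl) >= self.ttl:
            return 401, "Unauthorized"
        self.uses[token] += 1
        return 200, f"ok via {token}"

def demo(calls=5):
    # Send `calls` authenticated requests; returns the status of each and how often a re-login was needed.
    api = FakeApi(ttl=2)
    ator = TokenObtainAndReplace(api.send, {"path": "/login", "body": "user=u&pass=p"})
    statuses = [ator.request({"path": "/api/me"})[0] for _ in range(calls)]
    return statuses, ator.refreshes
```

With `demo(5)` every request comes back 200 even though the fake API expires each token after two uses, at the cost of three login replays; the same pattern is what ATOR does transparently for Repeater and Intruder traffic.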


