Automatically extract and inject authentication tokens in Burp Suite using the Montoya API
# 1. Set Java 21
export JAVA_HOME=/path/to/java21
# 2. Build
./gradlew clean jar
# 3. Load in Burp Suite
# Extensions β Installed β Add β build/libs/TokenBinder.jar
# 4. Configure and use!Token Binder is a powerful Burp Suite extension that streamlines authentication token management during API security testing. It:
- β Automatically extracts tokens from API responses
- β Automatically injects tokens into subsequent requests
- β Supports multiple extraction methods (JSONPath & Regex)
- β Supports multiple injection points (Headers, Query Params, JSON/Form Body)
- β Provides interactive configuration UI
- β Works seamlessly with Burp Repeater
- β Logs all operations for debugging
Extract access tokens from /oauth/token endpoint and inject into API requests:
- Source:
api.example.com/oauth/token - Target:
api.example.com/api/* - Token Format:
Bearer {token}(Header)
Test REST APIs that use session tokens:
- Source:
/loginendpoint - Target:
/api/resourcesendpoints - Token Format:
session_id={token}(JSON Body)
Manage API keys programmatically:
- Source:
/authenticate - Target:
/api/v1/* - Injection: Query Parameter
api_key
- Java 21+ (required by Montoya API)
- Burp Suite 2024.x or later
- Gradle (bundled with project)
-
Verify Java 21 is active:
java -version # Should show: openjdk version "21.x.x" -
Build the extension:
cd /path/to/ExtensionTemplateProject ./gradlew clean jar -
Output:
build/libs/token-binder.jar (approximately 50KB)
- Open Burp Suite
- Navigate to:
Extensions β Installed - Click Add
- Select:
build/libs/token-binder.jar - Click Next and confirm
Verification:
- "Token Binder" tab appears in main interface
- Logs show:
[Token Binder] extension loaded successfully!
The extension adds a "Token Binder" tab with the following fields:
| Field | Purpose | Example |
|---|---|---|
| Source Tab | URL pattern for token-generating endpoint | /auth, api.example.com/login |
| Target Tab | URL pattern for endpoints using the token | /api, api.example.com/v1 |
| Token Path | JSONPath or Regex to extract token | $.access_token or "token":"([^"]+)" |
| Injection Location | Where to place the token | Header / Query / Body JSON / Body Form |
| Injection Key | Name of header/param/field | Authorization / api_key / token |
| Token Format | Template for token value | Bearer {token} / {token} |
Source Tab: api.example.com/oauth/token
Target Tab: api.example.com/api
Token Path: $.access_token
Injection Location: Header
Injection Key: Authorization
Token Format: Bearer {token}
Source Tab: /authenticate
Target Tab: /api/user
Token Path: "token"\s*:\s*"([^"]+)"
Injection Location: Header
Injection Key: X-Auth-Token
Token Format: {token}
Source Tab: api.example.com/v1/auth
Target Tab: api.example.com/v1/resources
Token Path: $.api_key
Injection Location: Query Parameter
Injection Key: key
Token Format: {token}
- Click the Token Binder tab in Burp Suite
- Fill in all fields with appropriate values
- Click Apply Configuration
- Confirm success message
- Tokens will be extracted/injected automatically from now on
- Open Burp Repeater
- Create a request to your Source Tab URL (authentication endpoint)
- Send the request
- Extension extracts token automatically
- Check logs:
[Token Binder] Token extracted: xxxx...
- Create a new request to your Target Tab URL
- Send the request (from Repeater only)
- Extension injects the token automatically
- Check logs:
[Token Binder] Token injected
Clear Token: Click "Clear Token" button to manually clear stored token
Refresh Status: Click "Refresh Token Status" to see current token (masked)
View Logs: Check "Extension Load" console for detailed operation logs
JSONPath (for structured JSON responses):
- Path format:
$.field_nameor$.nested.field - Example:
$.data.access_tokenextracts from{"data": {"access_token": "xyz"}}
Regex (for unstructured or complex responses):
- Pattern must include capture group:
(...) - Example:
"token"\s*:\s*"([^"]+)"extracts from"token": "xyz"
-
Header - Injects as HTTP header
- Example:
Authorization: Bearer {token}
- Example:
-
Query Parameter - Adds URL query parameter
- Example:
https://api.example.com/endpoint?api_key={token}
- Example:
-
Body (JSON) - Adds JSON field
- Example:
{"user": "john", "token": "xyz"}
- Example:
-
Body (Form) - Adds form parameter
- Example:
user=john&token=xyz
- Example:
The extension logs all operations to Burp's Extension Load console:
[Token Binder] extension loaded successfully!
[Token Binder] Configuration updated:
Source Tab: api.example.com/oauth
Target Tab: api.example.com/api
Token Path: $.access_token
Injection: header -> Authorization
[Token Binder] Token extracted: xxxx...
[Token Binder] Token injected into target request: HEADER -> Authorization
Error: 25.0.1 IllegalArgumentException
# Solution: Set correct Java version
export JAVA_HOME=/path/to/java21
./gradlew clean jarError: Could not find montoya-api
# Solution: Clear Gradle cache
rm -rf ~/.gradle/caches
./gradlew clean jarToken not extracting:
- Verify Source Tab URL pattern matches your endpoint
- Check Token Path format (JSONPath vs Regex)
- Inspect actual response to confirm token location
- Check logs for extraction errors
Token not injecting:
- Verify Target Tab URL pattern is correct
- Confirm requests come from Repeater tool
- Check Injection Location matches request format
- Verify Injection Key name is correct
Extension not loading:
- Verify Java 21:
java -version - Check JAR exists:
ls build/libs/token-binder.jar - Review Burp's Extension Load console for errors
- Try reloading: Disable/Enable extension in Burp
ExtensionTemplateProject/
βββ src/main/java/
β βββ Extension.java # Main extension implementation
βββ build.gradle.kts # Gradle build configuration
βββ settings.gradle.kts # Gradle settings
βββ gradlew # Gradle wrapper (Linux/Mac)
βββ gradlew.bat # Gradle wrapper (Windows)
βββ README.md # This file
βββ DEPLOYMENT.md # Detailed deployment guide
- Token Masking: Tokens are masked in logs (first 4 and last 4 chars shown)
- In-Memory Only: Tokens stored only in memory, not persisted
- Repeater Only: Extension only processes requests from Repeater tool
- Manual Clear: Tokens can be manually cleared via UI
- DEPLOYMENT.md - Comprehensive deployment guide with troubleshooting
- Montoya API Docs - Official API documentation
- Burp Extension Guide - Burp extension development
- Language: Java 21
- API: Burp Montoya API (Burp Suite 2024+)
- Build Tool: Gradle 8.x
- UI Framework: Java Swing
- Pattern Matching: Java Regex + JSONPath
This extension follows PortSwigger's extension licensing terms. See Burp Suite documentation for details.
To extend or modify this extension:
- Edit
src/main/java/Extension.java - Implement new extraction/injection methods
- Build:
./gradlew clean jar - Test in Burp Suite
- Follow Burp extension best practices
Q: Can I use this with Burp Community Edition? A: Yes! Montoya API works with both Community and Professional editions.
Q: Does it work with other Burp tools besides Repeater? A: Currently optimized for Repeater. Can be extended for Scanner, Intruder, etc.
Q: Can I change configuration mid-session? A: Yes! Apply new configuration anytime. Previous token will be cleared.
Q: Is my token secure? A: Tokens are in-memory only, masked in logs, and cleared on command. Use at your discretion.
Version: 1.0
Last Updated: 2025
Requires: Java 21+ | Burp Suite 2024+