01-10-2024, 11:36 PM
Autorize is an extension for Burp Suite that automatically detects authorization enforcement issues in web applications. It is written in Python by application security expert Barak Tawily.
Installation
Download Burp Suite (obviously): https://portswigger.net/burp/download.html
Download the Jython standalone JAR: http://www.jython.org/download.html
Open Burp -> Extender -> Options -> Python Environment -> Choose File -> Choose the Jython standalone JAR
Install Autorize from BApp Store or follow these steps:
Download the Autorize source code: git clone git@github.com:Quitten/Autorize.git
Open Burp -> Extender -> Extensions -> Add -> Choose the Autorize.py file
Check out the Autorize tab and enjoy automatic authorization enforcement detection
User Guide - How to use?
After installation, the Autorize tab will be added to Burp.
Open the configuration tab (Auto -> Configuration).
Get the low-privileged user authorization token header (Cookie/Authorization) and copy it to the text box containing the text "Insert injected header here". Note: the header inserted here will be replaced (if exists) or added (if not exists).
If you do not need authentication testing, uncheck "Check unauthenticated" (requests with no cookies, in addition to checking authorization enforcement using the low-privileged user's cookie).
Checking "Intercept requests from the proxy" will also intercept requests sent through the proxy.
Click "Intercept is off" to start intercepting traffic to allow Autorize to check authorization enforcement.
Open your browser and configure the proxy settings so that traffic will be passed to Burp.
Browse to the application you want to test with the high-privileged user.
The Autorize table will show the URL of the request and the enforcement status.
You can click on a specific URL to view the original/modified/unauthenticated request/response to investigate the differences.
Authorization Enforcement Status
There are three types of enforcement status:
Bypassed! - Red
Enforced! - Green
Enforced? (Please configure enforcer) - Yellow
The first two statuses are pretty self-explanatory, so I won't say much about them.
The third status means that Autorize cannot determine whether authorization is enforced, so Autorize will ask you to configure filters in the enforcer tab. There are two different enforcer tabs, one for detecting enforcement for low-privileged requests and one for detecting enforcement for unauthenticated requests.
The enforcer filters will allow Autorize to detect authentication and authorization enforcement in the server response through content length or strings (text strings or regular expressions) in the message body, headers, or the entire request.
For example, if a request enforcement status is detected as "Authorization enforced? (Please configure enforcer)", you can investigate the modified/original/unauthenticated response and see that the modified response body contains the string "You are not authorized to perform this action", so you can add a filter with a fingerprint value of "You are not authorized to perform this action", so Autorize will look for this fingerprint and automatically detect whether authorization is enforced. The same operation can be performed by defining a content length filter or fingerprint in the headers.
Intercept filters
Intercept filters allow you to configure the domains you want to be intercepted by the Autorize plugin. You can determine this by blacklist/whitelist/regular expression or Burp scope items to avoid unnecessary domains being intercepted and make your work more organized.
Example of intercept filters (note that there are default filters to avoid scripts and images):
Download:
Installation
Download Burp Suite (obviously): https://portswigger.net/burp/download.html
Download the Jython standalone JAR: http://www.jython.org/download.html
Open Burp -> Extender -> Options -> Python Environment -> Choose File -> Choose the Jython standalone JAR
Install Autorize from BApp Store or follow these steps:
Download the Autorize source code: git clone git@github.com:Quitten/Autorize.git
Open Burp -> Extender -> Extensions -> Add -> Choose the Autorize.py file
Check out the Autorize tab and enjoy automatic authorization enforcement detection
User Guide - How to use?
After installation, the Autorize tab will be added to Burp.
Open the configuration tab (Auto -> Configuration).
Get the low-privileged user authorization token header (Cookie/Authorization) and copy it to the text box containing the text "Insert injected header here". Note: the header inserted here will be replaced (if exists) or added (if not exists).
If you do not need authentication testing, uncheck "Check unauthenticated" (requests with no cookies, in addition to checking authorization enforcement using the low-privileged user's cookie).
Checking "Intercept requests from the proxy" will also intercept requests sent through the proxy.
Click "Intercept is off" to start intercepting traffic to allow Autorize to check authorization enforcement.
Open your browser and configure the proxy settings so that traffic will be passed to Burp.
Browse to the application you want to test with the high-privileged user.
The Autorize table will show the URL of the request and the enforcement status.
You can click on a specific URL to view the original/modified/unauthenticated request/response to investigate the differences.
Authorization Enforcement Status
There are three types of enforcement status:
Bypassed! - Red
Enforced! - Green
Enforced? (Please configure enforcer) - Yellow
The first two statuses are pretty self-explanatory, so I won't say much about them.
The third status means that Autorize cannot determine whether authorization is enforced, so Autorize will ask you to configure filters in the enforcer tab. There are two different enforcer tabs, one for detecting enforcement for low-privileged requests and one for detecting enforcement for unauthenticated requests.
The enforcer filters will allow Autorize to detect authentication and authorization enforcement in the server response through content length or strings (text strings or regular expressions) in the message body, headers, or the entire request.
For example, if a request enforcement status is detected as "Authorization enforced? (Please configure enforcer)", you can investigate the modified/original/unauthenticated response and see that the modified response body contains the string "You are not authorized to perform this action", so you can add a filter with a fingerprint value of "You are not authorized to perform this action", so Autorize will look for this fingerprint and automatically detect whether authorization is enforced. The same operation can be performed by defining a content length filter or fingerprint in the headers.
Intercept filters
Intercept filters allow you to configure the domains you want to be intercepted by the Autorize plugin. You can determine this by blacklist/whitelist/regular expression or Burp scope items to avoid unnecessary domains being intercepted and make your work more organized.
Example of intercept filters (note that there are default filters to avoid scripts and images):
Download:
