Recently I became one of the authors of one of the most useful (in my opinion) Burp Suite plugins, Autorize.
Autorize is a plugin created by Barak Tawily that helps to speed up one of the most difficult tasks to automate in web application penetration testing: authorization checks. Usually this is a very time-consuming (and booooring) task, in which the penetration tester repeats every request with the session of a more privileged user (vertical authorization check) or simply of a different user (horizontal authorization check).
The plugin is as simple as it is useful. It takes the cookies of a different user and repeats every request that passes through the proxy with the cookies replaced. The condition that counts as “authorization enforcement” can be specified as a text string or a regex, and you can specify which requests to include in or exclude from the test (it is also possible to use the Burp Suite scope).
The new features of the plugin are the following:
- Authentication checks: each request is also executed without any cookie, in order to verify that authentication is enforced.
- Save/Restore functionality, so that authorization checks can be stopped and resumed, even after closing Burp Suite.
- Filter functionality, in order to show or extract only the relevant rows.
- Improved main table, with new columns, auto-sorting, and auto-selection of the corresponding tab when a column is clicked.
- New interception filters and enforcement detectors, with the possibility to combine different enforcement conditions using AND or OR boolean expressions.
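To make the workflow described above concrete, here is an added, stand-alone Python model of it. It is not Autorize's own code (Autorize is a Jython Burp extension that takes its requests from the proxy): the target application, the session cookies, the paths and the detector patterns are all constructed for the demo. It replays each "privileged" request twice, once with the other user's cookie (authorization check) and once with no cookie at all (authentication check), then applies enforcement detectors (text or regex, combined with AND or OR) to reach one of three verdicts: enforced, bypassed, or undecided.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


# Constructed model of an HTTP exchange. Autorize gets these from the Burp
# proxy; here they are plain objects so the example runs offline.
@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


# Enforcement detector: a text string or regex that, when it matches the
# response to the *modified* request, signals that the server enforced the
# check (login redirect, "access denied", ...). It is matched against
# "<status>\n<body>", so a regex such as r"^(302|401|403)\b" keys on status.
@dataclass
class Detector:
    pattern: str
    is_regex: bool = False

    def matches(self, resp: Response) -> bool:
        text = f"{resp.status}\n{resp.body}"
        if self.is_regex:
            return re.search(self.pattern, text) is not None
        return self.pattern in text


def enforced(detectors: List[Detector], resp: Response, mode: str = "OR") -> bool:
    """Combine several detectors with AND or OR, as the plugin's conditions can be."""
    hits = [d.matches(resp) for d in detectors]
    return bool(hits) and (all(hits) if mode == "AND" else any(hits))


def swap_cookie(req: Request, cookie: Optional[str]) -> Request:
    """Copy req with its Cookie header replaced; cookie=None drops it entirely
    (the unauthenticated variant used for the authentication check)."""
    headers = {k: v for k, v in req.headers.items() if k.lower() != "cookie"}
    if cookie is not None:
        headers["Cookie"] = cookie
    return Request(req.method, req.path, headers)


def classify(original: Response, modified: Response,
             detectors: List[Detector], mode: str) -> str:
    """Three verdicts: a detector fired -> enforced; the modified response is
    identical to the privileged one -> bypassed; otherwise undecided, which
    usually means the detectors need tuning for this application."""
    if enforced(detectors, modified, mode):
        return "Enforced!"
    if (modified.status, modified.body) == (original.status, original.body):
        return "Bypassed!"
    return "Is enforced???"


def check_request(send: Callable[[Request], Response], req: Request,
                  low_priv_cookie: str, detectors: List[Detector],
                  mode: str = "OR") -> Tuple[str, str]:
    """Replay one proxied request as the low-privileged user (authorization
    check) and with no cookie at all (authentication check)."""
    original = send(req)
    authz = classify(original, send(swap_cookie(req, low_priv_cookie)), detectors, mode)
    authn = classify(original, send(swap_cookie(req, None)), detectors, mode)
    return authz, authn


# --- Constructed target application (hypothetical, for the demo only) --------
SESSIONS = {"sid=admin-111": "admin", "sid=alice-222": "alice"}


def toy_app(req: Request) -> Response:
    """/admin/users checks the role; /api/export forgets to (vertical bypass);
    /api/profile returns per-user data, so another user sees different content."""
    if req.path.startswith("/public"):
        return Response(200, "welcome")
    user = SESSIONS.get(req.headers.get("Cookie", ""))
    if user is None:
        return Response(302, "Location: /login")
    if req.path == "/admin/users":
        if user != "admin":
            return Response(403, '{"error":"access denied"}')
        return Response(200, '[{"id":1,"name":"admin"},{"id":2,"name":"alice"}]')
    if req.path == "/api/export":  # missing role check
        return Response(200, "id,name\n1,admin\n2,alice")
    if req.path == "/api/profile":
        return Response(200, f'{{"user":"{user}"}}')
    return Response(404, "not found")


DETECTORS = [Detector("access denied"), Detector(r"^(302|401|403)\b", is_regex=True)]


def run_demo() -> Dict[str, Tuple[str, str]]:
    """Replay the admin's proxied traffic as alice and as an unauthenticated client."""
    paths = ["/admin/users", "/api/export", "/api/profile", "/public/info"]
    return {p: check_request(toy_app, Request("GET", p, {"Cookie": "sid=admin-111"}),
                             "sid=alice-222", DETECTORS) for p in paths}


if __name__ == "__main__":
    for path, (authz, authn) in run_demo().items():
        print(f"{path:<14} authorization: {authz:<16} authentication: {authn}")
```

The `/public/info` row shows why interception filters matter: a page that is legitimately open to everyone is reported as "Bypassed!" for both checks, so such paths are excluded from the test (or the comparison is restricted to Burp's scope) rather than read as findings. The `/api/profile` row shows the undecided verdict: the response differs but no detector fired, which is the cue to add a detector matching that application's actual denial response.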
Here is a screenshot of the current version of Autorize:
Autorize can be downloaded from:
- Burp Suite BApp Store
- Official repository: https://github.com/Quitten/Autorize
Happy authorization and authentication testing!