
Burpsuite for Pentester: Autorize

Web application security testing is an essential part of protecting online assets. Burp Suite has been a leader in this area for many years and is still used by security professionals and ethical hackers alike. One extension that stands out in the web security testing community is “Autorize”, which adds a wide range of features to Burp. It provides a powerful set of capabilities that simplify authentication and authorization testing.

Autorize = Authenticate + Authorize

Authorization covers any method by which a system grants or revokes permission to access specific data or actions. Authentication, by contrast, is the process by which an individual or system proves that they are who they claim to be.

  • Common vulnerabilities detected by Autorize
  • Understanding the Functionality
  • Installation and Setup
  • Navigation and Configuration options
  • Practical Demonstration of Autorize in Action

Common vulnerabilities detected by Autorize

Initially, Autorize focuses on identifying authorization-related vulnerabilities. It helps uncover several major vulnerability types, such as:

  • Inadequate Role-Based Access Control (RBAC): Autorize uncovers issues where user roles or permissions aren’t enforced properly, allowing users to access functionality or sensitive data they shouldn’t access.
  • Broken Access Controls: It identifies cases where access controls fail, leading to unauthorized access to resources or actions.
  • Insecure Direct Object References (IDOR): It detects scenarios where attackers manipulate input to access other users’ data or perform restricted actions.
  • Forced Browsing: It highlights situations where attackers bypass restrictions by directly accessing restricted URLs.
  • Insufficient Authorization: It exposes weak enforcement of user permissions, enabling unauthorized actions.
  • Horizontal and Vertical Privilege Escalation: It finds flaws that allow attackers to impersonate users or gain additional privileges.
  • Business Logic Flaws: Autorize detects workflow manipulation that leads to unauthorized activity or data leaks.

Understanding the working of Autorize

Now, let’s understand how Autorize works. Suppose a web application uses role-based access control and cookie-based authentication.

  • Normal User: has access to general features but cannot access admin functionality or modify the database (read-only).
  • Admin User: can access everything with full read/write permissions.

You capture the normal user’s cookies and add them to Autorize. Then you log in again as the admin user, access admin-only features, and update the database.

What is Autorize doing at this point? It intercepts each request, replaces the admin cookies with the normal user’s cookies, and sends the copy to the server. If the server’s response matches what the admin received (for example a 200 OK with no error), Autorize highlights the request in red as Bypassed!. Properly protected requests appear in green as Enforced!.

Furthermore, Autorize performs this automated check for every request the client sends. In large applications with 30+ dynamic pages, this greatly simplifies testing: there are too many URLs to test manually, so Autorize handles much of the discovery burden.

Autorize detects API endpoint issues in the same way. Verify the authentication method used by each API; for example, if an API uses a JWT, you can have Autorize swap the Authorization header to identify bypass vulnerabilities in the API.

Installation and Setup

You can download and install the extension from the BApp Store. Open Extensions, select BApp Store, and search for ‘Autorize’ (or scroll down to it). Click on it; the details appear on the right-hand side.

Because the extension is written in Python, you will see that ‘Jython’ needs to be installed first.

Browse to the link below and download ‘Jython Standalone’.

Refer to this link: https://www.jython.org/download.html

After downloading, go to Settings > Extensions and, on the right-hand side under Python Environment, browse to the Jython standalone JAR you downloaded. The Jython environment is now set up.

Restart Burp and return to the BApp Store to install Autorize. You’ll notice that the Install button is now enabled; click it to install the extension.

The Autorize tab will appear in the tab bar after successful installation.

Navigating and Configuration Options

There are two tabs under the Autorize section: the first is the Request/Response Viewers tab and the other is the Configuration tab.

Request/Response Viewers

The Request/Response tab displays full details of the request you select in the Autorize table. The manipulated request is shown under the Modified Request section, the Original Request tab shows the original, unmodified request, and the Unauthenticated Request tab shows the copy sent without any session.

Configuration Options

Under the Configuration tab you will see that Autorize is off by default; when you are ready to capture requests, turn Autorize on first. There are also options that control which requests are captured and how server status codes are treated. Select them according to your preference.

Temporary Header and Token Replacement

In the Temporary header box, enter the normal user’s token/cookie/header value that should replace the corresponding value in each captured request. For example, if the application uses a JWT for its auth mechanism, paste that token here.

You can either add the auth value manually or use the option below it to fetch it from the last request: click ‘Fetch Cookies header’ to add the Cookie header from the last request, or ‘Fetch Authorization header’ to add the Authorization header.

Generally, session cookies are sent in the Cookie header and auth tokens in the Authorization header.

Setting Up the Enforcement Detector

Once the session cookies are loaded, you need to tell Autorize which requests to intercept and what the application’s standard response looks like for unauthorized requests or requests with insufficient permissions.

Starting with the Enforcement Detector, enter a characteristic of the response you expect when a low-privileged user attempts an action they lack permission for. In my practice, I’ve found that utilizing the “Body (simple string): enforced message body contains” option is the simplest to set up and functions effectively. Choose the type and content that match your application and remember to click the “Add filter” button.

Using Multiple Filters

Note that Autorize defaults to “And” when combining multiple filters. So if the application returns distinct error messages, for instance one for trying to read a file and another for attempting to access administrative features, create a filter for each scenario and switch the “And” to “Or”.

Setting the Unauthenticated Detector

Follow the same procedure for the Unauthenticated Detector.

The interception filter intercepts “Scope items only” regardless of content and, from those requests, ignores spider requests and URLs with image extensions. Select what suits you and click “Add filter” once the type is selected.
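To make the replay-and-compare mechanism and the And/Or filter behaviour concrete, here is an added example modelled on how Autorize grades a request; it is not the extension’s own code. The target application, the session values and the routes are constructed for the example, and the grading rule (detector hit → Enforced!, same status and body length as the admin’s response → Bypassed!, otherwise → Is enforced!) is my reading of the extension, stated as an assumption.

```python
from collections import namedtuple

Response = namedtuple("Response", "status body")
ADMIN_COOKIE = "session=ADMIN-constructed"    # constructed session values
WIENER_COOKIE = "session=WIENER-constructed"

def fake_server(path, headers):
    """Constructed target: a protected admin route, a broken /export, a per-user page."""
    cookie = headers.get("Cookie")
    if cookie is None:
        return Response(302, "Redirecting to /login")
    if path.startswith("/admin"):
        return (Response(200, "<h1>Admin panel</h1>") if cookie == ADMIN_COOKIE
                else Response(401, "Unauthorized"))
    if path == "/export":  # broken access control: every session gets the same data
        return Response(200, "id,name\n1,carlos\n")
    user = "administrator" if cookie == ADMIN_COOKIE else "wiener"
    return Response(200, f"Welcome {user}")  # per-user content, different length

def swap_cookie(headers, low_priv_cookie):
    """Copy of the headers with the Cookie replaced (Authz.) or removed (Unauth.)."""
    out = {k: v for k, v in headers.items() if k.lower() != "cookie"}
    if low_priv_cookie is not None:
        out["Cookie"] = low_priv_cookie
    return out

def detector_hit(resp, filters, mode="And"):
    """Filters are ("body", text) or ("status", code), combined with And or Or."""
    hits = [value in resp.body if kind == "body" else resp.status == value
            for kind, value in filters]
    return all(hits) if mode == "And" else any(hits)

def classify(original, replayed, filters, mode="And"):
    """Detector hit -> Enforced!; same status and length as the admin's own
    response -> Bypassed!; anything else -> Is enforced! (re-check by hand)."""
    if detector_hit(replayed, filters, mode):
        return "Enforced!"
    if (replayed.status, len(replayed.body)) == (original.status, len(original.body)):
        return "Bypassed!"
    return "Is enforced!"

def autorize(path, enf_filters, mode="And", unauth_filters=(("status", 302),)):
    """(Authz. Status, Unauth. Status) for one request sent by the admin user."""
    admin = {"Cookie": ADMIN_COOKIE}
    original = fake_server(path, admin)
    authz = fake_server(path, swap_cookie(admin, WIENER_COOKIE))
    unauth = fake_server(path, swap_cookie(admin, None))
    return (classify(original, authz, enf_filters, mode),
            classify(original, unauth, list(unauth_filters)))
```

Running `autorize("/admin", [("body", "Unauthorized"), ("body", "Access denied")], "And")` shows the pitfall from the filter section: with “And” a 401 whose body contains only one of the two strings is graded Is enforced!, while “Or” grades it Enforced!.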

Match/Replace Feature

Additionally, Autorize has a Match/Replace feature. Use it if you need to change a specific header or body parameter in the replayed request. For instance, if the parameter ‘u.name’ in the request body needs to be replaced with an admin EID (e.g., ‘a.name’), you can configure Autorize to make this adjustment.

You configure this by adding the match and replace rule here.

Customizing Filters and Handling Responses

You can select the type of requests that you want to see under the Table Filter bar:

  • Bypassed!: the endpoint may be vulnerable to IDOR,
  • Is enforced!: the endpoint seems to be protected, but re-check it once,
  • Enforced!: the endpoint is clearly protected against IDOR.

Finally, you can save and export the filtered data for further analysis using the Save/Restore tab.

Practical Demonstration of Autorize in Action

Let’s do a quick demonstration to make this easy to understand. For this practical we are going to use the pre-built PortSwigger lab “Method-based access control can be circumvented”. Click “Access the lab” and browse to the application.

This lab demonstrates a Broken Access Control vulnerability with two users of different roles, one higher- and one lower-privileged. The same concept can be applied to same-level users.

First, we have to capture the cookies for the low-privileged user (normal user). We are using the default normal user credentials,

Wiener:peter

and log in to the application to capture the session cookie.

Then update some more details in the account.

You will see the session cookie captured in the login request, as shown below. Now copy this Cookie header.

Add this Cookie header value in the Autorize tab as shown below,

and turn Autorize on.

Now, to check for an auth bypass, we have to log in as the high-privileged (admin) user. Go to the login page again and use the admin credentials to log in,

Administrator:admin

After logging in successfully, browse all the admin-only URLs. You will then see some highlighted requests under the Autorize tab.

Interpreting Results and Understanding Authorization Statuses

The Authz. Status column indicates which endpoints are accessible to wiener (the normal user).

The Unauth. Status column covers unauthenticated users: the request is replayed with the cookie and all authorization headers removed. You can disable this by deselecting the “Check unauthenticated” option in the Autorize configuration tab.

Red [Bypassed!]: the endpoint could be vulnerable to access control/IDOR issues.

Orange [Is enforced!]: the endpoint seems to be protected, but cross-check manually by replacing the cookie value.

Green [Enforced!]: the endpoint is clearly protected against access control/IDOR issues.

As visible in the image above, requests 1, 2, 6, and 7 have a broken access control issue.

Keep in mind not to follow the Autorize results blindly. A red highlight does not mean that every such endpoint is vulnerable or bypassed; there may be false positives, so you must cross-check.

Another possible scenario: suppose you are testing auth issues with two users at the same level. You may see Authz. Status showing Bypassed! and Unauth. Status showing Enforced!. In that case the request has an improper authorization issue: the endpoint can be accessed by the second user, but authorization is correctly enforced for unauthenticated users.

When you select any highlighted request, the detailed modified, original and unauthenticated requests and responses appear on the right-hand side.
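As an added illustration (not code from the lab or from this page) of the flaw class the lab is named after, here is a constructed route check that requires the admin role only for POST, beside a hardened check that keys the role decision on the protected path regardless of method and rejects unknown verbs before any authorization decision. The `User` type, `ALLOWED_METHODS` and the `/admin-roles` path are assumptions for the example.

```python
from collections import namedtuple

User = namedtuple("User", "name role")
ALLOWED_METHODS = {"GET", "POST"}  # constructed allowlist for the example

def vulnerable_is_allowed(user, method, path):
    """Constructed weak check: the admin role is required only for POST,
    so the same action sent with another verb is never gated."""
    if method == "POST" and path.startswith("/admin"):
        return user.role == "admin"
    return True

def hardened_is_allowed(user, method, path):
    """Fix: the role check depends on the protected path, not on the verb."""
    if path.startswith("/admin"):
        return user.role == "admin"
    return True  # public area

def handle(check, user, method, path):
    """Status the constructed app would send for one request."""
    if method not in ALLOWED_METHODS:
        return 405  # unknown verbs never reach the authorization check
    if not check(user, method, path):
        return 401
    return 200
```

With the hardened check, an Autorize run against /admin-roles with wiener’s session shows Enforced! for every method instead of a red Bypassed! row for the verb the weak check forgot.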

That’s a wrap for now. Cheers!

Conclusion

The “Autorize” Burp extension is an essential tool for carrying out comprehensive security reviews. By automating the authorization checks and enabling the testing of restricted areas, it improves the efficiency and effectiveness of security assessments. It is indispensable for conducting thorough tests and identifying vulnerabilities that may only be reachable by authenticated users.