Autorize is a Burp Suite extension that helps penetration testers detect authorization vulnerabilities. Authorization testing is the most time-consuming task in a web application penetration test; besides checking the permissions granted to a user's cookies, the extension can also identify authentication vulnerabilities by sending each request without cookies.
It is sufficient to provide the cookie of a lower-privilege user and walk the application with a higher-privilege user; the extension automatically repeats every request of the session with the lower-privilege user's cookie and detects authorization vulnerabilities.
With a further configuration option, the plugin also repeats the same requests without any cookies to check for authentication issues.
Installation: You can install apps directly within Burp via the BApp Store feature in the Burp Extender tool. You can also download them from here for offline installation into Burp.
Jython standalone JAR file installation: Download the Jython standalone JAR.
After downloading the file from the link above, open Burp Suite and go to
"Burp >> Extender >> Options >> Python Environment >> Select File"
Now choose the Jython standalone JAR file and visit the BApp Store; the Autorize plugin will now be available for installation.
How To Use Autorize
- Open Burp Suite and click on Configuration in the Autorize plugin tab.
- Copy the cookie of the lower-privileged user into the text box containing the text "insert injected header here".
- If the authentication test is not required, you can uncheck "Check unauthenticated" (it is suggested to keep the unauthenticated tests enabled).
- Note that if you want Autorize to check for authorization enforcement, you must click on "Intercept is off". This starts the interception of the traffic.
- Use the Interception Filters tab to restrict which domains Autorize tracks. You can specify a blacklist, whitelist, regex, or items in Burp's scope so that Autorize does not track unnecessary domains and your results stay organized.
The Autorize interface is split into two parts:
- Left part: all requests that Autorize has tested are displayed on the left.
- Right part: the plugin configuration (headers for cookies, filters, tables, enforcement detectors, etc.) and the request and response viewer are visible on the right.
What are interception filters?
The interception filters let you configure which domains Autorize intercepts. You can specify them with a blacklist, whitelist, regex, or items in Burp's scope, in order to avoid unnecessary domains being intercepted by Autorize and to keep the results organized.
The screenshot below shows the plugin's output.
What are the red, green and orange markings?
To identify potential IDORs, Autorize uses different colors to highlight the Autorize Status and Unauth Status columns:
- Red "Bypassed!": the endpoint could be vulnerable to IDOR.
- Orange "Is enforced!": the endpoint seems to be protected, but look anyway.
- Green "Enforced!": the endpoint is clearly protected against IDOR.
- Be careful: a request highlighted in red by Autorize does not mean that the endpoint is necessarily vulnerable. There may be false positives; it is up to you to double-check the output.
Next, compare the response size of each query: if it is the same, go deeper!
- Original Length: the size of the response from our original session (our victim account).
- Modified Length: the size of the response to the same request replayed by Autorize with the attacker's cookies (replayed automatically by Autorize).
- Unauthenticated Length: the size of the response to the same request as our victim account but without any session cookie (to test whether the endpoint is vulnerable to improper access control).
What are the response types?
- Modified Response is the server's response to our victim request sent with our attacker cookies. As we can see, a lot of information is displayed, and an IDOR-type vulnerability seems to exist.
- Original Response is the server's response to our original victim request. It is useful for comparing the responses of our two accounts and detecting false positives.
- Unauthenticated Response is the server's response to the request sent without any auth cookie.
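As an added illustration of the three-way comparison described above (this is not code from Autorize itself), the following Python sketch replays each request with the privileged session, with an injected lower-privilege cookie, and with no cookie against a constructed in-memory application, then derives the Bypassed/Is enforced/Enforced verdicts from status and response length; the demo backend, the cookie values and the enforcement-detector marker strings are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

@dataclass
class Response:
    status: int
    body: str

# Constructed in-memory stand-in for a web application so the example runs offline.
# Cookie "high" is the privileged account being walked, "low" is the injected
# lower-privilege session, and None is the replay without any cookie.
def demo_app(path: str, cookie: Optional[str]) -> Response:
    if cookie is None:
        return Response(401, '{"error":"login required"}')
    if path == "/api/profile/42":
        # Deliberate flaw in the demo backend: no ownership check, so the
        # lower-privilege session receives exactly the same record (an IDOR).
        return Response(200, '{"id":42,"email":"owner@example.test"}')
    if path == "/api/admin/users":
        if cookie != "high":
            return Response(403, '{"error":"forbidden"}')
        return Response(200, '[{"id":42},{"id":7}]')
    if path == "/api/dashboard":
        # Personalised body: same status but a different length per account.
        return Response(200, '{"greeting":"hello %s"}' % cookie)
    return Response(404, "")

def classify(original: Response, replayed: Response,
             enforced_markers=("forbidden", "login required")) -> str:
    """Three-way verdict, labelled like the plugin's status columns."""
    # A 401/403 or an enforcement-detector match (assumed marker strings here)
    # means the server refused the replay: green.
    if replayed.status in (401, 403) or any(m in replayed.body for m in enforced_markers):
        return "Enforced!"
    # Same status and same length as the privileged response: red, check the body.
    if replayed.status == original.status and len(replayed.body) == len(original.body):
        return "Bypassed!"
    # Anything else is ambiguous and needs a manual look: orange.
    return "Is enforced!"

def autorize_row(app: Callable[[str, Optional[str]], Response], path: str,
                 high_cookie: str, low_cookie: str) -> Dict[str, object]:
    original = app(path, high_cookie)   # the request as the tester sent it
    modified = app(path, low_cookie)    # replayed with the injected cookie
    unauth = app(path, None)            # replayed with no session at all
    return {"path": path, "original_len": len(original.body),
            "modified_len": len(modified.body), "unauth_len": len(unauth.body),
            "authz_status": classify(original, modified),
            "unauth_status": classify(original, unauth)}
```

The dashboard row comes back orange because the personalised body changes length between accounts, which is exactly the case where the text above tells you to compare the responses by hand before calling it a bug.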
The Autorize plugin is an automated Burp Suite tool for detecting authorization enforcement vulnerabilities; by configuring it accordingly, authentication test cases can be covered as well.