Friday, February 20, 2015

Autorize - automatic authorization enforcement detection extension for Burp Suite

Autorize


Autorize is an automatic authorization enforcement detection extension for Burp Suite. It was written in Python (it runs under Jython inside Burp) by Barak Tawily, an application security expert at AppSec Labs. Autorize was designed to help security testers by performing authorization tests automatically: every request made by a high-privileged user is replayed with a low-privileged user's session header, and the two responses are compared to decide whether the server enforced authorization.

Installation

  1. Download Burp Suite (obviously): http://portswigger.net/burp/download.html
  2. Download the Jython standalone JAR: http://www.jython.org/downloads.html
  3. Open Burp -> Extender -> Options -> Python Environment -> Select File -> choose the Jython standalone JAR.
  4. Install Autorize from the BApp Store, or install it manually with steps 5 and 6:
  5. Download the Autorize.py file.
  6. Open Burp -> Extender -> Extensions -> Add -> choose the Autorize.py file.
  7. Open the Autorize tab and enjoy automatic authorization detection :)

User Guide - How to use?

  1. After installation, the Autorize tab is added to Burp.
  2. Open the configuration tab (Autorize -> Configuration).
  3. Get the session header of your low-privileged user (the full Cookie or Authorization header line of a session logged in as that user) and paste it into the textbox containing the text "Insert injected header here".
  4. Click "Intercept is off" so that it reads "Intercept is on"; from now on Autorize inspects the traffic passing through Burp and checks each request for authorization enforcement.
  5. Open a browser and configure its proxy settings so the traffic is passed through Burp.
  6. Browse the application you want to test as a high-privileged user, visiting the functions that should be restricted to that user.
  7. The Autorize table shows each request's URL and its enforcement status.
  8. Click a specific URL to see the original and modified request/response side by side and investigate the differences.

Authorization Enforcement Status

There are 3 enforcement statuses:
  1. Authorization bypass! - Red color
  2. Authorization enforced! - Green color
  3. Authorization enforced??? (please configure enforcement detector) - Yellow color
The first 2 statuses are clear: red means the request replayed with the low-privileged header received the same response as the original high-privileged request, and green means the server rejected the replayed request.
The 3rd status means that Autorize cannot determine whether authorization is enforced or not (the two responses differ, but not in a way Autorize recognises as a rejection), so it asks you to configure a filter in the enforcement detector tab.
The enforcement detector filters let Autorize recognise an enforced rejection either by fingerprint (a string that appears in the response body) or by the content-length of the server's response.
For example, suppose a request is reported as "Authorization enforced??? (please configure enforcement detector)". Comparing the original and modified responses, you see that the modified response body contains the string "You are not authorized to perform action". Add a filter whose fingerprint value is "You are not authorized to perform action"; Autorize will then look for this fingerprint in the modified response and automatically mark such requests as enforced. The same can be done with a content-length filter set to the length of the server's rejection response.
A red result should still be confirmed by hand: Autorize only sees that the low-privileged replay got the same response as the original, so a page that serves identical content to every user (or to no particular user at all) will be flagged just like a genuine missing check.
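The following is an added example and not Autorize's own code: a minimal re-implementation of the check described above, written to show how the three statuses arise. It clones a high-privileged request, swaps in the low-privileged Cookie header, replays both against a constructed in-process application (a hypothetical `fake_app`, with made-up paths, tokens and rejection text), and classifies the pair using fingerprint and content-length filters in the same way the enforcement detector does. Everything in it is an assumption for illustration; the extension's real logic runs on Burp's request/response objects.

```python
"""Simplified model of the Autorize authorization check (added example,
not the extension's own code). The target application, its session
tokens and its responses are all constructed in-process."""

from dataclasses import dataclass, field

# Status labels as Autorize displays them.
BYPASS = "Authorization bypass!"
ENFORCED = "Authorization enforced!"
UNKNOWN = "Authorization enforced??? (please configure enforcement detector)"


@dataclass
class Response:
    status: int
    body: str

    @property
    def content_length(self) -> int:
        return len(self.body.encode())


@dataclass
class EnforcementDetector:
    """Filters that identify a rejection: body fingerprints and/or known
    rejection sizes, mirroring the two filter types in the extension."""
    fingerprints: list = field(default_factory=list)
    content_lengths: set = field(default_factory=set)

    def matches(self, resp: Response) -> bool:
        return (any(fp in resp.body for fp in self.fingerprints)
                or resp.content_length in self.content_lengths)


def replay_with_header(request: dict, injected: dict) -> dict:
    """Clone the original request, replacing the session header(s) with the
    low-privileged ones. Header names are case-insensitive, so any existing
    copy is dropped before the injected value is added."""
    modified = {"method": request["method"], "path": request["path"],
                "headers": dict(request["headers"])}
    for name, value in injected.items():
        for existing in list(modified["headers"]):
            if existing.lower() == name.lower():
                del modified["headers"][existing]
        modified["headers"][name] = value
    return modified


def classify(original: Response, modified: Response,
             detector: EnforcementDetector) -> str:
    """Green if a filter recognises the replayed response as a rejection,
    red if the replay got exactly what the privileged user got, yellow otherwise."""
    if detector.matches(modified):
        return ENFORCED
    if modified.status == original.status and modified.body == original.body:
        return BYPASS
    return UNKNOWN


# --- constructed demo application (hypothetical, for illustration only) ---
ADMIN_COOKIE = "session=admin-token"
USER_COOKIE = "session=user-token"
REJECTION = "You are not authorized to perform action"


def fake_app(request: dict) -> Response:
    cookie = request["headers"].get("Cookie", "")
    is_admin = cookie == ADMIN_COOKIE
    path = request["path"]
    if path == "/admin/users":
        # role check present: non-admins get the rejection page
        return (Response(200, "<ul><li>alice</li><li>bob</li></ul>")
                if is_admin else Response(403, REJECTION))
    if path == "/admin/export":
        # authenticates (any session) but never checks the role: a bypass
        return (Response(200, "id,name\n1,alice\n2,bob\n")
                if cookie else Response(401, "login required"))
    if path == "/account/settings":
        # per-user page with no generic rejection string: undecidable
        return Response(200, f"<h1>Settings for {cookie}</h1>")
    return Response(404, "not found")


def run_autorize(paths, injected_header: dict,
                 detector: EnforcementDetector) -> dict:
    """Replay each high-privileged request with the injected header and
    return {path: status}, the content of the Autorize table."""
    results = {}
    for path in paths:
        original_req = {"method": "GET", "path": path,
                        "headers": {"Cookie": ADMIN_COOKIE}}
        original = fake_app(original_req)
        modified = fake_app(replay_with_header(original_req, injected_header))
        results[path] = classify(original, modified, detector)
    return results


if __name__ == "__main__":
    paths = ["/admin/users", "/admin/export", "/account/settings"]
    # Without filters /admin/users is yellow; with the fingerprint it turns green.
    for det in (EnforcementDetector(), EnforcementDetector(fingerprints=[REJECTION])):
        for path, status in run_autorize(paths, {"Cookie": USER_COOKIE}, det).items():
            print(f"{path:20} {status}")
        print()
```

Run it and the first table shows all three paths as yellow except the export endpoint, which is red in both runs because the replay returned byte-for-byte the same CSV; adding the fingerprint (or a content-length filter equal to the rejection page's size) turns `/admin/users` green, while `/account/settings` stays yellow because a per-user page differs without being a rejection. That last case is exactly the one a tester has to resolve by looking at the two responses.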

Comments:

  1. Say Barak, why did you delete the empty functions in noop.php in your patch? I know you wrote you had warnings, but it looks like there shouldn't be any, since those functions are not defined anywhere but there and thus the warnings won't be present in other setups....