simioni87 / auth_analyzer
Burp Extension for testing authorization issues. Automated request repeating and parameter value extraction on the fly.
License: MIT License
Enable the export feature and remove duplicates of all endpoints. Would love to see that feature.
Match and Replace only replaces one occurrence of the matched value. Let's suppose, user-id in my request occurs 2 times but match and replace will only replace the first instance of the user-id.
If you try to export table data which contains at least one dropped request, it ends with an error and the HTML/XML file is not created.
Export as HTML - Stacktrace:
java.lang.NullPointerException: Response cannot be null
at burp.bp.analyzeResponse(Unknown Source)
at burp.cyn.analyzeResponse(Unknown Source)
at com.protect7.authanalyzer.util.DataExporter.createHTML(DataExporter.java:136)
at com.protect7.authanalyzer.gui.dialog.DataExportDialog.<init>(DataExportDialog.java:113)
at com.protect7.authanalyzer.gui.main.CenterPanel$1.run(CenterPanel.java:132)
at java.base/java.lang.Thread.run(Thread.java:831)
Export as XML - Stacktrace:
java.lang.NullPointerException: Response cannot be null
at burp.bp.analyzeResponse(Unknown Source)
at burp.cyn.analyzeResponse(Unknown Source)
at com.protect7.authanalyzer.util.DataExporter.createXML(DataExporter.java:46)
at com.protect7.authanalyzer.gui.dialog.DataExportDialog.<init>(DataExportDialog.java:117)
at com.protect7.authanalyzer.gui.main.CenterPanel$1.run(CenterPanel.java:132)
at java.base/java.lang.Thread.run(Thread.java:831)
The issue is caused by an attempt to process an empty response (as the original request has been dropped).
Could you fix that please?
Thank you,
Daniel
Hello,
Hope you are well and thanks for your awesome plugin.
While testing with it recently I have noticed that although the first request is made using the HTTP/2 protocol and it's successful, the repeated tampered request with the different JWT auth session fails with the following return message:
HTTP/1.1 505 HTTP Version Not Supported
Seems like the extension sends the request using only HTTP/1.1?
Could you please have a look?
Hope it's an easy fix.
Thanks! :)
Hi simioni87,
I have some test cases where I want a specific parameter to be replaced by a null value.
I tried setting it as the following:
param(Static Value)
Value:
but the request body (in JSON) becomes:
{
"param": ""
}
I hope you can also introduce another option called Null as Parameter Value so that the output becomes:
{
"param": null
}
Thank you so much for this wonderful Burp extension!
I often find myself in situations where I want to replace a string in some part of the request which has no parameter. It'd be great to have such a feature where you can have the request in separate parts (i.e. the first line, all the headers, body) as strings and regex match replace them without relying on parameters.
P.S. AutoRepeater also had such features, which are currently dead.
First of all amazing plugin! Thank you for the work.
Secondly, I noted that when exporting the data to an HTML or XML document, it is not possible to select and export the "Comment" column. This would be really useful as it could add additional information for the pentester when parsing the data from the file.
I am testing an application that is using a session-id provided in a GET parameter (Yeah, should not be used anyway but oh well.. )
I tried to setup a session that should only replace this one URL parameter with a static value (the session of the low-priv user).
I can browse the app but the extension does not seem to replace the URL parameter.
Above is what we initially set up.
Following are the orig. and the request that should have been edited.
The request, where the session-id should have been replaced with the low priv. user's id
What am I doing wrong or is this some weird Burp issue?
Can you add the option:
To add a list of hosts/domains to pass through auth_analyzer. For example, I may be playing with API endpoints in like 5 domains and the table gets populated with data from domains I'm not testing.
Include the option to send the request a selected number of times. For example, I may want to send each request at most two times, then to Repeater.
Hi simioni87,
First of all, thank you for this awesome tool!
I've been using your tool for a while and I just have a problem setting the header's value to null (blank).
I have this header called X-token, I want this header to remain on the request but with a blank value.
I tried the following setup
X-token: �token[blank]�
token(Remove: true)
Value: null
But on the modified request, it is always converted to
X-token: blank
I also tried setting it up as
X-token: //no parameter
X-token: �token[]� //no character in-between []
X-token: �token[ ]� //whitespace in-between[]
X-token: �token[blank]�
token(Remove: false, Extraction: Static Value, Value: )
Value: //whitespace value
But it all ended up using the X-token from the original request.
Can you help me with this, please?
Best regards,
Hello!
The following response:
HTTP/2 302 Found
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: Set-Cookie
Strict-Transport-Security: max-age=31536000;includeSubDomains;preload
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Set-Cookie: xsrf-token=aa7b0494-9f22-XXX; Path=/new; Secure; SameSite=None
X-Frame-Options: SAMEORIGIN
Location: /REDACTED
Content-Length: 0
Date: Fri, 04 Mar 2022 16:21:17 GMT
Is not being picked up by the tool. Could this be due to the fact that there's a Set-Cookie value before this?
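As an added example (not part of this issue and not auth_analyzer's own code), here is a small parser that walks every Set-Cookie header of a raw response instead of stopping at the first one. It uses the 302 response quoted above as sample input, keeping the issue's placeholder values (XXX, /REDACTED), plus a constructed variant with a second, made-up Set-Cookie header placed before the xsrf-token one:

```python
"""Walk every Set-Cookie header of a raw HTTP response.
Added example; not auth_analyzer's code. Sample responses are constructed."""
from typing import Dict, List, Optional, Tuple

# Sample 1: the 302 response quoted in the issue, with CRLF line endings.
SAMPLE_RESPONSE = (
    "HTTP/2 302 Found\r\n"
    "Vary: Origin\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "Access-Control-Expose-Headers: Set-Cookie\r\n"
    "Strict-Transport-Security: max-age=31536000;includeSubDomains;preload\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Xss-Protection: 1; mode=block\r\n"
    "Set-Cookie: xsrf-token=aa7b0494-9f22-XXX; Path=/new; Secure; SameSite=None\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Location: /REDACTED\r\n"
    "Content-Length: 0\r\n"
    "Date: Fri, 04 Mar 2022 16:21:17 GMT\r\n"
    "\r\n"
)

# Sample 2 (constructed): the same response with an additional Set-Cookie
# header placed before the xsrf-token one. A parser that keeps only the
# first or only the last Set-Cookie would lose one of the two cookies.
SAMPLE_TWO_COOKIES = SAMPLE_RESPONSE.replace(
    "Set-Cookie: xsrf-token",
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\nSet-Cookie: xsrf-token", 1)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (lowercased name, value) pairs in wire order, keeping duplicates.
    Set-Cookie headers must never be folded into one comma-joined value
    (RFC 6265 section 3), so a list is used rather than a dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs: List[Tuple[str, str]] = []
    for line in head.split("\r\n")[1:]:  # element [0] is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def status_code(raw: str) -> int:
    """Status code from the status line; works for HTTP/1.1 and HTTP/2 text."""
    return int(raw.split("\r\n", 1)[0].split()[1])


def set_cookies(raw: str) -> Dict[str, str]:
    """Cookie name -> value for every Set-Cookie header. Only the leading
    name=value pair is the cookie; Path, Secure, SameSite etc. are attributes."""
    cookies: Dict[str, str] = {}
    for name, value in parse_headers(raw):
        if name != "set-cookie":
            continue
        pair = value.split(";", 1)[0]
        if "=" not in pair:
            continue
        cname, cval = pair.split("=", 1)
        cookies[cname.strip()] = cval.strip()
    return cookies


def cookie_value(raw: str, cookie_name: str) -> Optional[str]:
    """Value of one named cookie, or None if the response does not set it."""
    return set_cookies(raw).get(cookie_name)


if __name__ == "__main__":
    for sample in (SAMPLE_RESPONSE, SAMPLE_TWO_COOKIES):
        print(status_code(sample), set_cookies(sample))
```

The point of the second sample is that a preceding Set-Cookie header is harmless to a parser that iterates over the header list; the xsrf-token value is found in both cases.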
Hey simioni87, I can't find the option to send to auth_analyzer on the Logger, but I can find the option to send to other plugins. Could you please add the functionality to receive requests from the Logger? There's a scenario where one can use other plugins to batch parse API docs like swagger-ui, insert default parameters, and then forward them in bulk to auth_analyzer for preliminary validation of unauthorized and privilege escalation requests.
Hi @simioni87!
First of all thank you for this extension - it's really well done. I'm trying to use it for my day-to-day operations but came across a problem replacing path values.
Say I have a request to :
GET /api/v1/user/12345/details
and want to replace it with:
GET /api/v1/user/admin/details
For this to work I was trying to use the static value replacement, e.g.:
This should work right? However, it's turning it into:
(that is GET /api/v1/smart/users/12345/admin/1.1)
Maybe this is a bug or am I doing something wrong?
Thanks!
Further to my previous ticket for an authentication matrix, I came up with this new idea. How about being able to set the current User context? Let me try to explain.
Let's say I have the following user roles:
Admin
Operator
User
The process would be the following:
Admin: having access to endpoints and feature limited to this role
Operator
User
When crawling under the user roles listed above, there should be an option in the UI like a checkbox to select the current user role for intercepted requests; this would cause the relevant column in the matrix table to be set to something like N/A or Select Context. This would create a complete matrix of all available endpoints/features and the access rights of each configured user.
Exporting this as a CSV table and putting it in a pentest report would add a lot of value to customers. Also, this option would be amazing and simplify privileges escalations checks.
Please let me know what you think of this feature.
Note: In this case there will be no need for the drop original request button as the original request will be the one associated with the selected user context.
Hello,
when reviewing results, I like to expand the diff view in order to maximise visible information. Currently, the expanded view doesn't allow switching between sessions. So I have to collapse the view, switch to the new context, then re-enable the expanded view. Distracting and time-consuming...
I'd like to have a button, visible only in expanded view, where I can switch from ORIGINAL/SESSION1 to ORIGINAL/SESSION2 or ORIGINAL/SESSION3. Would that make sense?
In an ideal world, this action (switching to another pair) would also be associated with Left / Right when the logs table is focused (I'm not even sure that's possible).
Thanks for the extension, the more I dig in the more I appreciate it!
Hi folks!
Basically this would be a new option where the user could enter a couple of rules that would complement or override the checks used to consider if something is different or not. A quick example would be this: 200 vs 204. The user could then append a rule saying if request_1 == 200 & if request_1 == 204 -> vulnerable
This could be iterated to also tweak the response length / difference analysis (that I'm not sure how it is done right now); so assuming it's something like if 95% equal -> vulnerable, the user could tweak the 95% to be e.g. 80%.
Just an idea, the extension already works perfectly. Thanks!
The features allowing to import from / export to JSON files seem to have disappeared (tested on v1.1.13 from December 2022). Am I missing a new button or menu?
I'm using the BApp Store Auth Analyzer. I just mentioned some header names to remove and made sure the exclude http method option was unchecked, with no other tweaking. Auth Analyzer is removing the headers but switching the methods to OPTIONS in every request. How do I make it not switch the method?
Hi there,
Thank you for this awesome tool!
It has been very useful to me.
Just wonder if you could add in a feature where I could export table data to a file?
And subsequently import that file containing the table data into burp to view table data within auth_analyzer tab again?
I feel that would be very useful.
Thank you!
Hello,
Is it possible to add the functionality to filter on request body (contains or not contains) and response body (contains or not contains)?
I think it could be very useful.
For some reason, even though I can send requests to Auth Analyzer from the Proxy History, if I select requests in the Organizer tab, I cannot do the same from there.
Hopefully should be a quick fix, this would be a great addition!
Hi there,
Currently (at least with the latest app available in Burp App Store) two 302 responses will be considered and shown as "SAME" in the result tab.
During my testing, I often see the case where two requests will receive 302, but for different reasons:
These pairs of requests/responses will appear in the result tab as "SAME". Ideally, an additional filter should be implemented to look at the "Location" header content. If these headers are different, the responses should be shown as "SIMILAR" or "DIFFERENT" but not "SAME".
Amazing work by the way, I really like your extension! Thanks a lot!
Cheers,
A.
Hi!
Many times one telltale sign of an authorization issue is when the response length difference from request A and request B is the same (or very similar). This applies when the server responds 200 OK and only differs in the actual response (e.g. JSON output).
The suggestion is to add a new response length difference column on the main table:
This would be super helpful!
To increment this feature and to distinguish from other tools out there, I would allow the ability to set an "offset" of what is tolerable as vulnerable or not. E.g., an offset of 10 bytes means that if the response length difference was between -10 < X < +10 it would still be considered an issue.
Thanks!
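The three requests in this thread for a tunable comparison (explicit rules for status codes, a Location check for redirects so that two 302s to different places are not reported as SAME, and a response-length column with a tolerance offset) can be written as one small classifier. This is an added example, not auth_analyzer's own comparison logic, which the issues do not describe; the sample responses are constructed, and the default 0.95 similarity ratio and 10-byte offset are assumptions taken from the numbers mentioned above:

```python
"""Classify a pair of responses as SAME / SIMILAR / DIFFERENT with explicit,
tunable rules. Added example; not auth_analyzer's comparison logic. All
sample responses below are constructed; thresholds are assumptions."""
import difflib
from typing import Dict, Tuple


def parse_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw response into (status code, lowercased header map, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def length_difference(raw_a: str, raw_b: str) -> int:
    """Body length of B minus body length of A (the proposed table column)."""
    return len(parse_response(raw_b)[2]) - len(parse_response(raw_a)[2])


def classify(raw_a: str, raw_b: str, *, ratio_threshold: float = 0.95,
             length_offset: int = 10) -> str:
    """Rules, applied in order (assumed; adjust to taste):
    1. different status codes                       -> DIFFERENT
    2. both redirects, different Location header     -> DIFFERENT
    3. byte-identical bodies                         -> SAME
    4. body lengths within +/- length_offset bytes   -> SIMILAR
    5. difflib ratio >= ratio_threshold              -> SIMILAR
    6. otherwise                                     -> DIFFERENT
    SAME or SIMILAR for a request repeated with a lower-privileged session
    is the signal that deserves a manual look."""
    status_a, headers_a, body_a = parse_response(raw_a)
    status_b, headers_b, body_b = parse_response(raw_b)
    if status_a != status_b:
        return "DIFFERENT"
    if 300 <= status_a < 400 and headers_a.get("location") != headers_b.get("location"):
        return "DIFFERENT"
    if body_a == body_b:
        return "SAME"
    if abs(len(body_a) - len(body_b)) <= length_offset:
        return "SIMILAR"
    if difflib.SequenceMatcher(None, body_a, body_b).ratio() >= ratio_threshold:
        return "SIMILAR"
    return "DIFFERENT"


# Constructed samples: two redirects to different places, two 200 responses
# that differ only in the user name, and a 403.
REDIRECT_LOGIN = "HTTP/1.1 302 Found\r\nLocation: /login\r\nContent-Length: 0\r\n\r\n"
REDIRECT_HOME = "HTTP/1.1 302 Found\r\nLocation: /home\r\nContent-Length: 0\r\n\r\n"
OK_ALICE = ('HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n'
            '{"user":"alice","role":"admin"}')
OK_BOB = ('HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n'
          '{"user":"bob","role":"admin"}')
FORBIDDEN = ('HTTP/1.1 403 Forbidden\r\nContent-Type: application/json\r\n\r\n'
             '{"error":"forbidden"}')

if __name__ == "__main__":
    print(classify(REDIRECT_LOGIN, REDIRECT_HOME))   # DIFFERENT (Location differs)
    print(classify(OK_ALICE, OK_BOB), length_difference(OK_ALICE, OK_BOB))
```

With the defaults, the two 200 responses land in SIMILAR through the length rule (2 bytes apart); with the offset set to 0 the decision falls to the difflib ratio, which for these bodies is about 0.87, so the outcome then depends on the threshold the tester picks.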
When you are working with the DELETE/PUT method to delete/update something, if the original is sent first the record is gone, so the edited request will fail. It would be nice if auth_analyzer had this option :D
Hello Simioni87, nice to meet you!!!
I have used auth_analyzer for a long time and it is really a great Burp extension for pentesters!!! But I have a question: why not add a "Parameter Addition" function, since you have already realized the function of "Parameter Replacement"? There are several scenarios for this addition function, such as hidden debug modes. For example, some developers like to add "debug=1" in requests (URL, POST param, JSON param etc.) when writing code but delete it in the frontend, yet the debug mode still exists and sometimes it may cause some problems. In this scenario, auth-analyzer can't add a parameter when the original request does not contain a parameter named "debug", so I have to add it in processhttpmessage before auth-analyzer's code. Perhaps you could think about adding this function hahahaha. It is really happy to use your auth_analyzer ^=^
When testing for multiple user roles, there are usually distinctive features set available to each role and we (as pentester) usually want to test each individual role.
To illustrate what I suggest let's say we have three (3) distinct roles:
A thorough test would be to set the tokens for each role and then start manually interacting with the application.
In this case three (3) different left panel views (request and bypass) should be generated, as we would want to test as an Admin whether Doctors and Clients can repeat the request, then test the application as a Doctor and check if Admins and Clients can repeat the requests.
In short what we want is a matrix.
Sorry if I have not been super clear, happy to elaborate on this if needed.
Kind regards,
Alex
Not sure if I found a bug or totally misunderstood what should happen. Here's the details...
How to reproduce:
Outcome:
Expected outcome:
Possible workaround: I could use "Repeat Request" from the extension contextual menu as a work-around (I tried, no extra requests are sent). Only problem: I can't map this action to a shortcut unlike Repeater's Send button. Efficiency--
And thanks for the extension!
Using 1.1.13 and have configured a CSRF match which is working fine, as I can see the value being populated in the header I've specified.
The problem is it's not replacing the parameter found in the following multipart request body. Not shown in the image above is that it's just a POST request.
Am I missing something or should the _csrf be replaced with my value?
thanks
For ease-of-use sake, could you please consider implementing an anonymous session feature, where the extension would be checking for unauthenticated requests?
Alternatively, how could this be achieved with Authorization Bearer?
Thanks,
Alex
Hi @simioni87
Super extension, just a small suggestion would be to make the request/response view (right panel) less visually heavy. This could be done by using a hierarchy, top level would be request and response and when selecting one of those two options then the different user roles request/response would be displayed.
Also, you should have a look at the Autorize extension which use an expand/collapse view. Also, with the latest version of Burp and the split panel there could be more visually pleasing alternatives to my suggestion. Other than that super work, will keep opening tickets if I can think of other improvements.
Best regards,
Alex
EDIT: This is what I mean by simplifying the view.
Hi @simioni87 !
One thing that happens very frequently when doing access control testing is testing the same URLs over and over again. It would be super helpful if the extension supported a very simple URL de-duplication feature; so, if ON, a request that has already been processed by Auth Analyzer (e.g. it's already on the results table) would be ignored.
Even a very basic support of this - e.g. really just comparing a GET request if it's exactly the same (not taking into consideration ?parameters for example) - would be a huge help.
Thanks!
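The de-duplication asked for above, as an added example that is not auth_analyzer's code: a request is identified by method, host and path, optionally by its sorted query parameters, and optionally (going beyond the request in the post) with numeric and UUID path segments collapsed so that repeated visits to the same endpoint with different record ids are also skipped. The URLs and the id patterns are constructed assumptions.

```python
"""De-duplicate requests before they are queued for authorization testing.
Added example; not auth_analyzer's code. Key rules are assumptions."""
import re
from typing import Set
from urllib.parse import parse_qsl, urlsplit

# Path segments that look like record identifiers (assumed patterns).
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
NUMERIC_RE = re.compile(r"^\d+$")


def normalise_path(path: str, collapse_ids: bool) -> str:
    """Optionally replace id-looking segments with '{id}' so that
    /api/users/12345 and /api/users/678 count as the same endpoint."""
    if not collapse_ids:
        return path
    return "/".join(
        "{id}" if UUID_RE.match(seg) or NUMERIC_RE.match(seg) else seg
        for seg in path.split("/"))


def dedup_key(method: str, url: str, *, ignore_query: bool = True,
              collapse_ids: bool = False) -> tuple:
    """Hashable identity of a request for de-duplication purposes.
    Method and host are case-normalised; the path is compared as-is."""
    parts = urlsplit(url)
    key = [method.upper(), parts.netloc.lower(),
           normalise_path(parts.path, collapse_ids)]
    if not ignore_query:
        # Sorted so that parameter order alone does not make a request 'new'.
        key.append(tuple(sorted(parse_qsl(parts.query, keep_blank_values=True))))
    return tuple(key)


class Deduplicator:
    """Remembers what has been processed; should_process() answers the
    'ignore it if it is already in the results table' question."""

    def __init__(self, **options: bool) -> None:
        self.options = options
        self.seen: Set[tuple] = set()

    def should_process(self, method: str, url: str) -> bool:
        key = dedup_key(method, url, **self.options)
        if key in self.seen:
            return False
        self.seen.add(key)
        return True


if __name__ == "__main__":
    dedup = Deduplicator(collapse_ids=True)
    for m, u in [("GET", "https://app.test/api/users/12345"),
                 ("GET", "https://app.test/api/users/678"),
                 ("POST", "https://app.test/api/users/678")]:
        print(m, u, "->", "process" if dedup.should_process(m, u) else "skip")
```

The default (query ignored, ids kept) matches the "exactly the same GET" behaviour suggested in the post; the two options make the filter coarser, which trades a few missed variants for a much shorter results table.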
Hi! Sometimes it would be very useful if we could send an item to the Analyzer even if it is stopped. Basically the context menu from Proxy is already there, however we can only send it when the Analyzer is running; which sort of makes sense. However, if there is a session configured, maybe we could send that particular request - it would be processed by the extension, but if you continue the browsing the analyzer would still be paused.
Does this make sense? It would make some flows easier, e.g. I often only want to test one request from time to time and this way I can send it directly, otherwise I have to go to the extension tab, start it, switch to proxy, send it, switch to extension again and then stop the analyzer 😬
I'm testing an API which uses UUIDs in the URL, which I'm replacing. However, if the URL ends with a parameter without a trailing /, the request gets corrupted. For example:
Original request:
GET /api/account/52983d28-c02c-4e93-9930-d099bc35e795/goal/44c74981-77b3-4bb6-bb3d-183917c6b21d HTTP/1.1
Host: ...
Using Auth Analyzer to replace the account and goal parameters generates this request:
GET /api/account/219e18eb-782b-4d9c-b820-c2e9d385e86b/goal/4763ae23-8c4c-4313-9ed1-2040755d27b6/1.1
Host: ...
It is splitting the parameter up to the / in HTTP/1.1, instead of breaking at the preceding space.
Hi, during the first use of your nice tool I got problems with a web app using HTTP/2. The modified response always returned an HTTP not supported error. Replaying the same request in Repeater didn't give that error message.
When I disabled HTTP/2 in Project Options - HTTP your tool gave the correct results.
Thanks,
Erwin
Hi!
I want to replace a parameter value with a string containing a dollar sign "$". Auth Analyzer url encodes the dollar sign with "%24". In my case, the dollar sign is part of a password inside a JSON body, therefore the authentication fails due to the encoding.
It would be awesome to decide in the parameter replacement options whether to enable/disable the url encoding :)
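Several of the issues above concern the same piece of request surgery: the path replacement that runs on into the "/" of "HTTP/1.1", the match-and-replace that only touches the first occurrence of a user id, the "null" versus "" parameter value in a JSON body, and the "$" in a JSON password being percent-encoded. The following added example (not auth_analyzer's code) shows one rewriter that handles all four by parsing the request line and body before editing them. The two sample requests are constructed; the UUIDs are the ones quoted in the path-replacement issue, the host example.test and the JSON body are made up.

```python
"""Rewrite raw HTTP requests: replace a path segment without touching the
'HTTP/1.1' version token, replace every occurrence of a value in the body,
and set JSON values (null included) without URL-encoding them.
Added example; not auth_analyzer's code. Sample requests are constructed."""
import json
from typing import Any, Dict, List, Tuple

# (method, target, version, header lines, body)
Request = Tuple[str, str, str, List[str], str]


def split_request(raw: str) -> Request:
    """Parse the request line, header lines and body of a raw request."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    return method, target, version, lines[1:], body


def assemble(method: str, target: str, version: str,
             headers: List[str], body: str) -> str:
    """Re-serialise, recomputing Content-Length whenever there is a body."""
    kept = [h for h in headers if not h.lower().startswith("content-length:")]
    if body:
        kept.append(f"Content-Length: {len(body.encode('utf-8'))}")
    return "\r\n".join([f"{method} {target} {version}", *kept]) + "\r\n\r\n" + body


def request_line(raw: str) -> str:
    return raw.split("\r\n", 1)[0]


def body_of(raw: str) -> str:
    return split_request(raw)[4]


def replace_path_segment(raw: str, old: str, new: str) -> str:
    """Replace every path segment equal to `old`. Operating on the parsed
    target instead of the whole request line is what prevents the match
    from running on to the '/' inside 'HTTP/1.1'."""
    method, target, version, headers, body = split_request(raw)
    path, sep, query = target.partition("?")
    path = "/".join(new if seg == old else seg for seg in path.split("/"))
    return assemble(method, path + sep + query, version, headers, body)


def replace_all_in_body(raw: str, old: str, new: str) -> str:
    """Plain-text replacement of every occurrence, not only the first.
    Being text-based it also hits `old` inside unrelated values, which is
    why set_json_value() is preferable for JSON bodies."""
    method, target, version, headers, body = split_request(raw)
    return assemble(method, target, version, headers, body.replace(old, new))


def set_json_value(raw: str, key: str, value: Any) -> str:
    """Set a top-level JSON key through the JSON model: None serialises as
    null (not ""), and characters such as '$' are written verbatim rather
    than percent-encoded, because a JSON body is not a URL-encoded form."""
    method, target, version, headers, body = split_request(raw)
    data: Dict[str, Any] = json.loads(body)
    data[key] = value
    return assemble(method, target, version, headers, json.dumps(data))


# Constructed samples. The UUIDs are the ones quoted in the issue above.
OLD_ACCOUNT = "52983d28-c02c-4e93-9930-d099bc35e795"
NEW_ACCOUNT = "219e18eb-782b-4d9c-b820-c2e9d385e86b"
OLD_GOAL = "44c74981-77b3-4bb6-bb3d-183917c6b21d"
NEW_GOAL = "4763ae23-8c4c-4313-9ed1-2040755d27b6"
PATH_REQUEST = assemble("GET", f"/api/account/{OLD_ACCOUNT}/goal/{OLD_GOAL}",
                        "HTTP/1.1", ["Host: example.test"], "")
# The user id appears twice on purpose (see the match-and-replace issue).
JSON_REQUEST = assemble(
    "POST", "/api/profile", "HTTP/1.1",
    ["Host: example.test", "Content-Type: application/json"],
    '{"user_id": 1001, "owner": {"user_id": 1001}, "param": "x", "password": "old"}')

if __name__ == "__main__":
    rewritten = replace_path_segment(PATH_REQUEST, OLD_ACCOUNT, NEW_ACCOUNT)
    rewritten = replace_path_segment(rewritten, OLD_GOAL, NEW_GOAL)
    print(request_line(rewritten))
    print(body_of(set_json_value(JSON_REQUEST, "param", None)))
    print(body_of(set_json_value(JSON_REQUEST, "password", "p@$$w0rd")))
```

Keeping the request line, headers and body as separate parts (the same split the "replace a string in some part of the request" feature request asks for) is what makes each of these edits safe: the version token is never in scope of a path edit, and the body is edited as JSON rather than as a form string.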