Burpsuite for Pentester: Autorize

Web application security testing is an essential part of protecting online assets. Burp Suite has been a leader in this area for many years and is still used by security professionals as well as ethical hackers. One of the extensions that stands out in the web security testing community is "Autorize", which adds a set of features that simplify authentication and authorization testing.

Autorize = Authenticate + Authorize

Authorization includes any method by which a system grants or revokes permission to access specific data or actions. Authentication, meanwhile, is the process by which an individual or system proves that it is who it claims to be.

Common vulnerabilities detected by Autorize

Autorize is primarily focused on identifying authorization-related vulnerabilities. It can help to identify some of the main types of vulnerabilities, such as:

Remember that the effectiveness of Autorize depends on how well it is configured and how your tests are carried out.

Understanding the working of Autorize

Let's understand how Autorize works. Suppose, for instance, a web application implements user-based roles and supports cookie-based authentication.

Normal User: has access to general functionality but is not allowed to access admin functions or the database (read-only access).
Admin User: has access to all functionality (read/write access).

1. Capture the normal user's cookies and add them to Autorize.
2. Re-log in as the Admin user, access all the admin functionality and update some data in the database.

What will Autorize be doing now? While you browse the application, Autorize captures every request, replaces the administrator's cookie with the normal user's cookies, and sends the modified request to the server. It then compares the server's response: if the server behaves the same way as it did for the legitimate Admin (for example, 200 OK with no errors), the request is highlighted in red as "Bypassed!". A request that the server rejects is shown in green as "Enforced!". It performs this automated test for every request the client sends to the server. With a large application of 30+ dynamic web pages this eases our work considerably: there would be a lot of URLs to test manually, and Autorize does it for you.

Similarly, Autorize detects API endpoint problems in the same way. The authentication method used by the API must be checked: if an API uses a JWT token, you can control that by modifying its Authorization header and identify authentication bypass issues in the API.

Installation and Setup

From the BApp Store, you can download and install the extension. Select BApp Store under Extensions. You can search for 'Autorize' or scroll down to it. Click on it and scroll down on the right-hand side. The extension is built in Python, so you will see that 'Jython' needs to be installed first. Open the link below and download 'Jython Standalone'.

Refer to this link: https://www.jython.org/download.html

After downloading, go to Settings > Extensions and, on the right side under Python environment, browse to the Jython file. The Jython environment is now set up. Restart Burp and follow the same path to install Autorize from the BApp Store. You'll notice that the Install button is now enabled; click it to install. The Autorize tab appears in the tab bar after successful installation.

Navigating and Configuration Options

There are two tabs under the Autorize section: the Request/Response Viewers tab and the Configuration tab.

Request/Response Viewers: this tab displays complete information about the particular request you capture within Autorize and select. The manipulated request is displayed under the Modified Request section, the Original Request tab displays the original/unmodified request, and the Unauthenticated Request tab displays the request sent without any credentials.

Configuration: under the Configuration tab you will see that Autorize is off by default; when you are ready to capture requests, first turn Autorize on. There are also some configuration options for capturing requests and for the server status code; select them depending on your preference. In the Temporary header box you need to put the normal user's token/cookies/header value that you want to substitute into the actual request, i.e. if an application uses a JWT token for its auth mechanism, put that value here. You can either add the auth value manually or use the option below it to fetch it from the last request: if you want to add the Cookie header from the last request, click 'Fetch Cookies header'; if you want to add the Authorization header, click 'Fetch Authorization header'. Generally, session cookies are in the Cookie header and the auth token is in the Authorization header.

Once the session cookies are loaded, you need to instruct Autorize on which requests to intercept and to establish the application's standard behaviour when dealing with unauthorized requests or those with insufficient permissions. Starting with the Enforcement Detector, enter a characteristic of the application's response that can be expected when a user with limited privileges tries to perform an action they lack permission for. In my practice, I've found that utilizing the "Body (simple string): enforced message body contains" option is the simplest to set up and functions effectively. Choose the type and content that aligns with your specific needs and remember to click the "Add filter" button. Note also that the default comparison between multiple filters is "And". Therefore, if the application generates distinct error messages, such as one for trying to read a file and another for attempting to access administrative features, you should create a filter for each scenario and switch the "And" to "Or".

Follow the same procedure for the Unauthenticated Detector.

The interception filter will intercept "Scope items only" regardless of content and, from those requests, will ignore spider requests and URLs containing image extensions. You may select according to your preference and click
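To make the comparison Autorize performs concrete, here is an added Python example (not Autorize's own code) that replays captured admin requests against a constructed in-memory application as the normal user and with no session at all, then applies Enforcement/Unauthenticated Detector filters joined by And or Or to reach the same three verdicts Autorize colours. The fake_server, the session cookies and the paths are all constructed stand-ins for a real target.

```python
# Added example, not Autorize's own code: an offline stand-in for the check it
# performs. SESSIONS, ROLE_CHECKED and fake_server are constructed for the demo.
SESSIONS = {"admin-session": "admin", "user-session": "user"}
ROLE_CHECKED = {"/admin/users"}  # /admin/db/update deliberately lacks the check

def fake_server(method, path, cookie):
    """Hypothetical backend: 302 without a session, 403 when a non-admin
    reaches a role-checked path, 200 otherwise."""
    role = SESSIONS.get(cookie)
    if role is None:
        return 302, "Login required"
    if path in ROLE_CHECKED and role != "admin":
        return 403, "Access denied: insufficient privileges"
    return 200, f"{method} {path} ok"

def detector_matches(filters, combine, status, body):
    """Enforcement/Unauthenticated Detector: ('body', text) or ('status', code)
    filters, joined by 'and' (the default) or 'or'."""
    checks = [value in body if kind == "body" else status == value
              for kind, value in filters]
    return all(checks) if combine == "and" else any(checks)

def classify(original, replayed, filters, combine):
    """The three verdicts Autorize shows: green, red, or yellow."""
    if detector_matches(filters, combine, *replayed):
        return "Enforced!"
    if replayed[0] == original[0] and len(replayed[1]) == len(original[1]):
        return "Bypassed!"  # looks exactly like the admin's response
    return "Is enforced???"  # differs, but no detector fired: tune the filters

def run_autorize(captured, low_priv_cookie, enf, unauth, combine="and"):
    """Replay each captured admin request as the low-privilege user and with
    no session at all, returning (modified, unauthenticated) verdicts."""
    verdicts = {}
    for method, path in captured:
        orig = fake_server(method, path, "admin-session")
        mod = fake_server(method, path, low_priv_cookie)
        noauth = fake_server(method, path, None)
        verdicts[path] = (classify(orig, mod, enf, combine),
                          classify(orig, noauth, unauth, combine))
    return verdicts

CAPTURED = [("GET", "/admin/users"), ("POST", "/admin/db/update"), ("GET", "/profile")]
ENFORCED_FILTERS = [("body", "Access denied")]
UNAUTH_FILTERS = [("body", "Login required")]

if __name__ == "__main__":
    report = run_autorize(CAPTURED, "user-session", ENFORCED_FILTERS, UNAUTH_FILTERS)
    for path, (mod, noauth) in report.items():
        print(f"{path:18} modified: {mod:15} unauthenticated: {noauth}")
```

Note that /profile, which both roles are legitimately allowed to see, is also reported as "Bypassed!", so each red row still needs a human to decide whether the endpoint was meant to be role-restricted. With two body filters joined by "and", the 403 response fires neither filter and falls through to the yellow verdict; switching to "or" is the change the text describes.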