autorize's People

Contributors

1lastbr3ath, adendarys, ahri, andresriancho, barak-enso, barakt11, bradmanfordson, dascripter, federicodotta, fruh, hannah-portswigger, hvqzao, irsdl, jpginc, kadawi, legithubert, mgeeky, michael-eaton-portswigger, pajswigger, portswiggersupport, quitten, ramimac, regala, samjoan, technotame, terminaljunki3, vah13, zi0black

autorize's Issues

Feature suggestions for multi headers

Hello, my web application has multiple authentication headers, not just a cookie or token. It adds some other headers, but Autorize only replaces the first header and adds the other headers to the request even if it already has them. I want to replace all of the headers; I think you could add this feature.

Request headers sample:
Cookie: xxx
dt: 1
ai: 2
u: 1486785691
uu: g3E8B0A3-46AE-401D-A90C-E90E4BCBF2D8_1_23
ck: kfd029f2-6203-4cc3-86a6-51da52ue60c2
al: Jq31GmcU7WoIixwvk0aMJUjMgYgAAtCFXXxoDbeMk00f7ZsBHGWMpid9XYZG-ai8dMaDwwtF

Non-ASCII characters in enforcement detector

Hi !

Autorize seems to be allergic to the use of non-ASCII characters (example: "è") in the "enforcement detector" filter (body & full message filter at least).

Filter text was "Accès interdit".
Here is the Python stack (Java stack is skipped) that I obtained and that made me think of an encoding error.

Traceback (most recent call last):
  File "/home/cca/.BurpSuite/bapps/f9bbac8c4acf4aefa4d7dc92a991af2f/Autorize.py", line 37, in processHttpMessage
    handle_message(self, toolFlag, messageIsRequest, messageInfo)
  File "/home/cca/.BurpSuite/bapps/f9bbac8c4acf4aefa4d7dc92a991af2f/authorization/authorization.py", line 128, in handle_message
    checkAuthorization(self, messageInfo,self._helpers.analyzeResponse(messageInfo.getResponse()).getHeaders(),self.doUnauthorizedRequest.isSelected())
  File "/home/cca/.BurpSuite/bapps/f9bbac8c4acf4aefa4d7dc92a991af2f/authorization/authorization.py", line 271, in checkAuthorization
    impression = checkBypass(self, oldStatusCode,newStatusCode,oldContentLen,newContentLen,EDFilters,requestResponse,self.AndOrType.getSelectedItem())
  File "/home/cca/.BurpSuite/bapps/f9bbac8c4acf4aefa4d7dc92a991af2f/authorization/authorization.py", line 238, in checkBypass
    auth_enforced = auth_enforced_via_enforcement_detectors(self, filters, requestResponse, andOrEnforcement)
  File "/home/cca/.BurpSuite/bapps/f9bbac8c4acf4aefa4d7dc92a991af2f/authorization/authorization.py", line 156, in auth_enforced_via_enforcement_detectors
    if str(filter).startswith("Status code equals: "):
UnicodeEncodeError: 'ascii' codec can't encode character u'\xe8' in position 34: ordinal not in range(128)


And by the way, thanks for this awesome extension...!

[Feature request] New Type for the Interception Filters

Hey @Quitten,

Is there any way to filter requests based on a string/regex match in the request body?
For example:
Suppose this is an unwanted request, which I don't want to see:

POST /api/v2/graphql HTTP/2
Host: localhost:1337
Cookie: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 
Content-Type: application/json
Content-Length: 4872
Te: trailers
Connection: close

{
  "operationName": "Usernotification",
  "query": "query Usernotification(}"
}

I want to filter all the requests which have the word Usernotification in the request body.

Currently these are the only available options in the filter tab:

[image: Options]

If there is no way to do it, can you please add more options in the interception filters tab for these scenarios:

Request Body contains (simple string)
Request Body contains (regex)

Request Body NOT contains (simple string)
Request Body Not contains (regex)

Response Body contains (simple string)
Response Body contains (regex)

Response Body NOT contains (simple string)
Response Body Not contains (regex)

PS: I am a great fan of this tool; I use it almost daily :)
Thank you so much for creating this awesome tool.

Inject full HTTP headers

Hi, I would like to have an option where I can choose whether the plugin has to inject just a cookie or a complete header. I found a lot of applications with session management made with cookies and HTTP headers, and I would like to continue to use this amazing plugin.

Thanks guys for your work.

Interception filter disappears after modification

Noticed a bug on the interception filter behaviour. Here are the steps to reproduce:

  1. On the interception filters, click one of the preset filters and click "Modify".
  2. Modify the filter
  3. Add filter
  4. Click the modified filter on the filter list
  5. Click modify again.

Expected result: the filter would be copied to the Content section to allow modification again.
Current result: The filter is deleted.

Let me know if you need any further info.

Repeat requests button

Hi,

It would be great to be able to repeat a selection and/or all the requests using a modified configuration. For example, if you want to retest and the session identifier has changed, or you are repeating the exact same requests with a different user role (with a different session).

Thanks for the extension, keep up the good job!

cheers

Results window becomes quickly cluttered

Problem Statement

Autorize doesn't implement filters like the Proxy and Target tabs do, meaning that large amounts of data (such as a Shodan request from an extension) end up in the window. Limiting to scope is an option, but this is often flexible, and changes in scope aren't reflected post-addition in Autorize.

Proposed Solution

Addition of filters to the results window in the same manner as Proxy or Target.

Only attack burp scope

When scanning a target, it would be great to have the possibility to limit the scan to the suite scope so as not to actively scan any out-of-scope target.

For example, when using Firefox and scanning an in-scope domain, the plugin will send requests to other domains (plugin services, version checks, ...), and this is not what the user expects. It can cause legal issues during a pentest.

Batch of Improvement Ideas

Hi @Quitten

First of all, you created an amazing extension (a bit upset I discovered it just now...)!

As I used it in a real-life scenario, I noticed that a few improvements could be made to make pentesters' lives easier:

  1. Remove duplicate entries: I usually include the CSV output in my penetration test reports, and sometimes I repeat the same requests multiple times as I am manually crawling/interacting with the web app. That means that I end up with a CSV table with many duplicate entries; giving an option to uniq/sort the view/logs would be awesome.
  2. Removing arbitrary rows: I guess that it would not be too hard to implement a feature giving users the possibility to delete specific rows in the view.
  3. Live refresh of the view: when setting filters and regexes, it would be cool if the view/table were automatically refreshed to leave out the rows not matching the filters.

These are just a few minor improvements that would make life much easier.

Again, thanks for this amazing extension!

Alex

Removing cookies already configured

Hi!
Thanks for this great extension!
How can I remove headers already configured in the interface?
Actually, I have to reinstall the extension to remove them.

Is there a feature available?
Thx

Issue loading plugin on latest burp

Detail

Trying to load Autorize results in a crash. Obviously we'd just expect it to load as normal. I'd be happy to provide more detail, but there's not much to say at this point. Any questions or debugging you'd like, please ask.

Versions

Latest Autorize code pulled down today (21/06/2021)
jython-standalone-2.7.2.jar
Burp Suite Professional v2021.6.2-8352 (Early Adopter)

Stack Trace

Traceback (most recent call last):
  File "C:\Users\Censored\Autorize\Autorize.py", line 9, in <module>
    from helpers.initiator import Initiator
  File "C:\Users\Censored\Autorize\helpers\initiator.py", line 14, in <module>
    from threading import Lock
  File "C:\Python27\Lib\threading.py", line 1190, in <module>
    _shutdown = _MainThread()._exitfunc
  File "C:\Python27\Lib\threading.py", line 1082, in __init__
    self._Thread__started.set()
  File "C:\Python27\Lib\threading.py", line 582, in set
    """
  File "C:\Python27\Lib\threading.py", line 286, in __enter__
    return self.__lock.__enter__()
TypeError: __enter__(): expected 1 args; got 0


Extensions should not make HTTP requests in the Swing event dispatch thread on Burp 1.6.17 when sending a request to Autorize

java.lang.RuntimeException: java.lang.RuntimeException: Extensions should not make HTTP requests in the Swing event dispatch thread
at burp.my.a(Unknown Source)
at burp.tyg.makeHttpRequest(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.python.core.PyReflectedFunction.call(PyReflectedFunction.java:186)
at org.python.core.PyReflectedFunction.call(PyReflectedFunction.java:204)
at org.python.core.PyObject.call(PyObject.java:496)
at org.python.core.PyObject.call(PyObject.java:500)
at org.python.core.PyMethod.call(PyMethod.java:156)
at org.python.pycode._pyx1.makeRequest$27(D:\Chrome\burpsuite_pro_v1.6.17\bapps\f9bbac8c4acf4aefa4d7dc92a991af2f\Autorize.py:519)
at org.python.pycode._pyx1.call_function(D:\Chrome\burpsuite_pro_v1.6.17\bapps\f9bbac8c4acf4aefa4d7dc92a991af2f\Autorize.py)
at org.python.core.PyTableCode.call(PyTableCode.java:167)
at org.python.core.PyBaseCode.call(PyBaseCode.java:170)
at org.python.core.PyFunction.call(PyFunction.java:434)
at org.python.core.PyMethod.call(PyMethod.java:156)
at org.python.pycode._pyx1.checkAuthorization$29(D:\Chrome\burpsuite_pro_v1.6.17\bapps\f9bbac8c4acf4aefa4d7dc92a991af2f\Autorize.py:571)
at org.python.pycode._pyx1.call_function(D:\Chrome\burpsuite_pro_v1.6.17\bapps\f9bbac8c4acf4aefa4d7dc92a991af2f\Autorize.py)
at org.python.core.PyTableCode.call(PyTableCode.java:167)
at org.python.core.PyBaseCode.call(PyBaseCode.java:170)
at org.python.core.PyFunction.call(PyFunction.java:434)
at org.python.core.PyMethod.call(PyMethod.java:156)
at org.python.pycode._pyx1.actionPerformed$49(D:\Chrome\burpsuite_pro_v1.6.17\bapps\f9bbac8c4acf4aefa4d7dc92a991af2f\Autorize.py:673)
at org.python.pycode._pyx1.call_function(D:\Chrome\burpsuite_pro_v1.6.17\bapps\f9bbac8c4acf4aefa4d7dc92a991af2f\Autorize.py)

Filter to overrule bypass state

As far as I understand, the "Enforcement Detector" filter is only used on items that are in the "is enforced???" state.
It would be great to have a filter which also gets applied to items detected as "Bypassed!".

My case is this: sites which heavily use 302 redirects produce a large number of false positives.
A valid request gets 302 redirected to /$uuid/whatever, while the modified ones get 302 redirected to /login. This is currently detected as bypassed.

I would love to have a filter that specifies "whenever a 'Location: /login' Header is found, the state is enforced".

Not Catching HTTP Methods

Hey there! Fantastic tool; I've really enjoyed avoiding pasting cookies into Repeater.

I'm having an issue where the tool is missing PATCH and DELETE requests. The requests show up perfectly fine in Proxy, and I don't have any filters for HTTP verbs.

Right click: Send to Repeater

When I'm trying to confirm an autorize finding I want to re-send the modified request. I was expecting to be able to right click on the HTTP request, have the usual context menu that Burp shows, and choose "Send to repeater". Nothing shows up when I right click over the HTTP request.

Feature Request: Authorization Header

I'm pretty new to Autorize, but have enjoyed the tool a lot. If this feature already exists, please correct me, but one thing I've noticed is that when I test APIs, Autorize will only modify the tokens in the Cookie: field. However, it does not modify the Authorization header field and thus does not test for IDOR or other access control issues on requests which use the Authorization: BEARER style token header. For example, I tested a service where Autorize successfully replaced the cookies in the request, but the Authorization header contained the current user's OAuth token rather than the lower-privilege user's. I tried the Match/Replace feature by matching on the Authorization header and replacing it with the lower-privilege auth header, but this didn't seem to work. Maybe I misunderstand this feature. If this is something I could contribute, let me know.

Thanks.

CSRF TOKEN GENERATOR

Hi, is there a way to generate a CSRF token for every user, or grab a CSRF token from another request and then use it for the URL endpoint that you want to test for IDOR, since every user has a different CSRF token?

Unable to delete items from results

The ability to delete results from Autorize in bulk would make cleaning through results much more efficient. Typically I will end up with some incorrect results when setting up my regular expressions that then get in the way when trying to sort by columns for bypassed successful logins later. It would be great to run some tests, delete the bad results and then start my testing.

Auto Packet Capture not working

Auto Packet Capture is not working with the red and green "Autorize" button, and it can't automatically load requests.
It just works with "Send request to Autorize".
Burp 1.7.03,
and Autorize is the latest version from git.

thanks .

Burp 1.7.36 jython Standalone 2.7.0 Non-ASCII character in file

SyntaxError: Non-ASCII character in file '/root/Desktop/burpsuite/Autorize.py', but no encoding declared; see http://www.python.org/peps/pep-0263.html for details


Table settings feature

The Table Filter tab should be changed to Table Settings and support choosing which fields are presented in the results table, so users can add or remove any columns.

In addition, support the following request:

it would be great to keep this issue open to implement the three new columns in the results table to show the status codes of the original, modified and unauthenticated responses.
by @raulsiles

Interception filters

Default filter regex bug: in case one of the strings is in the URL (e.g. jpg), it will be ignored.

Optional Support of other HTTP methods(PATCH,PUT,DELETE)

A nice thing to have would be the ability to select the HTTP methods that Autorize will be replaying (e.g. from the configuration tab), as well as support for methods other than POST/GET/OPTIONS.

At the moment, I don't think that PATCH is supported (at least in the BApp version).

Token in URL parameter

Some APIs receive the token via a GET parameter instead of a request header.

Is it possible to use the Autorize extension in such scenarios?

No list displayed anymore

The request list isn't displayed anymore for some reason; it's empty.
I was working with Autorize without issues; I don't know what happened, if anything.

At Autorize.py 1207, maybe update?

@Quitten hey, at Autorize.py 1207, I think it should be

        if oldStatusCode == newStatusCode:
            if oldContentLen == newContentLen:
                impression = self.BYPASSSED_STR
            
            if len(filters) > 0:
                if andOrEnforcement == "And":

--->

        if oldStatusCode == newStatusCode:
            if oldContentLen == newContentLen:
                impression = self.BYPASSSED_STR
            
                if len(filters) > 0:
                    if andOrEnforcement == "And":
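
The behaviour asked for here and in the 302-redirect report above, as an added Python example that is not Autorize's code: a small model in which the enforcement detectors are evaluated on every replayed response before the status/length comparison, so a "Location: /login" detector overrides a would-be "Bypassed!". Detector type names follow the UI labels, but their semantics and the And/Or combination are assumptions of this model, and detector values are handled as text, which is also what the non-ASCII "Accès interdit" report above needs.

```python
"""
Added example (not Autorize's own code): a model of an Autorize-style verdict
where the Enforcement Detector filters are evaluated for every result, not only
for the "is enforced???" ones, so that a detector such as a Location: /login
header turns a 302-to-302 false "Bypassed!" into "Enforced".
Detector type names are modelled after the UI labels; their exact semantics
here (substring / regex / status match, And/Or combination) are assumptions.
"""
import re
from collections import namedtuple

# A minimal response: status code, ordered (name, value) header pairs, body text.
Response = namedtuple("Response", "status headers body")

BYPASSED = "Bypassed!"
ENFORCED = "Enforced"
UNKNOWN = "is enforced???"


def header_text(response):
    """Render the header pairs as the text a header filter would search."""
    return "\r\n".join("%s: %s" % pair for pair in response.headers)


def detector_matches(detector, response):
    """detector is a (type, value) pair; values are compared as text, so a
    non-ASCII value such as "Accès interdit" works like any other string."""
    kind, value = detector
    if kind == "Status code equals":
        return response.status == int(value)
    if kind == "Headers (simple string)":
        return value in header_text(response)
    if kind == "Headers (regex)":
        return re.search(value, header_text(response)) is not None
    if kind == "Body (simple string)":
        return value in response.body
    if kind == "Body (regex)":
        return re.search(value, response.body) is not None
    raise ValueError("unknown detector type: %r" % (kind,))


def auth_enforced(detectors, response, and_or):
    """With no detectors nothing can prove enforcement; And = all, Or = any."""
    if not detectors:
        return False
    hits = [detector_matches(d, response) for d in detectors]
    return all(hits) if and_or == "And" else any(hits)


def classify(original, modified, detectors=(), and_or="Or"):
    """
    Verdict for one request replayed with the low-privilege session.
    1. A detector hit on the modified response means the server enforced
       authorization, whatever the status/length comparison says.
    2. Otherwise, same status code and same body length as the original is
       reported as bypassed (the status/length heuristic).
    3. Anything else is left for manual review.
    """
    if auth_enforced(detectors, modified, and_or):
        return ENFORCED
    if original.status == modified.status and len(original.body) == len(modified.body):
        return BYPASSED
    return UNKNOWN


if __name__ == "__main__":
    # Constructed sample: the 302-redirect false positive from the report.
    valid = Response(302, [("Location", "/7f3c-constructed-uuid/whatever")], "")
    lowpriv = Response(302, [("Location", "/login")], "")
    print("no detectors:", classify(valid, lowpriv))
    print("Location detector:",
          classify(valid, lowpriv, [("Headers (simple string)", "Location: /login")]))
```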

Colon in filter not working

When there is a colon in a filter, the filter does not work. When editing the filter, everything after the colon is deleted. This is needed for JSON responses.

Filter applied (always shows bypassed)
[image]

Filter being modified (everything after colon removed)
[image]

Also tried using regex with the same results (even escaping colon)

No Scrollbar when content is overflowed from the box

First of all, thanks for such an awesome extension.

When a screen is compact or the screen resolution is low, the content/controls overflow from their box, and the problem is that no scrollbar is shown, so I am unable to access the controls and the different buttons. This leaves me with very limited functionality. Here's a screenshot of this:

Screenshot at 2020-09-08 10-37-18

The button at the bottom is not visible and also not accessible.

Feature Request: Response/Status Codes Differences and Detectors

Congratulations on the Autorize Burp extension!

May I suggest also displaying the differences between the response codes (or status codes, such as 200, 302, 404, 401, 403...) associated with the original, modified and unauthorized responses in the results table, in the same way the lengths of these three responses are currently displayed?

Similarly, I think it would be very useful to include in both the Enforcement Detector and Detector Unauthenticated sections new options in the Type field to easily filter by response code (in the same way you can currently filter by response length). E.g. detect enforcement if the response code is 302 (rather than 200).

If any additional clarification is required, please, let me know.

Header not replaced, but added at the end

Hello,

First of all, thank you for the awesome plugin. I have just one problem with it. Let's say I need to replace the cookies and add a CSRF header in Configuration. This successfully replaces the cookies and adds the new header at the end, but the initial header is still in the request... A concrete example of the Configuration:

Cookie: periscope_domain_id=value; periscope_domain_experiment=; periscope_session=session value;
X-CSRF-Token: YXB8ZV+vTgNh8wdhpN6Ms1qyED+J4rkMR+hjCI4PV8GXP+eW8ZAU/eswvQ0UiJutp18K1dZsXFn3xqmQLynSJA==

The modified request looks like this:

Host: HOST
/**/
X-CSRF-Token: IrnhXEROIJid8zfzyuyg8nq5JrVhlWVtD5VSZnPPN4q81+w6fXOGllvNSRmnYJOvWv9uG3jVKCAXbVe4tx6Vkg==
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36
/**/
Cookie: periscope_domain_id=value; periscope_domain_experiment=; periscope_session=session value;
X-CSRF-Token: YXB8ZV+vTgNh8wdhpN6Ms1qyED+J4rkMR+hjCI4PV8GXP+eW8ZAU/eswvQ0UiJutp18K1dZsXFn3xqmQLynSJA==

As you can see, the first X-CSRF-Token is incorrect and the second one is the correct one. Could I do anything to solve this?
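
What the reports about multiple authentication headers, full-header injection and the duplicated X-CSRF-Token all ask for, as an added Python example that is not Autorize's code: substitute each configured header in place (matching names case-insensitively, as HTTP requires) and append only the ones the request does not already carry. The hostname and every header value are constructed placeholders.

```python
"""
Added example (not Autorize's own code): replace configured session headers in
a raw HTTP request instead of appending them, so a replayed request never ends
up carrying both the original and the substituted Cookie / X-CSRF-Token /
Authorization. All hosts and header values are constructed placeholders.
"""

# Constructed sample: what a tester would paste into the Configuration box.
CONFIGURED_HEADERS = (
    "Cookie: periscope_domain_id=value; periscope_session=LOWPRIV_SESSION\r\n"
    "X-CSRF-Token: LOWPRIV_CSRF_TOKEN\r\n"
    "Authorization: Bearer LOWPRIV_BEARER_TOKEN"
)

# Constructed sample request as captured from the high-privilege browser session.
ORIGINAL_REQUEST = (
    "GET /api/v2/account HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "X-CSRF-Token: HIGHPRIV_CSRF_TOKEN\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: periscope_domain_id=value; periscope_session=HIGHPRIV_SESSION\r\n"
    "Authorization: Bearer HIGHPRIV_BEARER_TOKEN\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_header_block(text):
    """Parse 'Name: value' lines into an ordered list of (name, value) pairs."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not a header line: %r" % line)
        pairs.append((name.strip(), value.strip()))
    return pairs


def replace_headers(raw_request, configured):
    """
    Return raw_request with every configured header replaced in place.
    Field names are matched case-insensitively (HTTP field names are
    case-insensitive), the original position of each header is kept, a second
    occurrence of a replaced header is dropped, and configured headers the
    request lacks are appended just before the blank line ending the headers.
    """
    head, sep, body = raw_request.partition("\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers marker")
    lines = head.split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    wanted = {name.lower(): (name, value)
              for name, value in parse_header_block(configured)}
    seen = set()
    out = []
    for line in header_lines:
        name = line.partition(":")[0].strip().lower()
        if name not in wanted:
            out.append(line)
            continue
        if name in seen:
            continue  # duplicate of a header already substituted above
        seen.add(name)
        new_name, new_value = wanted[name]
        out.append("%s: %s" % (new_name, new_value))
    for name, (new_name, new_value) in wanted.items():
        if name not in seen:
            out.append("%s: %s" % (new_name, new_value))
    return request_line + "\r\n" + "\r\n".join(out) + "\r\n\r\n" + body


def header_values(raw_request, name):
    """All values of header `name` in the request, matched case-insensitively."""
    head = raw_request.partition("\r\n\r\n")[0]
    return [line.partition(":")[2].strip()
            for line in head.split("\r\n")[1:]
            if line.partition(":")[0].strip().lower() == name.lower()]


if __name__ == "__main__":
    print(replace_headers(ORIGINAL_REQUEST, CONFIGURED_HEADERS))
```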

Requests not analysed

I've got a fairly standard setup with Burp; however, requests are not being added to the list automatically. If I add to the list with the context menu, it will be analysed.

Running Burp Pro v1.7.29

Send to Repeater: the protocol is wrong (http/https)

    def __init__(self, extender, callbacks, original):
        self._extender = extender
        self._callbacks = callbacks
        self.original = original

    def actionPerformed(self, e):
        if self.original:
            request = self._extender._currentlyDisplayedItem._originalrequestResponse
        else:
            request = self._extender._currentlyDisplayedItem._requestResponse
        host = request.getHttpService().getHost()
        port = request.getHttpService().getPort()
        # added code: take the scheme from the request's own HTTP service
        proto = request.getHttpService().getProtocol()
        secure = proto == 'https'
        # changed code: pass the real scheme as the useHttps argument
        self._callbacks.sendToRepeater(host, port, secure, request.getRequest(), "Autorize")

Autorize won't work.

I used Burp versions 2020.4 and 2020.5. I could not send any request or cookie to the Autorize plugin. Please verify and fix the issue.

Slow response

Hi,

Autorize works perfectly; however, once I click on the table, its response is really slow, no matter how many requests are in the list.

Using : Burp pro v2021.2.1 in Win 10

Ability to run Authorize on spidered requests

Autorize would be significantly more useful if I could spider an application with Autorize running and then review all of the results. Understandably this would be quite "noisy" and resource heavy, so having it disabled by default would be recommended.

Filter HTTP methods?

I don't want to test some HTTP methods, like PUT/DELETE/OPTIONS, but I can't find a method filter in the menus. How can I filter these methods?

Setting to automatically capture cookies from the last request

Often I'm changing accounts and just want to leave Autorize on in the background to revisit later for an easy "gotcha". This method works, but if I change accounts midway through a test and forget to go to Autorize and recapture cookies, then my test case falls apart.

A setting to automatically capture cookies on the last user driven request to perform tests against would greatly enhance this functionality.
