authmatrix's People

Contributors

benstew, chan9390, iamaldi, mickayz, viaccoz


authmatrix's Issues

Adding session tokens instead of replacing them

Hi
Working on an app that has multiple session tokens, so in the session token field I've put e.g.
a=1; b=2
When I came to run the test, AuthMatrix had added those tokens to the original request, not replaced them. So in the Cookie field for a request from the above user I'd have something like:
a=5; b=6; a=1; b=2
where a=5 and b=6 came from the original request. Surely AuthMatrix should replace the values of cookies from the original request. If the app is using the first session management values it encounters then the above does not switch users/roles as a=1; b=2 will be ignored.
Is this because AuthMatrix cannot handle multiple session tokens, or some other bug?
Thanks
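
Added example (not AuthMatrix's own code): the two merge strategies the report above contrasts, appending the user's cookies versus replacing the original values by name, plus a duplicate-name check and a raw-request rewrite. The request, header names and cookie values are constructed for the demo.

```python
import re
from typing import List, Tuple

# Added example, not AuthMatrix code: appending a user's session cookies to the
# original Cookie header (the behaviour reported above) versus replacing the
# matching values in place.

def parse_cookie_header(value: str) -> List[Tuple[str, str]]:
    """Split 'a=1; b=2' into ordered (name, value) pairs; empty segments are skipped."""
    pairs = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        pairs.append((name.strip(), val.strip()))
    return pairs


def naive_append(original: str, user_cookies: str) -> str:
    """The problematic merge: the user's cookies are tacked onto the original."""
    if not original:
        return user_cookies
    return original + "; " + user_cookies


def merge_cookies(original: str, user_cookies: str) -> str:
    """Replace cookies named in user_cookies in place, keep the rest, append new ones.
    No name appears twice, so the server cannot fall back on the original session."""
    overrides = dict(parse_cookie_header(user_cookies))
    out, seen = [], set()
    for name, val in parse_cookie_header(original):
        out.append((name, overrides.get(name, val)))
        seen.add(name)
    for name, val in parse_cookie_header(user_cookies):
        if name not in seen:
            out.append((name, val))
            seen.add(name)
    return "; ".join(f"{n}={v}" for n, v in out)


def duplicate_cookie_names(header_value: str) -> List[str]:
    """Names that occur more than once: a quick check that a merge went wrong."""
    names = [n for n, _ in parse_cookie_header(header_value)]
    return sorted({n for n in names if names.count(n) > 1})


# Matches the Cookie header line without consuming the line terminator.
_COOKIE_LINE = re.compile(r"^Cookie:[ \t]*([^\r\n]*)", re.I | re.M)

def rewrite_request(raw_request: str, user_cookies: str) -> str:
    """Swap the session in a raw HTTP request: rewrite the Cookie header with
    merge_cookies, or add one after the request line if there is none."""
    m = _COOKIE_LINE.search(raw_request)
    if m:
        merged = merge_cookies(m.group(1).strip(), user_cookies)
        return raw_request[:m.start()] + "Cookie: " + merged + raw_request[m.end():]
    eol = "\r\n" if "\r\n" in raw_request else "\n"
    head, sep, rest = raw_request.partition(eol)
    return head + sep + "Cookie: " + user_cookies + eol + rest


# Constructed sample request (hypothetical host) mirroring the report's a/b cookies.
SAMPLE_REQUEST = "GET /account HTTP/1.1\r\nHost: app.example\r\nCookie: a=5; b=6\r\n\r\n"

if __name__ == "__main__":
    print("appended:", naive_append("a=5; b=6", "a=1; b=2"))
    print("duplicates:", duplicate_cookie_names(naive_append("a=5; b=6", "a=1; b=2")))
    print("merged:  ", merge_cookies("a=5; b=6", "a=1; b=2"))
    print(rewrite_request(SAMPLE_REQUEST, "a=1; b=2"))
```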

Fix color scheme

As of Burp version 1.7.28 the color scheme has changed. AuthMatrix should be changed to match this.

Improve or Replace POST Parameter field in User Table

The Post Parameter field of the User table was initially just used for adding Static CSRF tokens to requests. There are several more use cases where it may be helpful, but it needs to be updated first.

Use Cases:

  1. If you want to generate a new session token with your first request, use this field to replace the username and password parameters of the login request. Then you can use a Chain to populate the resulting session token into the remaining messages.

  2. If you need unique parameters for each user but do not have a response that can be chained.

For example, say each user of an API has a UserID that is part of the POST body of each request, but these IDs are known values and are not returned from any of the requests.

It would be an interesting auth check to see what happens when users try an incorrect UserID, but it is also important to test requests when UserIDs match the authenticated user's session but don't match another asset (i.e. receiptID, transactionID, etc).

Updates Needed for the POST Parameter field:

  • Support handling more than one token
  • Support handling replacement of GET/URL parameters as well
  • Support replacement of Body when content type is JSON
  • Support restricting this replacement to individual requests, similar to DEST in Chaining (i.e. replace user and password in request 0 but not in any of the other requests)

One possibility up for consideration is just getting rid of this field entirely and replacing it with static values.

For example, the user table will have:

ID | User Name | Cookies | HTTP Header | Static Value 1| Static Value 2 | ... | Role1 | Role 2 | ...

Then the Chains table could be updated to use a static value in certain cases instead of a source message's response. The Destination Regex can determine where in the message it is used.

Export Requests table as CSV

The green/red results are nice, but I'm finding myself having to manually copy/write the data across into a spreadsheet to then pass on to clients.

It would be really awesome if we could export this as a CSV file.

Add Encoding options for Chaining

Say request 1 outputs an ID, but request 2 uses that Base64(ID) as a GET parameter. Find a way to support that. Perhaps with an encoding drop down option in the Chains table.

Support for Authorization headers

When a web application is using OAuth 2.0 authorization flows to access OAuth protected resources, a request looks something along the lines of

GET /resource HTTP/1.1
Host: server.example.com
Authorization: Bearer mF_9.B5f-4.1JqM

Is it possible to use AuthMatrix in this scenario? (i.e. when web applications employ the Authorization HTTP header for providing authentication information)

Thanks.

Request header field is missing ':' separator

When attempting to run any request I always get the following response:

<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Request header field is missing ':' separator.<br />

Idea: Searching Requests Table

In complex applications the Requests Table can get out-of-hand. It would be nice to be able to sort and to search the requests similar to other tabs in Burp (e.g. Target and Proxy tabs).

As it stands right now, if you add a URL, add a bunch more unrelated ones, and then add another similar to the first one, they are not in a logical order and you cannot move (renumber) them, nor sort them, nor search them. It can become slow to determine if a URL is already in the matrix or not.

Feature Request [Live mode, add-cookie context menu]

I had to use AuthMatrix again, and here are a few more feature requests that I thought would be useful for everyone:

1- A right-click context menu to send the cookies/headers from the current request (in proxy/repeater/...) to the config tab of AuthMatrix so that they can be assigned to a defined user. An even smoother option would be to generate a sub-menu for Add-cookie, containing the list of defined users in AuthMatrix.

2- Auto monitoring of URLs passed through the Burp proxy, so that when the user is browsing the application, every proxied request is automatically checked against defined rules. While one can do the same by crawling the app and adding all site contents to AuthMatrix, the live mode will reduce the overall load as well as making it easier to link the actions performed in the UI with back-end requests. This becomes an issue with heavily AJAX-based applications where lots of background requests are processed for a single click/change in the UI. A similar Burp extender named 'Authorize' has already implemented this concept, but that plugin has some other issues making it less convenient to use.

Thank you! :)

Allow multiple regexes to be defined for requests

It would be really useful if I could define multiple regexes for each defined request.

Ideally, on some form of configuration tab, I could:

  • Define regexes in a 'global table'
  • Define whether they are a 'success' or 'failure'
  • Give them some kind of useful real world name/label/description

Then, for each request I can assign one or more of these 'global definitions' to it, and chain them together. Think a basic rules engine type thing:

  • If I had A, B and C in the global table
  • I could assign 'A and B' to one of my requests
  • Or 'A and B and not C' to another
  • Etc

Came across this need while testing an app that had a few different failure-type responses (HTTP error code, custom header style redirect, body text, etc.)

Eg. For unauthenticated users with POST requests to protected endpoints

HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 28 Nov 2016 05:16:16 GMT
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 5.2
X-Frame-Options: SAMEORIGIN
X-Responded-JSON: {"status":401,"headers":{"location":"https:\/\/foo.com\/bar\/baz\/Index?ReturnUrl=%2Ffoo%2Fbar%2FBoinkt"}}
X-XSS-Protection: 1; mode=block
Content-Length: 0
Connection: Close
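
Added example (not AuthMatrix's own code): a minimal version of the 'global table' of named regexes and the 'A and B and not C' rules sketched above, run against the IIS response quoted in this request, which is 200 OK on the status line but carries a 401 in the X-Responded-JSON header. The table entries and the shortened response are constructed for the demo.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example, not AuthMatrix code: named matchers in a global table, combined
# per request with 'and' / 'not', so a header-level 401 is not mistaken for access.

@dataclass(frozen=True)
class Matcher:
    label: str      # human-readable description, as requested in the global table
    pattern: str    # regex applied to the raw response, line by line (re.M)
    kind: str       # "success" or "failure", documentation for the tester

    def matches(self, response: str) -> bool:
        return re.search(self.pattern, response, re.M) is not None


# Constructed global table; the names A/B/C mirror the issue text.
GLOBAL_TABLE: Dict[str, Matcher] = {
    "A": Matcher("200 OK status line", r"^HTTP/1\.1 200 OK", "success"),
    "B": Matcher("ASP.NET 401 inside X-Responded-JSON",
                 r'^X-Responded-JSON: .*"status":401', "failure"),
    "C": Matcher("Not Authorized in body", r"Not Authorized", "failure"),
}


def parse_rule(rule: str, table: Dict[str, Matcher]) -> List[Tuple[str, bool]]:
    """Turn 'A and B and not C' into [(name, negated), ...]; unknown names are rejected."""
    terms = []
    for term in rule.split(" and "):
        term = term.strip()
        negated = term.startswith("not ")
        name = term[4:].strip() if negated else term
        if name not in table:
            raise ValueError(f"unknown matcher {name!r} in rule {rule!r}")
        terms.append((name, negated))
    return terms


def request_succeeded(rule: str, response: str,
                      table: Dict[str, Matcher] = GLOBAL_TABLE) -> bool:
    """Conjunction of the rule's terms: True means the response counts as 'access granted'."""
    return all(table[name].matches(response) != negated
               for name, negated in parse_rule(rule, table))


def verdict(rule: str, response: str, should_have_access: bool) -> str:
    """Matrix-cell style result: PASS when the observed outcome matches the role's
    expected access, FAIL otherwise (including unexpected access)."""
    return "PASS" if request_succeeded(rule, response) == should_have_access else "FAIL"


# Constructed from the response quoted above (header values shortened).
UNAUTHENTICATED_RESPONSE = (
    "HTTP/1.1 200 OK\n"
    "Cache-Control: private\n"
    "Server: Microsoft-IIS/8.5\n"
    'X-Responded-JSON: {"status":401,"headers":{"location":"https:\\/\\/foo.com\\/bar\\/baz\\/Index"}}\n'
    "Content-Length: 0\n"
    "Connection: Close\n\n"
)

if __name__ == "__main__":
    # A status-line-only rule reports access for an unauthenticated user; the
    # combined rule catches the header-level denial.
    print("A            ->", verdict("A", UNAUTHENTICATED_RESPONSE, should_have_access=False))
    print("A and not B  ->", verdict("A and not B", UNAUTHENTICATED_RESPONSE, should_have_access=False))
```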

Feature Request - Live Mode

Investigate how to automatically add requests to AuthMatrix without generating excessive false positives.

Bug: Adding a directory from the Target list

Currently selecting a directory of requests from the Burp Targets list and sending to AuthMatrix causes unexpected behavior. Until fixed, users must manually select specific requests (though multiple can be selected at once).

Automatic Single-User Roles

Potential Idea:

Add an automatic role for each user added that only appears in the Requests Table. These roles will only include that one user and will show up with the column name "username (only)"

This would be helpful for testing cross-user authorization so that you won't need to make a specific role titled "only employee 1" to test an asset owned by employee 1.

Option for GET parameters

My first time using this, but so far it's amazing. In the application I'm testing, they are passing the CSRF token via GET parameter in a few locations. While this is an issue by itself, I still need to test the application logic.

If this is something you would include, I can implement and submit a PR.

Allow role tabs to be dragged/sorted

This is a minor one, and largely aesthetic, but it would be useful to be able to rearrange the role tabs I have created.

Current workaround is to just delete them all and redefine them in the right order, but that is less than ideal.

Requests 'table' UI hangs while testing many requests

The UI doesn't update while testing, and there is basically no indication of whether it's working or has crashed until it is all finished and updates.

It would be good to have some kind of visual indication, either updating each request line/role as it processes, or a progress bar showing how far through it is (possibly with the option to pause/abort)

AuthMatrix Freezing Burp

Not really sure what is going on, but every time I run my requests, this extension will freeze Burp completely. I try to right-click on the user accounts and nothing happens. I have to kill the process and restart Burp. Does anyone else have this problem? If I find out more information about this, I'll let you know, but no obvious logs show up.

need clear instructions on how to use chains & "Enabled" column in chain section missing in version 0.7

@mickayz : first of all, AMAZING extension! :)

The "Enabled" column in the chain section is missing in AuthMatrix version 0.7 (see attached screenshot below)

[attached screenshot: authmatrix_issues]

Could you please provide more details on how chains are supposed to be used if there is no longer a way to select / deselect the chains that are not needed for a particular test?

One additional question.
If we look at provided screenshot in section called "Chains for Authenticating Users", there are 3 chains which will generate a cookie for each of the users that have to be tested. Say there is a timeout set to disconnect users after 10 minutes of no activity. Is it possible to create a chain that will prevent the disconnection of the users?

Is there a way to launch a Burp macro from a chain?

Thanks in advance.
Cheers,

Allow enabling/disabling of users, request, and chains

It would be extremely useful to allow temporary enabling/disabling of users. For example, when I want to quickly check whether a DELETE request can be performed by other users than the owner, I would like to exclude the owner for this request run.

I would see this as a simple checkbox in front of each user row in the user table, which will be taken into account in the request table (no request sent for unchecked but existing users).

Idea: Add permissions grouping

I think it would be useful to have an intermediate mapping of permissions, that is, a level between roles and requests. For example, in an app with many roles, with many permissions per role, where a request is either permitted or denied based on a permission, it could be helpful to be able to group requests into permissions.

What I'm imagining is being able to add headings to the list of requests, and being able to collapse a heading. This may make navigating the list of requests easier.

It may also be handy to be able to configure the permissions assigned to roles.

Load/Update User details from CSV

In the current app I am testing (12+ user roles, auth tokens and CSRF headers, really short timeouts) it is sort of a pain to have to go and manually update the auth tokens and CSRF headers all the time.

I've written some python to externally handle the logins, and spit out the required data, but it's a process of copy/pasting at the moment.

It would be cool if we could import/update the user/roles field with a CSV file or similar.

That way, I could have my external code spit everything out in the right format, then a single copy/paste to update AuthMatrix.

Possibly if a column is missing in the CSV, it just isn't updated in AuthMatrix (so we only have to generate the fields we want to update)

Allow configuration of regex "default case"

The regex now is calculated dynamically based on the response of the initial request, but sometimes it's more useful to have a static regex (e.g. a generic "No permission" message that is present on all authorization-related error pages).

I would see this as a button at the bottom (e.g. "Regex configuration") where you have (at least) two options:

  • Regex based on status code of original response
  • Default static value

Furthermore, a global checkbox whether to invert the regex or not would also be shown in this window. Ideally, upon saving/loading the Authmatrix plugin configuration, this setting would also be taken into account.

Feature: allow loading saved configs with requests to an inaccessible domain

Currently when loading a config, Burp must make each original request again. This is a constraint of the API.

If Burp can't complete the request, possibly due to the domain having changed, it will load all users and roles, but will not load the request.

It would be nice to allow these requests to load anyway so a user could change the domain and keep the request list and role table config.

Allow detecting 'session invalidated'/logged out state, and re-login

It would be cool to be able to auto detect an invalidated/logged out session, and relogin.

Something like:

  • Define a login request (eg. POST /login user=foo&pass=bar), and define which cookies/headers/etc to extract from that on a settings tab or similar.
  • Allow entering account passwords along with the usernames
  • Probably a setting to configure if it should auto-login, and maybe a button for each user; 're-login' or similar (in case you don't want to do it automagically)
  • Being able to customize what denotes a 'logged out/invalid session' would be useful as well (see #20 RE: multiple regexes)

The current workaround to this is to notice when the session is invalid/logged out, and manually issue the request through repeater/similar to login, then manually copy the appropriate tokens over, for each user that you have defined.

I came across this issue while testing an app that had rather forced short timeout windows (and interacting with the session didn't extend it)

Ability to edit base request

It could be nice to make the base request editable from within AuthMatrix. At the moment, if you want to make a change, you have to remove the request from the matrix, make the modification elsewhere (e.g. in repeater) and send it back into AuthMatrix.

Infer "Response Regex" value based on original response

Thank you for this very nice extension.

I think this feature request hasn't been asked before.

Currently, AuthMatrix uses the regex ^HTTP/1\.1 200 OK in the "Response Regex" column after adding a request. That works okay but it is very common to deal with other responses (e.g. 200 - without "OK" at the end - , 204, redirects, etc), so there is a constant need for tweaking the value. It would be really nice to infer the value based on the original response, so if the request I send to AuthMatrix is returning a HTTP/1.1 200 response, then that value would be used in the "Response Regex" column for that particular request (e.g. ^HTTP/1\.1 200)

Regards

Error loading extension in Burp Suite 1.7.18 (Jython 2.7.0 on Windows 7)

Traceback (most recent call last):
File "", line 1, in
OSError: (22, 'Invalid argument', 'E:\Users\*************\AppData\Roaming\BurpSuite\x08apps\x18d8ee9f40c041b0bfec67441aad158e')

at org.python.core.Py.OSError(Py.java:162)
at org.python.modules.posix.PosixModule.absolutePath(PosixModule.java:1166)
at org.python.modules.posix.PosixModule.chdir(PosixModule.java:289)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.python.core.PyReflectedFunction.__call__(PyReflectedFunction.java:186)
at org.python.core.PyReflectedFunction.__call__(PyReflectedFunction.java:204)
at org.python.core.PyObject.__call__(PyObject.java:461)
at org.python.core.PyObject.__call__(PyObject.java:465)
at org.python.pycode._pyx2.f$0(<string>:1)
at org.python.pycode._pyx2.call_function(<string>)
at org.python.core.PyTableCode.call(PyTableCode.java:167)
at org.python.core.PyCode.call(PyCode.java:18)
at org.python.core.Py.runCode(Py.java:1386)
at org.python.core.Py.exec(Py.java:1430)
at org.python.util.PythonInterpreter.exec(PythonInterpreter.java:267)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at burp.n0e.<init>(Unknown Source)
at burp.oub.a(Unknown Source)
at burp.e4b.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

Chains don't enforce request ordering

Chains should have an idea of request dependencies so that all source chains are run first. This is a main issue when you only select one request to run but the chain requires a previous request to run first.

Add regular expression or match/replace to user credentials

It would be AWESOME if AuthMatrix provided a third option for defining what identifies a user. There are countless times I have been on an engagement and wished I could use AuthMatrix to test a request that required modifying part of the request in addition to/instead of changing session cookies. Adding a regexp or simple match/replace would also let me "unwind the manual for-loop" in other parts of the testing process.

If you really wanted to knock it out of the park you could use something like the positions tab from intruder for super flexibility.

Give my best to everyone.

Fail Regex

There may be the need for a failure regex as well in cases where the desired condition can't be mapped with a success regex alone.

eg:
Fail case: "Not Authorized" in response body
Success case: Returns specific user's name (unique to each user and not regex-able)

Don't Save Deleted Items in State File

Currently all deleted Roles, Users, and Messages are still being saved in the state file with a Deleted flag set to True. Removing these items while preserving the correct indexes might take some work.

Stack trace when adding first role after message

Repro:

  1. Clear AuthMatrix state
  2. Send request to AuthMatrix
  3. Create New Role

Stacktrace
Traceback (most recent call last):
File "/AuthMatrix/AuthMatrix.py", line 337, in getInputRoleClick
self._db.getOrCreateRole(newRole)
File "/AuthMatrix/AuthMatrix.py", line 629, in getOrCreateRole
self.arrayOfMessages[messageIndex].addRoleByIndex(userIndex)
UnboundLocalError: local variable 'userIndex' referenced before assignment

Bug: Saving empty states

In certain rare cases, an empty value is written during a state save.

No reliable repro steps as of yet.

A warning will be added in 7.1

Problem when run in Burp on Linux

Hi,
I tried your extension last night on a Windows host and all was fine; however, my main pen-testing system is Linux based (Arch Linux, Jython version is 2.7, never had an issue with this with any other extensions that require it, Java is version 8). I added the extension this morning without issue, until I came to create the users and roles in the extension.
The extension took the names for the new users and roles but displayed nothing, so I checked the log in the extender tab; the output is below:

Traceback (most recent call last):
File "/usr/share/burpsuite/bapps/30d8ee9f40c041b0bfec67441aad158e/AuthMatrix.py", line 327, in getInputUserClick
self._db.getOrCreateUser(newUser)
File "/usr/share/burpsuite/bapps/30d8ee9f40c041b0bfec67441aad158e/AuthMatrix.py", line 568, in getOrCreateUser
self.arrayOfUsers.append(UserEntry(userIndex,
AttributeError: 'java.util.ArrayList' object has no attribute 'append'
Traceback (most recent call last):
File "/usr/share/burpsuite/bapps/30d8ee9f40c041b0bfec67441aad158e/AuthMatrix.py", line 333, in getInputRoleClick
self._db.getOrCreateRole(newRole)
File "/usr/share/burpsuite/bapps/30d8ee9f40c041b0bfec67441aad158e/AuthMatrix.py", line 590, in getOrCreateRole
self.arrayOfRoles.append(RoleEntry(roleIndex,
AttributeError: 'java.util.ArrayList' object has no attribute 'append'
Traceback (most recent call last):
File "/usr/share/burpsuite/bapps/30d8ee9f40c041b0bfec67441aad158e/AuthMatrix.py", line 327, in getInputUserClick
self._db.getOrCreateUser(newUser)
File "/usr/share/burpsuite/bapps/30d8ee9f40c041b0bfec67441aad158e/AuthMatrix.py", line 568, in getOrCreateUser
self.arrayOfUsers.append(UserEntry(userIndex,
AttributeError: 'java.util.ArrayList' object has no attribute 'append'
Traceback (most recent call last):
File "/usr/share/burpsuite/bapps/30d8ee9f40c041b0bfec67441aad158e/AuthMatrix.py", line 333, in getInputRoleClick
self._db.getOrCreateRole(newRole)
File "/usr/share/burpsuite/bapps/30d8ee9f40c041b0bfec67441aad158e/AuthMatrix.py", line 590, in getOrCreateRole
self.arrayOfRoles.append(RoleEntry(roleIndex,
AttributeError: 'java.util.ArrayList' object has no attribute 'append'

If you require any further details please let me know and I'll be happy to help out

Thanks

Dave

Load target configuration using simple format

This is a feature request.

After adding roles and users, AuthMatrix allows you to save and load target configurations, which includes cookies and headers. In many cases, cookies need to be updated for obvious reasons and that's not a problem when you're dealing with a small number of users/roles. However, I came across a use case in which I needed to update more than 15 cookies corresponding to every single role in the application. I was going to work with this target for a while, so I wrote a node script to collect all the cookies programmatically, but unfortunately, I still needed to copy-paste in AuthMatrix.

I noticed that AuthMatrix currently saves target configurations in JSON, but the output includes a lot of fields used internally and it doesn't seem straightforward to construct such output programmatically. Would it be possible to accept files that are easier to construct automatically? For example, something like this:

[
  { 
     "username": "user1",
     "cookies": "cookie=value; othercookie=value2",
     "headers": "myheader: myvalue",
     "roles": ["role1", "role2"]
   },
...
]

Alternatively, if this is already possible, I would appreciate if you could provide an example describing the output AuthMatrix is expecting in order to populate the different fields used in the extension.

Thanks!
