$ git blame 4: Quitten/Autorize

Apr 18, 20

$ git blame

Hi folks. This continues the ongoing series of short posts where I outline the minor commits I make to security related OSS. Honestly, these posts are mostly for my own benefit, documenting where I found it worth dusting off my coding skills to make my life easier!

The Tool

This post will be discussing my minor commit to Autorize.

Autorize is a hugely useful Burp Suite extension (BApp) that is designed to help security testers by performing automatic authorization tests.

The Problem

When performing a penetration test of a web application, my Autorize workflow involved:

  1. Grabbing a low-privilege authorization cookie/header
  2. Loading that cookie/header into Autorize
  3. Authenticating to the application with the highest-privilege user or role
  4. Turning on Autorize, and navigating the application

When looking at the results in Autorize, I frequently had to manually triage results to figure out where and how authorization was enforced. Most of the time, the easiest way to do this was by comparing the responses. At the time, Autorize didn’t support this natively, and so I found myself spending time copying over each response into Comparer. This only took a minute each time, but after a few rounds of this it quickly got frustrating.

My Contribution

PR#37

To improve this workflow, I implemented a “Send Responses to Comparer” feature for Autorize. Developing this feature was significantly easier as a very similar “Send Request to Repeater” feature was already in place.

Luckily, the Burp Extender API has support for a SendToComparer method. This means that all I had to do was add an Item to the Send Response Menu, and wrap a call to sendToComparer for each of the original, modified, and unauthorized responses in a single class method.

Once it was merged and pushed to the BApp, I’ve been able to use it across a dozen engagements, and breath a sigh of relief each time!