Authentication and authorization security testing is an important test case in any web application penetration test. Authentication ensures that only authorized users can access the application's functionality and resources, while authorization ensures that each user is granted access only to the resources and functions appropriate to their privilege level.
Here are the plugins that let you automate authentication and authorization security testing.
Autorize (For Burp Suite):
GitHub repository: Quitten/Autorize
Automatic authorization enforcement detection extension for Burp Suite, written in Jython and developed by Barak Tawily, in order to ease the work of application security people and allow them to perform automatic authorization tests.
Autorize is an automatic authorization enforcement detection extension for Burp Suite. It was written in Python by Barak Tawily, an application security expert. Autorize was designed to help security testers by performing automatic authorization tests. With the latest release, Autorize also performs automatic authentication tests.
Installation
- Download Burp Suite (obviously): http://portswigger.net/burp/download.html
- Download the Jython standalone JAR: http://www.jython.org/download.html
- Open Burp -> Extender -> Options -> Python Environment -> Select File -> Choose the Jython standalone JAR
- Install Autorize from the BApp Store or follow these steps:
  - Download the Autorize.py file.
  - Open Burp -> Extender -> Extensions -> Add -> Choose the Autorize.py file.
- See the Autorize tab and enjoy automatic authorization detection :)
User Guide - How to use?
- After installation, the Autorize tab will be added to Burp.
- Open the configuration tab (Autorize -> Configuration).
- Get your low-privileged user authorization token header (Cookie / Authorization) and copy it into the…
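The check Autorize automates, as an added example that is not Autorize's own code: every request captured from the high-privileged session is replayed with the low-privileged session header and with no session at all, and each replayed response is compared with the original. The toy application, its endpoints and the session tokens are constructed for the demonstration, and the three verdict labels are Autorize's while the comparison rule is a simplification (assumed here: identical response means bypassed, different status code means enforced, anything else needs a look).

```python
# Added example, not Autorize's code. The toy app, paths and tokens are constructed.

# Constructed sessions: token -> role.
SESSIONS = {"admin-token": "admin", "user-token": "user"}

def toy_app(path, cookie=None):
    """Constructed target with deliberate authorization gaps so the scan has
    something to report. Returns (status_code, body)."""
    role = SESSIONS.get(cookie)
    if path == "/me":                       # any logged-in user, per-user body
        return (200, f"profile of {role}") if role else (401, "login required")
    if path == "/admin/users":              # correctly enforced by role
        return (200, "all users") if role == "admin" else (403, "forbidden")
    if path == "/admin/export":             # checks login only, not role
        return (200, "csv export") if role else (401, "login required")
    if path == "/admin/audit":              # checks nothing at all
        return (200, "audit log")
    return (404, "not found")

def classify(original, replayed):
    """Autorize-style verdict for one replayed request (simplified rule;
    Autorize itself compares content length and optional enforcement-detector
    patterns rather than the full body)."""
    if replayed == original:
        return "Bypassed!"
    if replayed[0] != original[0]:
        return "Enforced!"
    return "Is enforced???"   # same status, different body: review manually

def autorize_scan(paths, high_cookie, low_cookie):
    """Replay each request with the low-privileged session and with no session.
    Returns {path: (low_privileged_verdict, unauthenticated_verdict)}."""
    report = {}
    for path in paths:
        original = toy_app(path, high_cookie)
        report[path] = (classify(original, toy_app(path, low_cookie)),
                        classify(original, toy_app(path, None)))
    return report

if __name__ == "__main__":
    paths = ["/me", "/admin/users", "/admin/export", "/admin/audit"]
    for path, (low, unauth) in autorize_scan(paths, "admin-token", "user-token").items():
        print(f"{path:15} low-priv: {low:15} unauthenticated: {unauth}")
```

The "/me" row shows why the "Is enforced???" verdict exists: a per-user page legitimately returns a different body for each session, so length or body comparison alone cannot decide, and that is the case the enforcement-detector patterns in the configuration tab are meant to settle.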
Access Control Testing add-on (For OWASP ZAP):