DEV Community

Cover image for Testing Authorization with Auth Analyzer in Burp Suite
whatminjacodes [she/they]
whatminjacodes [she/they]

Posted on

Testing Authorization with Auth Analyzer in Burp Suite

Background

As an Information Security Specialist at 2NS, I get to learn something new about cybersecurity every day. Through this blog, I aim to share insights, tools, and techniques that I find valuable in my work, hoping to help others in the field.

In this post, I’ll be discussing the Auth Analyzer extension and how it can be used to effectively test authorization in web applications.

What is Auth Analyzer?

Auth Analyzer is a Burp Suite extension designed to help security testers evaluate authorization mechanisms in web applications. It automates the process of checking access control vulnerabilities, such as horizontal and vertical privilege escalation. The extension allows testers to define multiple user roles and automatically send requests from these sessions to verify if a user can perform actions or access resources outside their intended permissions.

Tutorial

Let's install and use Auth Analyzer next.

Prerequisites

This tutorial will not cover how to set up the PwnFox extension for your browser and Burp Suite. I have written another tutorial on that, so please check it out first, and then come back here: How to use PwnFox in Burp Suite.

My setup:

  • Ubuntu 22.04.4 LTS
  • Burp Suite Community Edition (free version) with PwnFox extension installed
  • Firefox browser with PwnFox extension installed

Install Auth Analyzer Extension

Installing the Auth Analyzer extension is simple! Just open Burp Suite, go to Extensions -> BApp Store, find Auth Analyzer from the list of available extensions, and click "Install".

Installing the extension

This will add a new tab to Burp Suite, as seen in the screenshot above.

Create an Account for the Test Webpage

Let's use OWASP Juice Shop as an example to use Auth Analyzer with. OWASP Juice Shop is an intentionally insecure web application that "can be used in security trainings, awareness demos, CTFs, and as a guinea pig for security tools!"

Open a new tab container with a color of your choice from the PwnFox browser extension, navigate to OWASP Juice Shop (https://juice-shop.herokuapp.com/#/), and go to Account -> Login from the top right corner of the page.

Login page on the website

Then click "Not yet a customer?".

Registration of a new user

Add some details to the registration form and click "Register." You don't need to use any real information.

Logged in user

After this, you should be able to log in using the credentials you chose. Do the same with another container tab and create a new account with different information. Remember to choose a different tab color so the container will open a new session.

Burp highlighting the different sessions

Now you have two different user sessions open on two different container tabs. Go to Burp Suite and open Proxy -> HTTP history to ensure you get traffic highlighted with two different colors.

Creating Sessions in Auth Analyzer

Next, we can set up the Auth Analyzer extension in Burp Suite. Go to the Auth Analyzer tab in Burp.

Renaming the session

You can double-click on "user1" to rename the session to something you want. I created two users, example-user-1 and example-user-2, so I'll just stick to "user1" and "user2" as my session names.

Finding cookies from requests

Then go to Proxy -> HTTP history and find a request that has a Cookie header set. I chose the "GET /rest/user/whoami" request and copied the entire Cookie header.

Setting cookies in the extension

Go back to the Auth Analyzer tab and paste the copied cookie into "Header(s) to Replace."

Creating a new session

Then click on the three dots next to "user1" and select "Add New Session." Give the session a name and copy the cookie of another user into "Header(s) to Replace", similarly as we did with "user1."

Now you have two different sessions set in Auth Analyzer! When we start the extension, it will send requests to the website using both cookies.

Extension settings

On the right side of the extension, there are some settings. You can add the website you are testing to scope, so the extension will not send the cookies to any external services. One way to do this is by going to the Target tab in Burp.

Adding scope

Go to Target -> Site map to see a list of websites you have browsed while Burp Suite has been proxying traffic. Right-click on "https://juice-shop.herokuapp.com" and select "Add to scope."

Prompt about the scope

You will see a prompt asking if you want Burp to stop sending out-of-scope items to the history and other Burp tools. Click "Yes."

Now we can go back to the Auth Analyzer tab and click the "Analyzer Stopped" button to start the extension.

Testing Access Control with Auth Analyzer

Go back to your browser and start navigating the website. The Auth Analyzer extension tab in Burp should start receiving traffic.

Traffic visible in the extension

The extension will show if the requests sent with different cookies return the "same," "similar," or "different" responses.

If the response is "same," it means both sessions were able to see the same response to the sent request. "Similar" has some similarities but is not exactly the same, and "different" means the response was different for both users.

Click one of the requests on the list. This will show the request and response sent using the different sessions. You can click "Compare view" to see the requests of both users at the same time.

Profile request

As seen in the screenshot above, we can see the request to "/profile" was "same" for "user1" and "different" for "user2." I was using the session of "user1" when navigating to the profile page on the browser, so the response for the request was expected to be the "same" for "user1." It would be an issue if the response for "user2" was also tagged as "same," because it would mean that "user2" was able to see the profile of "user1." Though I guess getting a "500 Internal Server Error" would also be an issue on a real page :D

But this is the basics of how you can test for issues in authorization and access control using Auth Analyzer! Remember to stop the extension after you have navigated through the webpage on the browser window so it will not keep sending multiple requests to the website constantly.

Unath user session

By the way, you can use Auth Analyzer to also check authorization for unauthenticated users by creating a new session and just leaving the Cookie header empty!

That's it!

I hope this blog post helped you to understand how Auth Analyzer can be used for testing authorization and access control!

Follow me on Instagram @whatminjahacks for a behind-the-scenes look at my work as an Information Security Specialist at 2NS, and to learn more cybersecurity tips and insights!

Top comments (0)