forked from Quitten/Autorize
<p>
Autorize is an automatic authorization and authentication enforcement detection extension that identifies access
control vulnerabilities in web applications. It monitors traffic from a high-privileged user, automatically replays
those requests with low-privileged or unauthenticated credentials, and analyzes responses to detect authorization
bypasses and authentication weaknesses.
</p>
<h2>Features</h2>
<ul>
<li>Automatic detection of authorization and authentication enforcement issues by replaying requests with different
privilege levels</li>
<li>Support for multiple low-privileged users with independent enforcement detection and match/replace rules</li>
<li>Configurable enforcement detection using status codes, response headers, body content, regex patterns, and
response length</li>
<li>Flexible interception filters based on scope, URL patterns, HTTP methods, request/response headers and body
content</li>
<li>Visual status indicators showing whether authorization is bypassed, enforced, or requires manual configuration
</li>
<li>HTML and CSV export for reporting</li>
</ul>
<h2>Usage</h2>
<ol>
<li>Navigate to the Autorize tab and open the Configuration section</li>
<li>Add low-privileged user credentials by specifying authorization headers or cookies that will be injected into
replayed requests</li>
<li>Optionally configure enforcement detectors to define custom rules for identifying when authorization is properly
enforced</li>
<li>Set up interception filters to control which requests should be tested (e.g., scope-only, URL patterns, HTTP
methods)</li>
<li>Browse the application as a high-privileged user. The extension automatically repeats every request with the
session of the low-privileged user and detects authorization vulnerabilities.</li>
<li>Review the results table, where each request shows its enforcement status: Bypassed (red), Enforced (green), or
Uncertain (yellow)</li>
<li>Select any entry to compare the original response with the modified low-privileged and unauthenticated responses
</li>
<li>For uncertain results, configure enforcement detectors with specific patterns that indicate proper authorization
enforcement</li>
</ol>
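<p>
The following Python example, added here and not part of Autorize's own code, models the workflow of the steps above
and the detector kinds listed under Features: the high-privileged request has its identity headers swapped for the
low-privileged session (or stripped for the unauthenticated replay), and each replayed response is classified as
Bypassed, Enforced or Uncertain by a list of enforcement detectors. Class and function names, the AND-within-a-detector
/ OR-across-detectors rule, the fallback that treats an identical status and body length as a bypass, and all request
and response data are constructed for this illustration.
</p>

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example, not Autorize's own code: models the replay-and-classify
# workflow described on this page. All names and sample data are constructed.

SESSION_HEADERS = {"cookie", "authorization"}  # headers that carry identity


@dataclass
class Response:
    status: int
    headers: dict
    body: str


@dataclass
class EnforcementDetector:
    """Describes what a properly denied response looks like. Every field that
    is set must match (AND); the detector list in classify() is OR-ed."""
    status_code: Optional[int] = None
    header: Optional[tuple] = None          # (name, substring expected in value)
    body_contains: Optional[str] = None
    body_regex: Optional[str] = None
    min_length_delta: Optional[int] = None  # |len(original) - len(replayed)| >= delta

    def matches(self, original: Response, replayed: Response) -> bool:
        checks = []
        if self.status_code is not None:
            checks.append(replayed.status == self.status_code)
        if self.header is not None:
            name, needle = self.header
            lowered = {k.lower(): v for k, v in replayed.headers.items()}
            checks.append(needle in lowered.get(name.lower(), ""))
        if self.body_contains is not None:
            checks.append(self.body_contains in replayed.body)
        if self.body_regex is not None:
            checks.append(re.search(self.body_regex, replayed.body) is not None)
        if self.min_length_delta is not None:
            delta = abs(len(original.body) - len(replayed.body))
            checks.append(delta >= self.min_length_delta)
        # An empty detector matches nothing, so it can never mark a response Enforced.
        return bool(checks) and all(checks)


def replay_headers(original: dict, low_priv: dict) -> dict:
    """Headers for the low-privileged replay: keep the original request's
    headers except identity ones, then inject the low-privileged session."""
    kept = {k: v for k, v in original.items() if k.lower() not in SESSION_HEADERS}
    kept.update(low_priv)
    return kept


def unauthenticated_headers(original: dict) -> dict:
    """Headers for the unauthenticated replay: identity headers stripped."""
    return {k: v for k, v in original.items() if k.lower() not in SESSION_HEADERS}


def classify(original: Response, replayed: Response, detectors) -> str:
    """Three-state outcome matching the results table: Enforced when any
    detector recognises a denial, Bypassed when the replay reproduces the
    privileged response, otherwise Uncertain (detector needs configuring)."""
    if any(d.matches(original, replayed) for d in detectors):
        return "Enforced"
    if replayed.status == original.status and len(replayed.body) == len(original.body):
        return "Bypassed"
    return "Uncertain"


def run_demo() -> dict:
    # Constructed high-privileged request headers and low-privileged session.
    admin_headers = {"Host": "app.example", "Cookie": "session=ADMIN-SESSION-placeholder"}
    low_priv = {"Cookie": "session=USER-SESSION-placeholder"}

    # Constructed responses: the admin's original and three replays.
    admin_resp = Response(200, {"Content-Type": "application/json"}, '{"id": 42, "role": "admin"}')
    cases = {
        # Low-privileged replay returns the identical record: no authorization check.
        "/api/users/42 (low-priv)": Response(200, {"Content-Type": "application/json"},
                                             '{"id": 42, "role": "admin"}'),
        # Clear denial, recognised by the status-code detector.
        "/api/users/42 (unauth)": Response(401, {"WWW-Authenticate": "Bearer"},
                                           '{"error": "unauthorized"}'),
        # Soft denial: HTTP 200 with a different body, so detector-dependent.
        "/api/reports (low-priv)": Response(200, {"Content-Type": "text/html"},
                                            "<p>Access denied</p>"),
    }
    detectors = [EnforcementDetector(status_code=401), EnforcementDetector(status_code=403)]
    results = {name: classify(admin_resp, resp, detectors) for name, resp in cases.items()}

    # Step 8 above: an Uncertain entry gets a detector for the soft-denial pattern.
    detectors.append(EnforcementDetector(status_code=200, body_regex=r"(?i)access denied"))
    results["/api/reports (low-priv, with detector)"] = classify(
        admin_resp, cases["/api/reports (low-priv)"], detectors)

    results["replay_headers"] = replay_headers(admin_headers, low_priv)
    results["unauth_headers"] = unauthenticated_headers(admin_headers)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

<p>
Running the script shows why the soft-denial case matters: a 200 response whose body differs from the original cannot
be called a bypass, but without a detector that recognises the denial text it also cannot be called enforced, which is
exactly the Uncertain (yellow) state that step 8 resolves.
</p>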