v1.2 - Initial Release

@alpernae alpernae released this 08 Jan 09:47
· 2 commits to main since this release

I'm excited to introduce Auth Mutator, a Burp Suite extension designed to streamline advanced authentication testing and IDOR discovery. Auth Mutator allows you to define complex modification rules, impersonate multiple user roles, and efficiently spot interesting behaviors—all while keeping your original traffic intact.

🌟 Key Features

🎭 Multi-Role Testing

  • User Profiles: Define and manage multiple identities (e.g., "Admin", "User A") with their specific authentication tokens (Headers/Cookies).
  • Dynamic Impersonation: Easily swap the identity of any request by applying a User Role.
  • Granular Control: Edit, toggle, and manage roles directly from the unified dashboard.

⚡ Powerful Replacement Rules

  • Flexible Mutations: Modify headers, body parameters, and URL parameters with precision.
  • Regex Support: Use regular expressions for complex matching and replacement.
  • Role Binding: Link rules to specific User Roles to simulate targeted attacks (e.g., forcing a request to run as "User B" while accessing "User A's" resource).

🔍 Advanced Logging & Analysis

  • Three-Way View: Inspect the Original request, the Modified result, and an optional Unauthenticated probe side-by-side.
  • Smart Diff: Built-in diff viewer highlights exactly what changed in the request and response.
  • Highlight Rules: Define logic (e.g., status codes, body content) to automatically colour-code interesting responses in the log.

🛡 Safe & Efficient Workflow

  • Quick Controls: Toggle proxy interception, scope restrictions, and preview modes instantly.
  • Safe Mode: Preview changes and calculate diffs without sending modified traffic to the target (Preview in Proxy).
  • State Persistence: Automatically saves your configuration, rules, and roles to disk (~/.AuthMutator.json). Integrated Import/Export allows for easy sharing of configurations.

📦 Installation

  1. Download the Auth Mutator.jar from the assets below.
  2. Open Burp Suite -> Extensions -> Installed.
  3. Click Add, select Java as the extension type, and load the JAR file.

Happy Hunting!