whatminjacodes [she/they]Background
As an Information Security Specialist at 2NS, I get to learn something new about cybersecurity every day. Through this blog, I aim to share insights, tools, and techniques that I find valuable in my work, hoping to help others in the field.
In this post, I’ll be discussing the Auth Analyzer extension and how it can be used to effectively test authorization in web applications.
What is Auth Analyzer?
Auth Analyzer is a Burp Suite extension designed to help security testers evaluate authorization mechanisms in web applications. It automates the process of checking access control vulnerabilities, such as horizontal and vertical privilege escalation. The extension allows testers to define multiple user roles and automatically send requests from these sessions to verify if a user can perform actions or access resources outside their intended permissions.
Tutorial
Let's install and use Auth Analyzer next.
Prerequisites
This tutorial will not cover how to set up the PwnFox extension for your browser and Burp Suite. I have written another tutorial on that, so please check it out first, and then come back here: How to use PwnFox in Burp Suite.
My setup:
- Ubuntu 22.04.4 LTS
- Burp Suite Community Edition (free version) with PwnFox extension installed
- Firefox browser with PwnFox extension installed
Install Auth Analyzer Extension
Installing the Auth Analyzer extension is simple! Just open Burp Suite, go to Extensions -> BApp Store, find Auth Analyzer from the list of available extensions, and click "Install".
This will add a new tab to Burp Suite, as seen in the screenshot above.
Create an Account for the Test Webpage
Let's use OWASP Juice Shop as an example to use Auth Analyzer with. OWASP Juice Shop is an intentionally insecure web application that "can be used in security trainings, awareness demos, CTFs, and as a guinea pig for security tools!"
Open a new tab container with a color of your choice from the PwnFox browser extension, navigate to OWASP Juice Shop (https://juice-shop.herokuapp.com/#/), and go to Account -> Login from the top right corner of the page.
Then click "Not yet a customer?".
Add some details to the registration form and click "Register." You don't need to use any real information.
After this, you should be able to log in using the credentials you chose. Do the same with another container tab and create a new account with different information. Remember to choose a different tab color so the container will open a new session.
Now you have two different user sessions open on two different container tabs. Go to Burp Suite and open Proxy -> HTTP history to ensure you get traffic highlighted with two different colors.
Creating Sessions in Auth Analyzer
Next, we can set up the Auth Analyzer extension in Burp Suite. Go to the Auth Analyzer tab in Burp.
You can double-click on "user1" to rename the session to something you want. I created two users, example-user-1 and example-user-2, so I'll just stick to "user1" and "user2" as my session names.
Then go to Proxy -> HTTP history and find a request that has a Cookie header set. I chose the "GET /rest/user/whoami" request and copied the entire Cookie header.
Go back to the Auth Analyzer tab and paste the copied cookie into "Header(s) to Replace."
Then click on the three dots next to "user1" and select "Add New Session." Give the session a name and copy the cookie of another user into "Header(s) to Replace", similarly as we did with "user1."
Now you have two different sessions set in Auth Analyzer! When we start the extension, it will send requests to the website using both cookies.
On the right side of the extension, there are some settings. You can add the website you are testing to scope, so the extension will not send the cookies to any external services. One way to do this is by going to the Target tab in Burp.
Go to Target -> Site map to see a list of websites you have browsed while Burp Suite has been proxying traffic. Right-click on "https://juice-shop.herokuapp.com" and select "Add to scope."
You will see a prompt asking if you want Burp to stop sending out-of-scope items to the history and other Burp tools. Click "Yes."
Now we can go back to the Auth Analyzer tab and click the "Analyzer Stopped" button to start the extension.
Testing Access Control with Auth Analyzer
Go back to your browser and start navigating the website. The Auth Analyzer extension tab in Burp should start receiving traffic.
The extension will show if the requests sent with different cookies return the "same," "similar," or "different" responses.
If the response is "same," it means both sessions were able to see the same response to the sent request. "Similar" has some similarities but is not exactly the same, and "different" means the response was different for both users.
Click one of the requests on the list. This will show the request and response sent using the different sessions. You can click "Compare view" to see the requests of both users at the same time.
As seen in the screenshot above, we can see the request to "/profile" was "same" for "user1" and "different" for "user2." I was using the session of "user1" when navigating to the profile page on the browser, so the response for the request was expected to be the "same" for "user1." It would be an issue if the response for "user2" was also tagged as "same," because it would mean that "user2" was able to see the profile of "user1." Though I guess getting a "500 Internal Server Error" would also be an issue on a real page :D
But this is the basics of how you can test for issues in authorization and access control using Auth Analyzer! Remember to stop the extension after you have navigated through the webpage on the browser window so it will not keep sending multiple requests to the website constantly.
By the way, you can use Auth Analyzer to also check authorization for unauthenticated users by creating a new session and just leaving the Cookie header empty!
That's it!
I hope this blog post helped you to understand how Auth Analyzer can be used for testing authorization and access control!
Follow me on Instagram @whatminjahacks for a behind-the-scenes look at my work as an Information Security Specialist at 2NS, and to learn more cybersecurity tips and insights!
