
Auth Analyzer

The extension helps you find authorization bugs. Just navigate through the web application as a high-privileged user and let Auth Analyzer repeat your requests for any defined non-privileged user. CSRF tokens of the non-privileged users are extracted and replaced automatically, and each response is analyzed for its bypass status.

How does it work?

  1. Create a "New Session" for each user role you want to test (e.g. admin, normal_user, unauthenticated, ...).
  2. Paste the session characteristic (e.g. session cookie, Authorization header, ...) for each role into the text area "Header(s) to replace". Use the whole header line (e.g. Cookie: session=123456;). Header(s) can be marked and sent to Auth Analyzer from anywhere via the standard context menu (mark the text and right click).
  3. Optional: define a CSRF token name for each role
    • with a dynamic value (the CSRF token value is grepped automatically whenever it appears in an HTML input tag or a JSON object of a given response)
    • with a static value (the value can be defined)
    • remove the CSRF token (to test the CSRF check mechanism, or for other purposes)
  4. Optional: add your preferred "Grep and Replace" rules. A start and a stop string can be defined for each rule; every grepped value is then replaced according to the Replace rule of the given session.
  5. Define filters so that only relevant requests are processed.
  6. Start the Auth Analyzer.
  7. Navigate through the web application as a high-privileged user and access resources / functions which should not be accessible to your defined roles (sessions). All unfiltered proxy requests are modified, repeated and analyzed (for each role) by Auth Analyzer. The results are displayed in the Auth Analyzer tab.

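As a worked illustration of the replay-and-compare loop that steps 1 to 7 describe, here is a small Python script written for this page. It is not Auth Analyzer's own code: the target application (`fake_server`), the session cookies, the `csrf` parameter, the `/profile` and `/admin/...` paths and the simplified verdict rule in `classify` (same status code, and same body length for BYPASSED versus POTENTIAL_BYPASS) are all constructed assumptions made for the example. What it shows is the mechanism the steps configure: the privileged user's requests are re-sent with each role's "Header(s) to replace", the role's own CSRF token is grepped from its responses and swapped into the replayed body (dynamic, static or removed), and each replayed response is compared against the original.

```python
import json
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Optional

Request = namedtuple("Request", "method path headers body", defaults=[""])
Response = namedtuple("Response", "status body")

@dataclass
class Session:
    """One role under test: full header line(s) to swap in, plus an optional CSRF rule."""
    name: str
    header_lines: list                  # e.g. ["Cookie: session=user456;"]
    csrf_name: Optional[str] = None     # parameter to track; None disables CSRF handling
    csrf_mode: str = "dynamic"          # "dynamic" (grep from responses), "static" or "remove"
    csrf_static: str = ""
    grepped_token: Optional[str] = field(default=None, init=False)

def parse_header_line(line):
    """'Cookie: session=123456;' -> ('Cookie', 'session=123456;')"""
    name, _, value = line.partition(":")
    return name.strip(), value.strip()

def grep_csrf_token(body, name):
    """Pull the token out of an HTML input tag or a top-level JSON key; None if absent."""
    m = re.search(r'<input[^>]*name=["\']%s["\'][^>]*value=["\']([^"\']+)["\']' % re.escape(name), body)
    if m:
        return m.group(1)
    try:
        data = json.loads(body)
    except ValueError:
        return None
    return str(data[name]) if isinstance(data, dict) and name in data else None

def apply_session(req, sess):
    """Rewrite the privileged request so that it is sent as `sess` instead."""
    headers = dict(req.headers)
    for line in sess.header_lines:
        key, value = parse_header_line(line)
        headers[key] = value
    body = req.body
    if sess.csrf_name and body:
        param = r"(^|&)%s=[^&]*" % re.escape(sess.csrf_name)
        if sess.csrf_mode == "remove":
            body = re.sub(param, "", body).lstrip("&")
        else:
            token = sess.csrf_static if sess.csrf_mode == "static" else sess.grepped_token
            if token is not None:
                body = re.sub(param, lambda m: m.group(1) + sess.csrf_name + "=" + token, body)
    return Request(req.method, req.path, headers, body)

def classify(original, repeated):
    """Simplified verdict; an assumption for this example, not the extension's exact rule."""
    if repeated.status != original.status:
        return "NOT_BYPASSED"
    return "BYPASSED" if len(repeated.body) == len(original.body) else "POTENTIAL_BYPASS"

TOKENS = {"admin123": "A1B2C3D4", "user456": "U9X8Y7Z6"}   # constructed: session id -> CSRF token

def fake_server(req):
    """Constructed target application standing in for the real site behind the proxy."""
    m = re.search(r"session=([^;]+)", req.headers.get("Cookie", ""))
    sid = m.group(1) if m else None
    if sid not in TOKENS:
        return Response(401, "login required")
    if req.path == "/admin/users":          # correctly protected endpoint
        return Response(200, "<ul><li>alice</li><li>bob</li></ul>") if sid == "admin123" else Response(403, "forbidden")
    if req.path == "/admin/report":         # constructed missing-authorization bug
        return Response(200, "quarterly numbers: 42")
    if req.path == "/profile" and req.method == "GET":
        return Response(200, '<form><input type="hidden" name="csrf" value="%s"></form>' % TOKENS[sid])
    if req.path == "/profile" and req.method == "POST":
        form = dict(p.split("=", 1) for p in req.body.split("&") if "=" in p)
        return Response(200, "profile updated") if form.get("csrf") == TOKENS[sid] else Response(403, "bad csrf")
    return Response(404, "not found")

def analyze(navigation, sessions, send=fake_server):
    """Replay every privileged request for every session; returns (method, path, role, verdict) rows."""
    results = []
    for req in navigation:
        original = send(req)
        for sess in sessions:
            repeated = send(apply_session(req, sess))
            if sess.csrf_name and sess.csrf_mode == "dynamic":
                token = grep_csrf_token(repeated.body, sess.csrf_name)
                if token:
                    sess.grepped_token = token      # reused in this role's next replay
            results.append((req.method, req.path, sess.name, classify(original, repeated)))
    return results

ADMIN = {"Cookie": "session=admin123;"}
NAVIGATION = [                                  # what the privileged user clicked through
    Request("GET", "/profile", ADMIN),
    Request("POST", "/profile", ADMIN, "name=Alice&csrf=A1B2C3D4"),
    Request("GET", "/admin/users", ADMIN),
    Request("GET", "/admin/report", ADMIN),
]

def run_demo():
    sessions = [Session("normal_user", ["Cookie: session=user456;"], csrf_name="csrf"),
                Session("unauthenticated", ["Cookie: session=none;"])]
    return analyze(NAVIGATION, sessions)
```

Calling `run_demo()` returns one row per request and role. In the constructed application, `/admin/users` comes back NOT_BYPASSED for normal_user (403 instead of 200), while `/admin/report`, which is missing its authorization check, comes back BYPASSED with an identical body; that row is the kind of finding the extension is built to surface. The POST to `/profile` also shows why the CSRF handling in step 3 matters: without the token grepped from the role's own GET response the replay would fail the CSRF check with a 403 and be reported as NOT_BYPASSED, hiding what the role can really do.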
Author Simon Reinhart
Version 1.0.1
Last updated 13 November 2020

You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

You can view the source code for this BApp by visiting our GitHub page.
Follow @BApp_Store on Twitter to receive notifications of all BApp releases and updates.

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.
