
Autorize

Autorize is an automatic authorization and authentication enforcement detection extension that identifies access control vulnerabilities in web applications. It monitors traffic from a high-privileged user, automatically replays those requests with low-privileged or unauthenticated credentials, and analyzes responses to detect authorization bypasses and authentication weaknesses.

Features

  • Automatic detection of authorization and authentication enforcement issues by replaying requests with different privilege levels
  • Support for multiple low-privileged users with independent enforcement detection and match/replace rules
  • Configurable enforcement detection using status codes, response headers, body content, regex patterns, and response length
  • Flexible interception filters based on scope, URL patterns, HTTP methods, request/response headers and body content
  • Visual status indicators showing whether authorization is bypassed, enforced, or requires manual configuration
  • HTML and CSV export for reporting

Usage

  1. Navigate to the Autorize tab and open the Configuration section
  2. Add low-privileged user credentials by specifying authorization headers or cookies that will be injected into replayed requests
  3. Optionally configure enforcement detectors to define custom rules for identifying when authorization is properly enforced
  4. Set up interception filters to control which requests should be tested (e.g., scope-only, URL patterns, HTTP methods)
  5. Browse the application as a high-privileged user. The extension automatically repeats every request with the session of each low-privileged user (and without credentials) and flags authorization weaknesses.
  6. Review the results table where each request shows enforcement status: Bypassed (red), Enforced (green), or uncertain (yellow)
  7. Select any entry to compare the original response with the modified low-privileged and unauthenticated responses
  8. For uncertain results, configure enforcement detectors with specific patterns that indicate proper authorization enforcement
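As an added illustration (example code, not part of Autorize or this listing), a small Python model of the enforcement-detection step described in the steps above: each replayed response is compared with the high-privileged original, and any configured detector rule (status, header, body, regex, length) marks the request as enforced. The bypass heuristic (same status and body length means bypassed, same status but different length means uncertain) is this example's own approximation of the behaviour described, and all responses are constructed.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

@dataclass
class Detector:      # rule meaning "authorization was enforced" when it matches
    kind: str        # "status", "header", "body", "regex" or "length"
    value: object

def detector_matches(det: Detector, resp: Response) -> bool:
    if det.kind == "status":
        return resp.status == det.value
    if det.kind == "header":             # value = (header name, substring)
        name, needle = det.value
        return needle in resp.headers.get(name, "")
    if det.kind == "body":
        return det.value in resp.body
    if det.kind == "regex":
        return re.search(det.value, resp.body) is not None
    if det.kind == "length":
        return len(resp.body) == det.value
    raise ValueError(f"unknown detector kind: {det.kind}")

def classify(original: Response, replayed: Response, detectors=()) -> str:
    """Return 'Bypassed', 'Enforced' or 'Uncertain' for one replayed request."""
    if any(detector_matches(d, replayed) for d in detectors):
        return "Enforced"
    if replayed.status != original.status:
        return "Enforced"      # server treated the low-privileged session differently
    if len(replayed.body) == len(original.body):
        return "Bypassed"      # same status and size: same content was served
    return "Uncertain"         # same status, different size: needs a detector rule

def run_sample():
    # Constructed responses for GET /api/admin/users (hypothetical endpoint), not real traffic.
    original = Response(200, {"Content-Type": "application/json"}, '{"users":["alice","bob","carol"]}')
    replayed = {
        "viewer":  Response(403, {}, '{"error":"Access denied"}'),
        "unauth":  Response(302, {"Location": "/login?next=/api/admin/users"}),
        "auditor": Response(200, {"Content-Type": "application/json"}, '{"users":["alice","bob","carol"]}'),
        "guest":   Response(200, {"Content-Type": "application/json"}, '{"users":[]}'),
    }
    detectors = [Detector("header", ("Location", "/login")), Detector("body", "Access denied")]
    return {user: classify(original, resp, detectors) for user, resp in replayed.items()}
```

Running `run_sample()` yields Enforced for "viewer" and "unauth", Bypassed for "auditor" and Uncertain for "guest", the last of which is the case where step 8 applies.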

Author

Barak Tawily, AppSec Labs

Version

1.9.0

Last updated

23 January 2026

Estimated system impact

Overall impact: Low

  • Memory: Low
  • CPU: Low
  • General: Low
  • Scanner: Low

You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

You can view the source code for all BApp Store extensions on our GitHub page.

Follow @BApp_Store on Twitter to receive notifications of all BApp releases and updates.

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.
