Search the Community

auth_analyzer The Burp extension helps you to find authorization bugs. Just navigate through the web application with a high privileged user and let the Auth Analyzer repeat your requests for any defined non-privileged user. With the possibility to define Parameters the Auth Analyzer is able to extract and replace parameter values automatically. With this for instance, CSRF tokens or even whole session characteristics can be auto extracted from responses and replaced in further requests. Each response will be analyzed and tagged on its bypass status. Why should I use Auth Analyzer? There are other existing Burp Extensions doing basically similar stuff. However, the force of the parameter feature and automatic value extraction is the main reason for choosing Auth Analyzer. With this, you don’t have to know the content of the data which must be exchanged. You can easily define your parameters and cookies and Auth Analyzer will catch on the fly the values needed. The Auth Analyzer does not perform any preflight requests. It does basically just the same thing as your web app. With your defined user roles/sessions. GUI Overview (1) Create or Clone a Session for every user you want to test. (2) Save and load session setup (3) Specify the session characteristics (Header(s) and / or Parameter(s) to replace) (4) Set Filters if needed (5) Start / Stop and Pause Auth Analyzer (6) Specify table filter (7) Navigate through Web App with another user and track results of the repeated requests (8) Export table data to XML or HTML (9) Manually analyze original and repeated requests/responses Features Session Creation for each user role Renaming and Removing a Session Clone a Session Set any amount of Headers to replace/add Set Headers to remove Set any amount of parameters to replace Define how the parameter value will be discovered (automatic, static, prompt for input, from to string) Remove a specified parameter Detailed Filter Rules Detailed Status Panel for each Session Pause each Session separately Renew Auto Extracted Parameter Value automatically Repeat Request by context menu Table Data Filter Table Data Export Functionality Start / Stop / Pause the “Auth Analyzer” Pause each Session separately Restrict session to defined scope Filter Requests with same header(s) Drop Original Request functionality Detailed view of all processed Requests and Responses Send Header(s) and/or Parameter(s) directly to Auth Analyzer by Context Menu Autosave current configuration Save to file and load from file current configuration [hide][Hidden Content]]

VMware VeloCloud versions 3.3.0 and 3.2.2 suffer from an authorization bypass vulnerability. View the full article

RSA NetWitness versions prior to 10.6.6.1 and 11.2.1.1 suffer from an issue where an unauthorized attacker can access an administrative resource that may contain plain text credentials to a 3rd party system. View the full article

CUJO Firewall suffered from authorization bypass, denial of service, and user enumeration vulnerabilities. View the full article

ownCloud version 0.1.2 suffers from a user impersonation authorization bypass vulnerability. View the full article