
Auth Analyzer

What is it?

This Burp extension helps you find authorization bugs. Just navigate through the web application with a highly privileged user and let the Auth Analyzer repeat your requests for every defined non-privileged user. Because you can define parameters, the Auth Analyzer can extract and replace parameter values automatically; for instance, CSRF tokens or even whole session characteristics can be extracted from responses and replaced in subsequent requests. Each response is analyzed and tagged with its bypass status.

Why should I use Auth Analyzer?

There are other Burp extensions that do basically similar things. However, the power of the parameter feature and the automatic value extraction is the main reason for choosing Auth Analyzer. You don't have to know the content of the data that must be exchanged: you simply define your parameters and cookies, and Auth Analyzer picks up the needed values on the fly. The Auth Analyzer does not perform any preflight requests; it does just the same thing as your web app, with your defined user roles / sessions.

GUI Overview

(1) Create or Clone a Session for every user you want to test.

(2) Save and load session setup

(3) Specify the session characteristics (Header(s) and / or Parameter(s) to replace)

(4) Set Filters if needed

(5) Start / Stop and Pause Auth Analyzer

(6) Specify table filter

(7) Navigate through Web App with another user and track results of the repeated requests

(8) Export table data to XML or HTML

(9) Manually analyze original and repeated requests / responses

Semi Automated Authorization Testing

If the resources you want to test are already in your sitemap, it is very easy and quick to perform your authorization tests. In the very first step, define the sessions you want to test. Then just expand your sitemap, select the resources and repeat the requests through the context menu. Additionally, you can set options controlling which requests are repeated and which are not. This lets you perform authorization tests of a complex website within seconds.

Parameter Extraction

The Auth Analyzer lets you define parameters whose values are replaced before the request is repeated for the given session. The value of a parameter can be obtained in several ways, described below.

Auto Extract

The parameter value will be extracted if it occurs in a response with one of the following constraints:

  • A response with a Set-Cookie Header with a Cookie name set to the defined Extract Field Name

  • An HTML Document Response contains an input field with the name attribute set to the defined Extract Field Name

  • A JSON Response contains a key set to the Extract Field Name

By default the Auth Analyzer tries to auto extract the parameter value from all locations. However, clicking on the parameter settings icon lets you restrict the auto extract location according to your needs.

From To String

The parameter will be extracted if the response contains the specified From String and To String in a line. The From-To String can be set either manually or directly by the corresponding context menu. Just mark the word you want to extract in any response and set as From-To Extract for the parameter you like.

By default the Auth Analyzer tries to extract the value from the header and the body of most textual responses. However, clicking on the parameter settings icon lets you restrict the From-To extract location according to your needs.
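As an added example that is not part of the extension's own code, the following Python reimplements the three Auto Extract constraints (Set-Cookie name, HTML input name, JSON key) and the From-To String extraction against constructed responses; the function names, the location keywords and the sample responses are assumptions made for this illustration.

```python
import json
import re

# Constructed sample responses (not captured from any real application).
LOGIN_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Set-Cookie: PHPSESSID=mb8rkrcdg8765dt91vpum4u21v; Path=/; HttpOnly\r\n"
    b"Location: /home\r\n"
    b"Content-Length: 0\r\n\r\n"
)
FORM_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body><form method='post'>"
    b'<input type="hidden" name="csrf_token" value="tok-1234">'
    b'</form><script>var apiKey = "k-9876";</script></body></html>'
)
JSON_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json\r\n\r\n"
    b'{"user": {"id": 42, "csrf_token": "tok-json"}, "ok": true}'
)


def split_response(raw: bytes):
    """Split a raw HTTP response into its header lines (status line dropped) and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    return lines[1:], body.decode("utf-8", "replace")


def extract_from_set_cookie(name, headers):
    """Constraint 1: a Set-Cookie header whose cookie name equals the field name."""
    for header in headers:
        if header.lower().startswith("set-cookie:"):
            first_pair = header.split(":", 1)[1].strip().split(";", 1)[0]
            key, _, value = first_pair.partition("=")
            if key.strip() == name:
                return value.strip()
    return None


def extract_from_html_input(name, body):
    """Constraint 2: an <input> tag whose name attribute equals the field name."""
    for tag in re.findall(r"<input\b[^>]*>", body, flags=re.I):
        attrs = dict(re.findall(r'([\w-]+)\s*=\s*["\']([^"\']*)["\']', tag))
        if attrs.get("name") == name:
            return attrs.get("value")
    return None


def extract_from_json(name, body):
    """Constraint 3: a JSON key equal to the field name, searched at any depth."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None  # not a JSON response
    stack = [doc]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            if name in node and not isinstance(node[name], (dict, list)):
                return str(node[name])
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
    return None


def auto_extract(name, raw, locations=("cookie", "html", "json")):
    """Try the enabled Auto Extract locations in order; the first hit wins."""
    headers, body = split_response(raw)
    checks = {
        "cookie": lambda: extract_from_set_cookie(name, headers),
        "html": lambda: extract_from_html_input(name, body),
        "json": lambda: extract_from_json(name, body),
    }
    for location in locations:
        value = checks[location]()
        if value is not None:
            return value
    return None


def from_to_extract(raw, from_str, to_str, locations=("header", "body")):
    """From To String: the text between from_str and to_str on one line."""
    headers, body = split_response(raw)
    lines = []
    if "header" in locations:
        lines.extend(headers)
    if "body" in locations:
        lines.extend(body.splitlines())
    for line in lines:
        start = line.find(from_str)
        if start == -1:
            continue
        start += len(from_str)
        end = line.find(to_str, start)
        if end != -1:
            return line[start:end]
    return None
```

The JavaScript variable in FORM_RESPONSE is only reachable with from_to_extract, which is exactly the case the README's "Auto extract from JavaScript variable" section describes.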

Static Value

A static parameter value can be defined. This can be used for instance for static CSRF tokens or login credentials.

Prompt for Input

You will be prompted for input if the defined parameter is present in a request. This can be used for instance to set 2FA codes.

Parameter Replacement

If a value is set (extracted or defined by the user) it will be replaced if the corresponding parameter is present in a request. The conditions for parameter replacements are:

Replacement Location

The parameter will be replaced if it is present at one of the following locations:

  • In Path (e.g. /api/user/99/profile --> if a parameter named user is present, the value 99 will be replaced)

  • URL Parameter (e.g. email=hans.wurst[a]gmail.com)

  • Cookie Parameter (e.g. PHPSESSID=mb8rkrcdg8765dt91vpum4u21v)

  • Body Parameter either URL-Encoded or Multipart Form Data

  • JSON Parameter (e.g. {"email":"hans.wurst[a]gmail.com"})

By default the parameter value is replaced at every location. However, clicking on the parameter settings icon lets you restrict the location according to your needs.
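As an added example (not the extension's own code), the following Python replaces a named parameter at the replacement locations listed above, with the location set restrictable the way the settings icon allows; the function names, the location keywords and the sample request are assumptions, and multipart bodies are left out for brevity.

```python
import json
from urllib.parse import parse_qsl, urlencode

ALL_LOCATIONS = ("path", "url", "cookie", "body", "json")

# Constructed sample request (not captured from a real application); the
# e-mail and cookie values reuse the README's own examples.
SAMPLE_REQUEST = (
    "POST /api/user/99/profile?user=99&lang=en HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Cookie: PHPSESSID=mb8rkrcdg8765dt91vpum4u21v; theme=dark\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"user": 99, "email": "hans.wurst[a]gmail.com"}'
)


def replace_in_query(query, name, value):
    """Replace `name` in a URL query or x-www-form-urlencoded body.
    urlencode() percent-encodes the new value, so a '$' becomes '%24'."""
    pairs = [(k, value if k == name else v)
             for k, v in parse_qsl(query, keep_blank_values=True)]
    return urlencode(pairs)


def replace_in_json(node, name, value):
    """Recursively set every key `name` to `value`; integer leaves stay integers."""
    if isinstance(node, dict):
        for key, child in node.items():
            if key == name and not isinstance(child, (dict, list)):
                keep_int = isinstance(child, int) and not isinstance(child, bool)
                node[key] = int(value) if keep_int and value.isdigit() else value
            else:
                replace_in_json(child, name, value)
    elif isinstance(node, list):
        for child in node:
            replace_in_json(child, name, value)
    return node


def replace_parameter(request, name, value, locations=ALL_LOCATIONS):
    """Replace parameter `name` with `value` at every enabled location."""
    head, sep, body = request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    # Split the request line on spaces first so the HTTP version is never touched.
    method, target, version = lines[0].split(" ", 2)
    path, qmark, query = target.partition("?")

    if "path" in locations:
        # /api/user/99/profile: the segment following one named `user` is the value.
        segs = path.split("/")
        for i in range(len(segs) - 1):
            if segs[i] == name:
                segs[i + 1] = value
        path = "/".join(segs)
    if "url" in locations and query:
        query = replace_in_query(query, name, value)
    lines[0] = f"{method} {path}{qmark}{query} {version}"

    ctype = ""
    for i, line in enumerate(lines[1:], start=1):
        lname, _, lvalue = line.partition(":")
        lname = lname.strip().lower()
        if lname == "cookie" and "cookie" in locations:
            pairs = [p.strip() for p in lvalue.split(";")]
            pairs = [f"{name}={value}" if p.split("=", 1)[0] == name else p
                     for p in pairs]
            lines[i] = "Cookie: " + "; ".join(pairs)
        elif lname == "content-type":
            ctype = lvalue.strip().lower()

    if "json" in locations and ctype.startswith("application/json") and body:
        body = json.dumps(replace_in_json(json.loads(body), name, value))
    elif "body" in locations and ctype.startswith("application/x-www-form-urlencoded"):
        body = replace_in_query(body, name, value)
    # multipart/form-data is a body location in the extension as well; not shown here.

    for i, line in enumerate(lines):
        if line.lower().startswith("content-length:"):
            lines[i] = f"Content-Length: {len(body.encode())}"
    return "\r\n".join(lines) + sep + body
```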

Parameter removal

The defined parameter can be removed completely for instance to test CSRF check mechanisms.

Sample Usage

Auto extract session Cookie

Define the username and password as a static value. The session cookie name must be defined as auto extract. Verify that you start navigating through the application with no session cookie set. Login to the web app. The Auth Analyzer will repeat the login request with the static parameters and automatically gets the session by the Set-Cookie header. This Cookie will be used for further requests of the given session. The defined Cookie will be treated as a parameter and therefore no Cookie Header must be defined.

Hint: You can restrict the extract and replace conditions for a parameter to avoid malfunction at the extracting / replacing stage.

Session Header and CSRF Token Parameter

Define a Cookie header and a CSRF token (with auto value extract). The CSRF token value will be extracted if it is present in an HTML Input Tag, a Set-Cookie Header or a JSON Response of the given session.

Auto extract from JavaScript variable

Since the Auto Extract method only works on HTML Input Fields, JSON Objects or Set-Cookie Headers we must use the generic extraction method called From To String. With this extraction method we can extract any value from a response if it is located between a unique starting and ending string. The Auth Analyzer provides a context menu method to set the From String and To String automatically. Just mark the String you want to extract and set as From-To Extract by the context menu.

Auto extract and insert a Bearer Token

Since the Authorization header is not treated as a parameter (as is done with the Cookie header), we can use a header insertion point to achieve what we want. Just mark and right-click the value you want to replace in the specified header. The default value will be used as long as no parameter value has been extracted yet.

Test several roles at a time

Just create as many sessions as you want to test several roles at a time.

Refresh Auto Extracted Parameter Value

Just press Renew on the session status panel or repeat the affected request by the context menu (mouse right click in the table entry). Hint: The login request(s) can be marked and filtered afterwards.

Test idempotent Operations

Original Requests can be dropped for testing idempotent operations (e.g. a DELETE function).

Test anonymous sessions

If an anonymous user needs a valid characteristic (e.g., a valid cookie value) you have to define the header as usual. Otherwise, you can define a header to remove as follows:

Test CORS configuration

You can easily test a large number of endpoints for their individual CORS settings by adding an Origin header under Header(s) to replace and selecting Test CORS on the Session Panel. With Test CORS selected, the Auth Analyzer changes the HTTP method to OPTIONS before the request is repeated.

Test CSRF Check mechanism

A specified parameter can be removed by selecting the Remove Checkbox. This can be used for instance to test the CSRF check mechanism.

Verify the Bypass Status

The Auth Analyzer provides a built-in comparison view to verify the differences between two responses. Just mark the message you want to analyze and change the message view (1). You are now able to compare the two requests (2) (3). The built-in Diff feature calculates and shows the differences between the two requests in real time (4).

Expanded Diff view:

Processing Filter

The Auth Analyzer should only process two types of requests / responses:

  • The response contains a value which must be extracted

  • The requested resource should not be accessible by the defined session(s)

For instance, we don't want to process a static JavaScript file because it is accessible to everyone and (hopefully) does not contain any protected data. To achieve this, we can set the following types of filters:

  • Only In Scope (only requests to the set Scope will be processed)
  • Only Proxy Traffic (only requests to the "Proxy History" will be processed)
  • Exclude Filetypes (specified Filetypes can be excluded)
  • Exclude HTTP Methods (specified HTTP Methods can be excluded)
  • Exclude Status Codes (specified Status Codes can be excluded)
  • Exclude Paths (specified Paths can be excluded)
  • Exclude Queries / Params (specified Queries / Params can be excluded)

Automated Response Analysis

  • The response is tagged SAME if both responses have the same response body and the same status code
  • The response is tagged SIMILAR if both responses have the same status code and the repeated response body length is within ±5% of the original response body length
  • The response is tagged DIFFERENT in every other case
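As an added example (not the extension's own code), the following Python applies the three rules above to a pair of raw responses; the function names and the constructed sample responses are assumptions, and the 5% tolerance is measured against the original body length.

```python
def parse_response(raw: bytes):
    """Return (status code, body) from a raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status = int(head.split(b" ", 2)[1])
    return status, body


def classify(original: bytes, repeated: bytes, tolerance: float = 0.05) -> str:
    """Tag the repeated response SAME, SIMILAR or DIFFERENT relative to the original."""
    o_status, o_body = parse_response(original)
    r_status, r_body = parse_response(repeated)
    if o_status != r_status:
        return "DIFFERENT"
    if o_body == r_body:
        return "SAME"
    # Same status code but a different body: SIMILAR only if the length is within the tolerance.
    if abs(len(r_body) - len(o_body)) <= tolerance * len(o_body):
        return "SIMILAR"
    return "DIFFERENT"


def build_response(status_line: bytes, body: bytes) -> bytes:
    """Assemble a constructed sample response for the checks below."""
    return status_line + b"\r\nContent-Type: application/json\r\n\r\n" + body


# Constructed samples: a 128-byte privileged body and variants of it.
ADMIN_BODY = b'{"role":"admin","secret":"' + b"x" * 100 + b'"}'
ADMIN_OK = build_response(b"HTTP/1.1 200 OK", ADMIN_BODY)
FORBIDDEN = build_response(b"HTTP/1.1 403 Forbidden", b'{"error":"forbidden"}')
```

Note that a repeated body of the same length but different content is tagged SIMILAR, not SAME, so the built-in diff view is still needed to confirm an actual bypass.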

Features

  • Session Creation for each user role
  • Renaming and Removing a Session
  • Clone a Session
  • Set any amount of Headers to replace / add
  • Set Headers to remove
  • Set any amount of parameters to replace
  • Define how the parameter value will be discovered (automatic, static, prompt for input, from to string)
  • Remove a specified parameter
  • Detailed Filter Rules
  • Detailed Status Panel for each Session
  • Pause each Session separately
  • Renew Auto Extracted Parameter Value automatically
  • Repeat Request by context menu
  • Table Data Filter
  • Table Data Export Functionality
  • Start / Stop / Pause the "Auth Analyzer"
  • Restrict session to defined scope
  • Filter Requests with same header(s)
  • Drop Original Request functionality
  • Detailed view of all processed Requests and Responses
  • Send Header(s) and / or Parameter(s) directly to Auth Analyzer by Context Menu
  • Auto save current configuration
  • Save to file and load from file current configuration
  • Search function in repeated requests
  • Semi Automated Authorization Testing

auth_analyzer's People

Contributors

b611, hannah-portswigger, portswiggersupport, simioni87, uthmanportswigger, zrquan


auth_analyzer's Issues

Built-in Anonymous

For ease-of-use sake, could you please consider implementing an anonymous session feature, where the extension would be checking for unauthenticated requests?

Alternatively, how could this be achieved with Authorization Bearer?

Thanks,
Alex

[Feature request] - User supplied extra rules for difference algorithm

Hi folks!

Basically this would be a new option where the user could enter a couple of rules that would complement or override the checks used to consider if something is different or not. A quick example would be this:

  • Response length is somewhat similar
  • The response codes are different (original request 200 vs 204)

The user could then append a rule saying if request_1 == 200 & if request_1 == 204 -> vulnerable

This could be iterated to also tweak the response length / difference analysis (that I'm not sure how it is done right now); so assuming it's something like if 95% equal -> vulnerable, the user could tweak the 95% to be e.g. 80%.

Just an idea, the extension already works perfectly. Thanks!

Match-Replace only works on single instance

Match and Replace only replaces one occurrence of the matched value. Let's suppose, user-id in my request occurs 2 times but match and replace will only replace the first instance of the user-id.

Case Insensitive parameter value

Do we already have support for parameter values which are case insensitive, or can we add this feature in the upcoming upgrade? As of now, for any parameter to match, I have to write all the possible cases for the parameter, as can be seen in the screenshot.

Extra requests when "Stop Drop Requests" is enabled for non-Proxy traffic

Not sure if I found a bug or totally misunderstood what should happen. Here are the details...

How to reproduce:

  • disable "Only proxy traffic"
  • enable "Stop Drop Requests"
  • go to Repeater, emit a request
  • check the extension tab and/or Logger++ logs

Outcome:

  • two entries in the extension logs tab, the first one displaying "No response to show" for the unmodified request
  • three exchanges in Logger++ (1 from Repeater, 2 from the extension)

Expected outcome:

  • one entry in the extension logs tab, displaying "No response to show" for the unmodified request
  • one exchange in Logger++ (from the extension)

Possible workaround: I could use "Repeat Request" from the extension contextual menu as a work-around (I tried, no extra requests are sent). Only problem: I can't map this action to a shortcut unlike Repeater's Send button. Efficiency--

And thanks for the extension!

Feature request: easier navigation when in expanded diff view

Hello,

when reviewing results, I like to expand the diff view in order to maximise visible information. Currently, the expanded view doesn't allow switching between sessions. So I have to collapse the view, switch to the new context, then re-enable the expanded view. Distracting and time-consuming...

I'd like to have a button, visible only in expanded view, where I can switch from ORIGINAL/SESSION1 to ORIGINAL/SESSION2 or ORIGINAL/SESSION3. Would that make sense?

In an ideal world, this action (switching to another pair) would also be associated to Left / Right when the logs table is focused (I'm not even sure that's possible).

Thanks for the extension, the more I dig in the more I appreciate it!

Issue when parsing cookie

Hello!

The following response:

HTTP/2 302 Found
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: Set-Cookie
Strict-Transport-Security: max-age=31536000;includeSubDomains;preload
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Set-Cookie: xsrf-token=aa7b0494-9f22-XXX; Path=/new; Secure; SameSite=None
X-Frame-Options: SAMEORIGIN
Location: /REDACTED
Content-Length: 0
Date: Fri, 04 Mar 2022 16:21:17 GMT

Is not being picked up by the tool. Could this be due to the fact that there's a Set-Cookie value before this?

EDIT: My session looks like this:
[screenshot of the session configuration]

HTTP/2 requests not supported

Hello,

Hope you are well and thanks for your awesome plugin.

While testing with it recently I have noticed that although the first request is made using the HTTP/2 protocol and it's successful, the repeated tampered request with the different JWT auth session fails with the following return message:

HTTP/1.1 505 HTTP Version Not Supported

Seems like the extension sends the request using only HTTP/1.1?

Could you please have a look?
Hope it's an easy fix.

Thanks! :)

Response Length Difference column

Hi!

Many times one telltale sign of an authorization issue is when the response length difference from request A and request B is the same (or very similar). This applies when the server responds 200 OK and only differs in the actual response (e.g. json output).

The suggestion is to add a new response length difference column on the main table:
[screenshot of the proposed column]

This would be super helpful!
To increment this feature and to distinguish from other tools out there, I would allow the ability to set an "offset" of what is tolerable as vulnerable or not. e.g., an offset of 10 bytes means that if the response length difference was between -10 < X < +10 it would still be considered an issue.

Thanks!

Suggestion: send request to Auth Analyzer even if Analyzer is stopped

Hi! Sometimes it would be very useful if we could send an item to the Analyzer even if it is stopped. Basically the context menu from Proxy is already there, however we can only send it when the Analyzer is running; which sort of makes sense. However, if there is a session configured, maybe we could send that particular request - it would be processed by the extension, but if you continue the browsing the analyzer would still be paused.

Does this make sense? Would make easier some flows, e.g. I often only want to test one request from time to time and this way I can send it directly, otherwise I have to go to the extension tab, start it, switch to proxy, send it, switch to extension again and then stop the analyzer 😬

Problems with HTTP/2

Hi, during the first use of your nice tool I got problems with a web app using HTTP/2. The modified response always returned an HTTP not supported error. Replaying the same request in Repeater didn't give that error message.

When I disabled HTTP/2 in Project Options - HTTP your tool gave the correct results.

Thanks,

Erwin

Supporting URL deduplication

Hi @simioni87 !

One thing that happens very frequently when doing access control testing is testing the same URLs over and over again. It would be super helpful if the extension supported a very simple URL deduplication feature; so, if ON, a request that has already been processed by Auth Analyzer (e.g. it's already on the results table) would be ignored.

Even a very basic support of this - e.g. really just comparing a GET request if it's exactly the same (not taking in consideration ?parameters for example) would be a huge help.

Thanks!

Issues with replacement not working

Using 1.1.13 and have configured a CSRF match which is working fine, as I can see the value being populated in the header I've specified.


The problem is it's not replacing the parameter found in the following multipart request body. Not shown in the image above is that it's just a POST request.


Am I missing something, or should the _csrf be replaced with my value?
thanks

Export Table Data with Dropped Requests

If you try to export table data which contains at least one dropped request, it ends with an error and the HTML/XML file is not created.


Export as HTML - Stacktrace:

java.lang.NullPointerException: Response cannot be null
	at burp.bp.analyzeResponse(Unknown Source)
	at burp.cyn.analyzeResponse(Unknown Source)
	at com.protect7.authanalyzer.util.DataExporter.createHTML(DataExporter.java:136)
	at com.protect7.authanalyzer.gui.dialog.DataExportDialog.<init>(DataExportDialog.java:113)
	at com.protect7.authanalyzer.gui.main.CenterPanel$1.run(CenterPanel.java:132)
	at java.base/java.lang.Thread.run(Thread.java:831)

Export as XML - Stacktrace:

java.lang.NullPointerException: Response cannot be null
	at burp.bp.analyzeResponse(Unknown Source)
	at burp.cyn.analyzeResponse(Unknown Source)
	at com.protect7.authanalyzer.util.DataExporter.createXML(DataExporter.java:46)
	at com.protect7.authanalyzer.gui.dialog.DataExportDialog.<init>(DataExportDialog.java:117)
	at com.protect7.authanalyzer.gui.main.CenterPanel$1.run(CenterPanel.java:132)
	at java.base/java.lang.Thread.run(Thread.java:831)

The issue is caused by an attempt to process an empty response (as the original request has been dropped).
Could you fix that please?

Thank you,
Daniel

Issues while updating GET parameter

I am testing an application that is using a session-id provided in a GET parameter (Yeah, should not be used anyway but oh well.. )

I tried to setup a session that should only replace this one URL parameter with a static value (the session of the low-priv user).
I can browse the app but the extension does not seem to replace the URL parameter.

[screenshot burp_auth_ext_plugin_issue_1]

Above is what we initially set up.

Following are the original request and the request that should have been edited.

[screenshot burp_auth_ext_plugin_issue_2_mod]

The request, where the session-id should have been replaced with the low priv. user's id:
[screenshot burp_auth_ext_plugin_issue_3_mod]

What am I doing wrong or is this some weird burp issue ?

Possible bug replacing path values

Hi @simioni87!

First of all thank you for this extension - it's really well done. I'm trying to use it for my day to day operations but came across a problem replacing path values.

Say I have a request to:
GET /api/v1/user/12345/details
and want to replace it with:
GET /api/v1/user/admin/details

For this to work I was trying to use the static value replacement, e.g.:
[screenshot of the static value configuration]

This should work right? However, it's turning it into:
[screenshot of the resulting request]
(that is GET /api/v1/smart/users/12345/admin/1.1)

Maybe this is a bug or am I doing something wrong?

Thanks!

Feature Request: Export Table Data to a file and Import to Burp

Hi there,

Thank you for this awesome tool!

It has been very useful to me.

Just wonder if you could add in a feature where I could export table data to a file?
And subsequently import that file containing the table data into burp to view table data within auth_analyzer tab again?

I feel that would be very useful.

Thank you!

UI Tweaks

Further to my previous ticket for an authentication matrix, I came up with this new idea. How about being able to set the current User context, let me try to explain.

Let's say I have the following user roles:

  • Admin
  • Operator
  • User

The process would be the following:

  1. I configure the extension with the relevant users and their associated JWT token/session cookie
  2. I manually crawl the application as the Admin, having access to endpoints and features limited to this role
  3. I do the same with the Operator
  4. I do the same with the User

When crawling under the user roles listed above, there should be an option in the UI like a checkbox to select the current user role for intercepted requests; this would cause the relevant column in the matrix table to be set to something like N/A or Select Context. This would create a complete matrix of all available endpoints/features and the access rights of each configured user.

Exporting this as a CSV table and putting it in a pentest report would add a lot of value to customers. Also, this option would be amazing and simplify privilege escalation checks.

Please let me know what you think of this feature.

Note: In this case there will be no need for the drop original request button as the original request will be the one associated with the selected user context.

Path parameter extract breaks if it's the final parameter

I'm testing an API which uses UUIDs in the URL, which I'm replacing. However, if the URL ends with a parameter without a trailing /, the request gets corrupted. For example:

Original request:

GET /api/account/52983d28-c02c-4e93-9930-d099bc35e795/goal/44c74981-77b3-4bb6-bb3d-183917c6b21d HTTP/1.1
Host: ...

Using Auth Analyzer to replace the account and goal parameters generates this request:

GET /api/account/219e18eb-782b-4d9c-b820-c2e9d385e86b/goal/4763ae23-8c4c-4313-9ed1-2040755d27b6/1.1
Host: ...

It is splitting the parameter up to the / in HTTP/1.1, instead of breaking at the preceding space.

Send the edited request before the original request

When you are working with the DELETE/PUT method to delete/update something, if the original is sent first, the record is gone so the edited request will fail. It would be nice if auth_analyzer had this option :D

The option to *regex match and replace* parts of the request without relying on parameter

I often find myself in situations where I want to replace a string in some part of a request which has no parameter. It'd be great to have a feature where you can have the request in separate parts (i.e. the first line, all the headers, the body) as strings and regex match/replace them without relying on parameters.

P.S AutoRepeater also had such features which are currently dead.

Feature Request: Include Comment Column in Export Table Data

First of all amazing plugin! Thank you for the work.

Secondly, I noted that when exporting the data to an HTML or XML document, it is not possible to select and export the "Comment" column. This would be really useful as it could add additional information for the pentester when parsing the data from the file.

Future request

Can you add the option:

  1. To add a list of hosts/domains to pass through auth_analyzer. For example, I may be playing with API endpoints in like 5 domains and the table gets populated with data from domains I'm not testing.

  2. Include the option to send the request a selected number of times. For example, I may want to send each request at most two times, then to Repeater.

Feature Request: Null as Parameter Value

Hi simioni87,

I have some test cases where I want a specific parameter to be replaced by a null value.

I tried setting it as the following:

param(Static Value)
Value:

but the request body (in JSON) becomes:

{
"param": ""
}

I hope you can also introduce another option called Null as Parameter Value so that the output becomes:

{
"param": null
}

Thank you so much for this wonderful Burp extension!

Enhancement - Differentiation of 302 based on the Location header

Hi there,

Currently (at least with the latest app available in Burp App Store) two 302 responses will be considered and shown as "SAME" in the result tab.

During my testing, I often see the case where two requests will receive 302, but for different reasons:

  • the original request, for example to modify a profile page, will receive a 302 for the user to go back to the profile page.
  • the other, modified request will not be authorized but it will receive a 302 to the login page.

These pairs of requests/responses will appear in the result tab as "SAME". Ideally, an additional filter should be implemented to look at the "Location" header content. If these headers are different, the responses should be shown as "SIMILAR" or "DIFFERENT" but not "SAME".

Amazing work by the way, I really like your extension! Thanks a lot!

Cheers,

A.

Authentication Matrix

When testing for multiple user roles, there are usually distinctive feature sets available to each role and we (as pentesters) usually want to test each individual role.

To illustrate what I suggest let's say we have three (3) distinct roles:

  • Admin
  • Doctor
  • Client

A thorough test would be to set the tokens for each role and then start manually interacting with the application.

In this case three (3) different left panel views (request and bypass) should be generated, as we would want to test as an Admin whether Doctors and Clients can repeat the request, then test the application as a Doctor and check if Admins and Clients can repeat the requests.

In short what we want is a matrix.

Sorry if I have not been super clear, happy to elaborate on this if needed.

Kind regards,
Alex

Could not set header to null(blank)

Hi simioni87,

First of all, thank you for this awesome tool!

I've been using your tool for a while and I just have a problem setting a header's value to null (blank).

I have this header called X-token, I want this header to remain on the request but with a blank value.

I tried the following setup

X-token: §token[blank]§

token(Remove: true)
Value: null

But on the modified request, it is always converted to

X-token: blank

I also tried setting it up as

X-token: //no parameter
X-token: §token[]§ //no character in-between []
X-token: §token[ ]§ //whitespace in-between []
X-token: §token[blank]§

token(Remove: false, Extraction: Static Value, Value: )
Value: //whitespace value

But it all ended up using the X-token from the original request.

Can you help me with this, please?

Best regards,

Send from the logger

Hey simioni87, I can't find the option to send to auth_analyzer in the Logger, but I can find the option to send to other plugins. Could you please add the functionality to receive requests from the Logger? There's a scenario where one can use other plugins to batch parse API docs like swagger-ui, insert default parameters, and then forward them in bulk to auth_analyzer for preliminary validation of unauthorized and privilege escalation requests.

Option to disable URL encoding

Hi!
I want to replace a parameter value with a string containing a dollar sign "$". Auth Analyzer URL-encodes the dollar sign as "%24". In my case, the dollar sign is part of a password inside a JSON body, therefore the authentication fails due to the encoding.
It would be awesome to have an option in the parameter replacement settings to enable/disable the URL encoding :)

Rework Request/Response View

Hi @simioni87

Super extension, just a small suggestion would be to make the request/response view (right panel) less visually heavy. This could be done by using a hierarchy, top level would be request and response and when selecting one of those two options then the different user roles request/response would be displayed.

Also, you should have a look at the Autorize extension which uses an expand/collapse view. Also, with the latest version of Burp and the split panel there could be more visually pleasing alternatives to my suggestion. Other than that super work, will keep opening tickets if I can think of other improvements.

Best regards,
Alex

EDIT: This is what I mean by simplifying the view.


how about add "Parameter Addition" function

Hello Simioni87,nice to meet u !!!
I have used auth_analyzer for a long time and it is really a great burp extension for pentersters ! ! ! But i have a problem that why not add the "Parameter Addition" function because u have realized the function of "Parameter Replacement". There are sevel scene for this addition function,such as hidden debug mode,for example some developper like to add "debug=1" in request(url post-param json-param etc) when write code but delete it in frontend,but the debug mode still exist and sometime it may cause some problem. In this scene, auth-analyzer can't add Parameter when origin request is not existed a parameter named "debug" so i have to add it in processhttpmessage before auth-analyzer's code. Perhaps u could think about to add this function hahahaha. it is really happy to use your auth_analyzer ^=^
