Testing for broken access control is often a laborious and boring process. Few tools are available and Burp Suite Authorize is the most common. I wanted to build something with a bit more flexibility to cover for additional use cases such as
- multiple users: why not test multiple roles of multiple tenants at once?
- sending a request for a different user first: necessary to test access control on deletion
- flexibility: configuration and possible to rewrite the code for your use case
I built a tool using Fiddler script, free for anyone to use. It duplicates requests while replacing authentication tokens and does a simple comparison on the result. Color coding based on response comparison rules makes it easy to identify the responses that need further inspection. All the information about requests and responses is available as usual in Fiddler.
To get started you need to three things
- Copy the script code. If you don't have or want to preserve changes in your Fiddler script file, replace the file typically found in <Documents>/Fiddler2/Scripts/CustomRules.js. If you want to add the script the code, see instructions below.
- Create a config file. Name and path must match the eatConfig variable in the script.
- Customize the columns in the Fiddler request view.
Copy the script code
Script code can be found here. If you want to copy the relevant script into your existing script, follow the instructions below. The script expects your config file to be found at C:\\dev\\3AT.json, update the eatConfig variable if you want to change it.
Copy or create the config file
Create the config file at the location defined in the script, or use this file as a template.
{
"url_include": "example.com/api/"
"ignore_endings": [".js", ".css", ".json", ".jpg", ".png", ".jpeg", ".gif", ".ico", ".svg", ".woff2"],
"ignore_contains": ["/static/", "/configuration/"],
"ok_response": ['{"hasError":true,"statusCode":403}'],
"tokens": ["Authorization"],
"ignore_304": true,
"ignore_cache": true,
"hide_original_request": false,
"hide_other_requests": false,
"duplicate_after_response": true,
"users_file": "C:\\dev\\users.json"
}
- url_include: a fragment of the URL that must be present
- ignore_endings, ignore_contains: exclusion rules for requests that are not interesting
- ok_response: a list of responses body strings to flag the response as ok (not an authorization bypass) if it is found
- tokens: the authentication token needed. Works with headers such as Cookie, Authorization, X-CSRF-Token. Only specify the ones you need
- ignore_304: don't duplicate requests with a 304 response
- ignore_cache: remove "If-None-Match" headers with ETag values
- hide_original_request: true if you only want to see the duplicated requests
- hide_other_requests: true if you want to filter out everything which is not duplicated
- duplicate_after_response: true if you want the best comparison analysis, false if you want to be the duplicated request to be sent first, useful in case you want to test authorization on delete
- users_file: path to the file containing users. File will be created if it doesn't exist. Simply delete the file to empty the list of users
Customize the columns
Harvest users
On the rules menu, select "Harvest authentication users". When a request with an unseen authentication token is processed, it will request a name for the user. Click cancel if you don't want to add it. Toggle this option off when all users have been harvested.
Start testing authorization
For every qualifying request, Fiddler will send additional requests for all the users you have defined. Color coding will help you identify suspects of broken access control.
No comments:
Post a Comment