Easy IDOR hunting with Autorize? (GIVEAWAY)

InsiderPhD

19 Jan 202223:57

Summary

TLDRIn this episode of Hacker Toolbox, the focus is on 'Autorize,' a free Burp extension designed for API security testing. It automates the process of swapping attacker and victim cookies to detect IDOR (Insecure Direct Object References) vulnerabilities, streamlining the testing of large APIs. The tutorial covers Autorize's installation, configuration, and practical use, including advanced features like interception filters and enforcement detection. The video also highlights a giveaway for bug bounty tools and swag, sponsored by Integrity, a bug bounty platform supporting the security community.

Takeaways

🛠️ The video introduces 'Autorize', a free Burp Suite extension that aids in API security testing by automatically swapping cookies to test for IDORs (Insecure Direct Object References).
🆓 'Autorize' is available for free and works with the community edition of Burp Suite, making it accessible without requiring a paid subscription.
🔄 The extension operates by sending requests with the victim's and attacker's cookies, comparing the responses to identify if security measures are enforced or bypassed.
🛡️ It is particularly useful for testing large APIs, which may have hundreds of endpoints, reducing the manual effort required in security assessments.
🎯 'Autorize' helps automate the process of testing each endpoint with different user accounts to find potential IDORs, streamlining what could be a very tedious process.
👥 The tool can test for two types of accounts but is limited in that it does not handle unauthenticated testing or complex permission hierarchies.
🔧 The video provides a step-by-step guide on how to install and configure 'Autorize' within Burp Suite, including setting up Jython and using the Burp App Store.
🎁 The video concludes with a giveaway sponsored by Integrity, offering bug bounty resources and swag, encouraging viewers to participate by commenting with their favorite bug bounty tool.
🏆 Integrity is highlighted as a growing bug bounty platform that supports the security community, offering opportunities for bug hunters to report vulnerabilities and earn rewards.
🔑 'Autorize' is created by Barack and available on GitHub and the PortSwigger App Store, emphasizing the collaborative nature of the security research community.

Q & A

What is Autorize and what does it do?
-Autorize is a free Burp extension that works on the community edition. It is used to find IDORs (Insecure Direct Object References) by automatically making additional requests with different cookies to compare responses and identify bypasses or enforcements.
How does Autorize help in testing APIs?
-Autorize is particularly useful for testing large APIs by automating the process of making requests with different user accounts to check for IDORs. It reduces the manual effort involved in testing each endpoint with different user permissions.
What are the limitations of Autorize?
-Autorize can only test two accounts and does not handle unauthenticated testing, which are its primary limitations. It also does not solve complex hierarchy testing or mobile app testing.
How can Autorize be installed in Burp Suite?
-To install Autorize, you need to download Jython and configure its location in Burp Suite's extender options. After that, you can install Autorize from the Burp Suite app store or GitHub.
What is the purpose of the 'intercept request from repeater' setting in Autorize?
-The 'intercept request from repeater' setting in Autorize ensures that every time a request is made using Burp's repeater, Autorize also sends a request with the attacker's cookie and one without cookies for unauthenticated testing.
How does Autorize help in reducing the manual effort in API testing?
-Autorize reduces manual effort by automatically making additional requests as you browse the website, testing for IDORs without the need to manually write and send requests for each test case.
What is the significance of the question mark symbol in Autorize's output?
-The question mark symbol in Autorize's output indicates that the tool is unsure about the enforcement status of a particular test. It suggests that further manual investigation is needed to confirm whether an IDOR exists.
How can Autorize be configured to focus on API requests?
-Autorize can be configured to focus on API requests by setting up interception filters to only process requests that contain 'api' in the URL or by modifying the enforcement detector to look for specific response patterns typical of APIs.
What are the advanced features of Autorize that can aid in practical bug hunting?
-Autorize's advanced features for practical bug hunting include the ability to set interception filters, modify the enforcement detector, use match and replace rules for testing different user IDs, and export findings for collaboration.
How does Autorize assist in identifying IDORs in a practical API testing scenario?
-In a practical API testing scenario, Autorize assists by automatically making requests with different user cookies and comparing responses to identify IDORs. It also allows for the modification of request methods and body content to test various scenarios and configurations.