Wednesday, January 31, 2018

AuthMatrix 0.8

I am happy to announce the release of the next iteration of AuthMatrix, our free extension for the Burp Suite platform that takes the repetition out of manual authorization testing. This release delivers several long-overdue feature requests. The new features are tailored to improve a tester's workflow and widen the range of targets and authorization test cases AuthMatrix can handle.

AuthMatrix can be downloaded from Github or directly from the Burp Suite BApp Store.

 https://github.com/SecurityInnovation/AuthMatrix/

The following features have been added as part of AuthMatrix 0.8:

Chain Dependencies

AuthMatrix 0.6 introduced chains as an elegant way to move data between requests. That feature came with a limitation: if you wanted the destination message to receive the updated data, you had to include the source message in your run set and move it above the destination in the table so that it ran first. In AuthMatrix 0.8, chain dependencies are discovered automatically and requests are run in the order the chains require, so a chained request no longer depends on its table position to get the right data.


Chain Transformers

The chains table has also gained a new feature. Chain Transformers live in the final column and let users modify the source data before it is substituted into the destination request.

One use case is a source request that returns an identifier on success while the destination request uses that identifier in its URL to check the status. Here the tester can add a URL-encode transformer to the chain so that the identifier is formatted correctly for the destination request's URL.

Chain transformers can be stacked, and are applied in order, to modify the data in whatever way the application requires. Supported transformers in AuthMatrix 0.8 are Base64, URL, Hex, SHA1, SHA256, SHA512, and MD5.
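The two chain features above, dependency ordering and stacked transformers, fit in a small model. The code below is an added example written for this post, not AuthMatrix's own implementation: the `Chain` row layout, the regex-group convention for extracting and replacing values, the transformer functions, the `fake_send` stand-in for the target, and the `example.test` sample requests are all assumptions made for the illustration.

```python
import base64
import hashlib
import re
from collections import namedtuple
from urllib.parse import quote

# The seven transformer names from the 0.8 release notes. The functions here
# are this example's own definitions (string in, string out), not AuthMatrix's.
TRANSFORMERS = {
    "URL": lambda s: quote(s, safe=""),
    "Base64": lambda s: base64.b64encode(s.encode()).decode(),
    "Hex": lambda s: s.encode().hex(),
    "MD5": lambda s: hashlib.md5(s.encode()).hexdigest(),
    "SHA1": lambda s: hashlib.sha1(s.encode()).hexdigest(),
    "SHA256": lambda s: hashlib.sha256(s.encode()).hexdigest(),
    "SHA512": lambda s: hashlib.sha512(s.encode()).hexdigest(),
}

def apply_transformers(value, names):
    """Apply stacked transformers left to right, e.g. ["SHA256", "URL"]."""
    for name in names:
        value = TRANSFORMERS[name](value)
    return value

# One chain row (assumed layout): group 1 of extract_regex is taken from the
# source request's response, transformed, and written over group 1 of
# replace_regex in the destination request.
Chain = namedtuple("Chain", "source destination extract_regex replace_regex transformers")

def resolve_order(request_ids, chains):
    """Order requests so every chain source runs before its destination,
    keeping table order for requests that do not depend on each other.
    Raises ValueError if the chains form a cycle."""
    deps = {rid: set() for rid in request_ids}
    for c in chains:
        deps[c.destination].add(c.source)
    order, pending = [], list(request_ids)
    while pending:
        ready = [rid for rid in pending if deps[rid] <= set(order)]
        if not ready:
            raise ValueError("cyclic chain dependency among %s" % pending)
        order.append(ready[0])
        pending.remove(ready[0])
    return order

def run_with_chains(requests, chains, send):
    """Run requests in dependency order and feed chained values forward.
    requests maps id -> raw request text; send(text) returns the response
    text. Returns (order, final request texts, responses)."""
    texts, responses = dict(requests), {}
    order = resolve_order(list(requests), chains)
    for rid in order:
        responses[rid] = send(texts[rid])
        for c in (c for c in chains if c.source == rid):
            m = re.search(c.extract_regex, responses[rid])
            if not m:
                continue  # source yielded nothing; destination runs unmodified
            value = apply_transformers(m.group(1), c.transformers)
            dest = texts[c.destination]
            d = re.search(c.replace_regex, dest)
            if d:
                texts[c.destination] = dest[:d.start(1)] + value + dest[d.end(1):]
    return order, texts, responses

# Constructed sample: the table lists the status check above the create,
# but the chain makes the create run first and URL-encodes the returned id
# before it is placed in the path.
REQUESTS = {
    "status": "GET /api/jobs/JOB_ID/status HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "create": "POST /api/jobs HTTP/1.1\r\nHost: example.test\r\n\r\nname=export",
}
CHAINS = [Chain("create", "status", r'"id":\s*"([^"]+)"',
                r"GET /api/jobs/([^/ ]+)/status", ["URL"])]

def fake_send(text):
    """Stand-in for the target application (constructed, offline)."""
    if text.startswith("POST /api/jobs"):
        return 'HTTP/1.1 201 Created\r\n\r\n{"id": "job 42/alpha"}'
    return 'HTTP/1.1 200 OK\r\n\r\n{"state": "done"}'

if __name__ == "__main__":
    order, texts, _ = run_with_chains(REQUESTS, CHAINS, fake_send)
    print(order)  # ['create', 'status']
    print(texts["status"].split("\r\n")[0])  # GET /api/jobs/job%2042%2Falpha/status HTTP/1.1
```

The sample identifier deliberately contains a space and a slash; without the URL transformer the slash would split the path and the status request would hit the wrong route, which is exactly the case the transformer column exists for.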


User Ordering

In the same way that requests can be dragged and dropped within the table to change the run order, users can now be reordered as well. This is particularly useful for requests that modify the state of the target application.

For instance, say there is a DELETE request that only admins are authorized to run. If the admin user runs first, the asset is gone before any other user is tried, and every unauthorized user then fails for the wrong reason, which hides a missing authorization check. Users can now be sorted so that the admin runs the request last. If the asset is already deleted by the time the admin run completes, the tester can see which unauthorized user was the first to succeed.
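The masking effect described above is easy to see in a simulation. What follows is an added example written for this post, not code from AuthMatrix: the stand-in target `FakeApp`, its tokens, the asset id `42`, and the `User` row layout are all constructed for the illustration. The grading rule used here (the success regex must match for users marked authorized and must not match for users marked unauthorized) is the one the matrix applies, but the code that applies it is this example's own.

```python
import re
from collections import namedtuple

# A user row as the matrix sees it: display name, whether the tester marked
# the user as authorized for the DELETE, and the credential sent with it.
User = namedtuple("User", "name authorized token")

class FakeApp:
    """Stand-in target (constructed). The DELETE handler checks that the
    caller is logged in but never checks the admin role, which is the
    authorization bug the matrix should surface."""
    KNOWN = {"tok-admin", "tok-alice", "tok-bob"}

    def __init__(self):
        self.assets = {"42"}

    def delete(self, asset_id, token):
        if token not in self.KNOWN:
            return "HTTP/1.1 401 Unauthorized\r\n\r\n"
        if asset_id not in self.assets:
            return "HTTP/1.1 404 Not Found\r\n\r\n"
        # Missing here: if token != "tok-admin": return 403
        self.assets.remove(asset_id)
        return "HTTP/1.1 204 No Content\r\n\r\n"

# Success regex for the DELETE row, as a tester would enter it.
SUCCESS_REGEX = r"^HTTP/1\.1 204"

def run_matrix(users, app, asset_id="42"):
    """Send the DELETE once per user, in the order given, and grade each
    result: a match on the success regex is a success; a success by a user
    marked unauthorized, or a failure by one marked authorized, is a
    finding. Returns [(user name, succeeded, verdict), ...]."""
    rows = []
    for u in users:
        resp = app.delete(asset_id, u.token)
        ok = re.search(SUCCESS_REGEX, resp) is not None
        if ok and not u.authorized:
            verdict = "FAIL: unauthorized success"
        elif not ok and u.authorized:
            verdict = "FAIL: authorized request did not succeed"
        else:
            verdict = "PASS"
        rows.append((u.name, ok, verdict))
    return rows

def first_unauthorized_success(rows):
    """Name of the first user who succeeded without authorization, or None."""
    for name, ok, verdict in rows:
        if verdict == "FAIL: unauthorized success":
            return name
    return None

ADMIN = User("admin", True, "tok-admin")
ALICE = User("alice", False, "tok-alice")
BOB = User("bob", False, "tok-bob")

if __name__ == "__main__":
    # Admin first: admin deletes the asset, so alice and bob get 404, match
    # nothing, and every row reads PASS. The missing role check is masked.
    print(run_matrix([ADMIN, ALICE, BOB], FakeApp()))
    # Admin last: alice deletes the asset and is flagged; bob and admin then
    # get 404, and the admin's failed row tells the tester that the state
    # changed before the authorized user ran.
    print(run_matrix([ALICE, BOB, ADMIN], FakeApp()))
```

Note that with the admin last, bob still reads PASS only because alice got there first; on a real target the next step is to restore the asset and rerun with bob moved above alice, which is exactly what user ordering makes cheap.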

Disabling Requests, Users, and Chains

This long-awaited feature allows testers to temporarily disable any request, user, or chain in their table through a right-click menu option. It is useful when building an AuthMatrix configuration for the first time, or when retesting a specific case. Items can be enabled or disabled en masse by selecting all relevant rows in the table before right-clicking.


Regex History

One of the most requested features for AuthMatrix was a simpler way to configure the success regexes of requests. AuthMatrix 0.8 meets this need with two updates: a regex history drop-down and a new right-click option for mass updates.

Now when a tester modifies the success regex of a request, they can either type a new regex into the text box or pick one from a new drop-down menu. The menu lists every regex previously entered in the session, for quick reuse across requests that share the same success condition.


Additionally, updating the regex of several requests at once is now as simple as selecting them in the table and right-clicking the new update-regex option. The resulting pop-up lets the tester set the value through the same drop-down interface used in the table.

Build Your Own State File

With this release we have fully documented the JSON format of the state files AuthMatrix saves. Power users can reference that documentation to automate parts of their configuration by editing state files directly. Testers can also load partial state files, which modify only the AuthMatrix tables they contain and leave the rest of the configuration untouched. Please see our GitHub page for the accepted JSON format.



Try it Today!

AuthMatrix continues to be the most used authorization extension in the BApp Store, and we look forward to continuing to improve its capabilities to help testers everywhere find vulnerabilities and secure their applications. Download it directly through the Burp Suite BApp Store or via our GitHub page.

https://github.com/SecurityInnovation/AuthMatrix/