The idea for AuthMatrix came in an attempt to solve a huge problem in web security testing. Unlike many other classes of vulnerabilities common in webapps, authorization bugs are hard to generalize between applications and because of that, the process for validating all authz cases can be time consuming and painstakingly manual. Not only this, but once the testing is completed, it is rarely possible to quickly repeat the test or verify the tester's results with any level of assurance.
As I describe during my talk given at Appsec California 2016 introducing AuthMatrix, the current manual process for testing authorization in web apps and web services can look a bit like this.
- Enumerate roles and map entire application's functionality
- Authenticate all necessary users
- Test every combination of user and request:
- Run request
- Observe response
- Determine if behavior is correct for that user's privilege level
- Record results to a notes file
There are several major choke points to note with this testing methodology. The first being that the majority of this process is done manually, with only a checkbox in a notes doc to verify the results. Additionally, the testing process described in the last item above can essentially be viewed as a LARGE manual for-loop, where initiating requests, calculating results, and recording the output is all done by hand. This combination introduces a significant number of opportunities for human error to occur with no ability to verify the tests were performed correctly. This, unfortunately, can often result in critical authorization vulnerabilities being missed, even by the most skilled and diligent pentesters.
With AuthMatrix, we restructure this process so that defining your system's characteristics are front-loaded and the application takes care of all the testing and validation. Pentesters define a set of roles, users, and requests that sufficiently cover their target application's capabilities and assemble tables similar to those used in many threat modeling techniques. These tables can be verified at any stage of the testing process and saved to disk for later regression testing.
The primary goal of the project was to create a tool that made this process easier and more efficient for the tester. No point in making an App that no one will use. AuthMatrix achieves a high level of usability with a simple UI and provides an easy to read interface indicating the results of the test.
With AuthMatrix, we've managed to unwind the manual for-loop in the methodology above so that the risk of missed vulnerabilities due to complexity and human error is significantly reduced.
So, after a warm reception at the Appsec California 2016 conference, I'm happy to say that the extension is now fully available to the public. AuthMatrix can be found through the Security Innovation public Github page or can simply be installed directly in Burp for free in the BApp Store.
Give it a try and let me know what you think.