At Security Innovation, our tech-enabled services leverage dozens of internally developed scanners, parsers, scripts and other tools to make our software security testing more efficient. However, authorization testing remained fairly labor-intensive and tedious: the creation of user roles, mapping each role to the functions and data to which they’re intended to have access, and then verifying that each role is properly constrained. This was the genesis of creating a tool that solved this primitive "authorization" problem in security testing.

The Problem: Authorization testing is hard to get right and prone to human error.

Finding authorization problems in web applications and web services is difficult because unlike many other vulnerability classes, authorization defects are typically unique for each application. Test cases are tedious to develop and it’s tough to test every user scenario thoroughly for each test run. It’s a very manual process to capture all the roles, tasks, access, etc. and most people use spreadsheets to manage this. Additionally, the process for validating all authorization cases is time-consuming and painstakingly manual, and it is rarely possible to quickly repeat the test or verify the tester's results with any level of assurance.

The current way we test authorization in web applications and web services is as follows:

  1. Enumerate roles
  2. Map entire application's functionality
  3. Authenticate all necessary users
  4. Test every combination of user and request:
     a. Run request
     b. Observe response
     c. Determine if behavior is correct for that user's privilege level
     d. Record results to a notes file

There are several major challenges and choke points to note with this testing methodology, which largely revolve around opportunities for human error. The majority of this process is done manually, with only a checkbox in a notes doc to verify the results. The testing process can essentially be described as a large manual FOR-loop, where initiating requests, calculating results, and recording the output is all done by hand. This combination introduces a significant number of opportunities for human error to occur with no ability to verify that tests were performed correctly. This, unfortunately, can often result in critical authorization vulnerabilities being missed, even by the most skilled and diligent pen testers.

The fact that user-based test creation is labor-intensive is challenging enough. However, when you layer on top of that the fact that there are no generic testing conditions and that test steps are difficult to repeat (for regression testing), you’ve got an important set of test cases that are hard to automate. Many testers create custom scripts that are usually thrown away after each application test.

The Solution: AuthMatrix

AuthMatrix helps solve this problem in web security testing. The primary goal of the project was to create a tool that made the process of authorization testing easier and more efficient. With AuthMatrix, we've managed to remove the aforementioned FOR-loop and mitigate the risk of missed vulnerabilities due to the complexity and human error usually found in authorization testing.

AuthMatrix is an extension to the Burp Suite testing utility designed to improve the process of verifying authorization protections in web applications and web services. This helps penetration testers:

With AuthMatrix, the process of defining your system's characteristics is front-loaded and the application takes care of all the testing and validation. Testers simply define a set of roles, users, and requests that sufficiently cover their target application's capabilities and assemble tables similar to those used in many threat modeling techniques. These tables can be verified at any stage of the testing process and saved for later automated regression testing.
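
The role, user and request tables described above, and the loop that checks them, sketched as an added example (this is not AuthMatrix's own code). The sample users, the requests, the `fake_app` stand-in with its deliberate defect, and the rule that a 200 status means the action succeeded are all constructed assumptions.

```python
import re
from itertools import product

# Constructed sample tables: each user's roles, and the roles allowed per request.
USERS = {"alice": {"admin", "user"}, "bob": {"user"}, "anon": set()}
REQUESTS = {
    "GET /profile":       {"user", "admin"},
    "POST /admin/users":  {"admin"},
    "GET /admin/reports": {"admin"},
}
SUCCESS = re.compile(r"^HTTP/1\.1 200")  # assumption: a 200 status means success


def fake_app(user, request):
    """Stand-in for the application under test (constructed). It omits the
    admin check on GET /admin/reports, so any logged-in user gets a 200."""
    roles = USERS[user]
    if request == "GET /admin/reports":
        allowed = bool(roles)  # defect: being authenticated is enough
    else:
        allowed = bool(roles & REQUESTS[request])
    return "HTTP/1.1 200 OK" if allowed else "HTTP/1.1 403 Forbidden"


def run_matrix(send=fake_app):
    """Run every user x request pair and compare observed access to the tables."""
    results = []
    for user, request in product(USERS, REQUESTS):
        expected = bool(USERS[user] & REQUESTS[request])
        observed = bool(SUCCESS.match(send(user, request)))
        if observed == expected:
            verdict = "ok"
        elif observed:
            verdict = "UNAUTHORIZED ACCESS"  # succeeded but should be denied
        else:
            verdict = "unexpected denial"    # denied but should succeed
        results.append((user, request, expected, observed, verdict))
    return results


def findings(results):
    """Keep only the rows where the application disagrees with the tables."""
    return [(u, r, v) for u, r, _, _, v in results if v != "ok"]


if __name__ == "__main__":
    for row in run_matrix():
        print("%-6s %-20s expected=%-5s observed=%-5s %s" % row)
```

Because the tables are data rather than notes, the same run can be repeated unchanged after a fix to confirm that the finding list is empty.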

AuthMatrix automates this process and integrates with Burp Suite to actually execute the test cases you create. In the verification phase, you can edit variables, e.g., session ID, on the fly to streamline a variety of test cases associated with authorization. Because AuthMatrix is stateful, you can turn on/off user roles to test in any given test run by simply checking a box. AuthMatrix achieves a high level of usability with a simple UI and an easy to navigate interface indicating test results.


AuthMatrix can be found through the Security Innovation public GitHub page or can simply be installed directly in Burp for free in the BApp Store.