Skip to content
/ AuthInspector Public

Automated authorization checks with multiple headers tool written in golang

License

AGPL-3.0 license
8 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

karma9874/AuthInspector

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits
.github
.github
 
 
burp
burp
 
 
cmdOptions
cmdOptions
 
 
config
config
 
 
csv
csv
 
 
http
http
 
 
static
static
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

AuthInspector

Apache-2.0 License Twitter Follow GitHub followers

AuthInspector is a Golang tool designed for hassle-free authorization and authentication checks. By extracting request details from BurpSuite export, it performs thorough authorization checks based on user-provided headers for each request with Goroutines in place for speedy processing, and provides results in a simple CSV file with all details.

Work flow

Installation

Easy Installation: You can download the prebuilt binary from the releases page.

Go Install: go install github.com/karma9874/AuthInspector@latest

Go Build: go get && go build

Usage

  1. Begin by capturing web requests using the high-level account.
  2. Once your website browsing is complete, export the requests by navigating to Target -> Site map -> selecting the URL -> Right Click and Save Selected Item.
  3. Create an init.yaml file with the following configurations:
    • source: Specify the name of the exported file from the previous step.
    • auth: Define the header responsible for authentication (e.g., Cookie, Authorization header, custom).
    • filterMimeType: Include requests containing the specified MIME type.
    • headers: Optionally provide global headers, influencing requests containing this header.

AuthInspector provides the following commands for customization:

-proxy    Set up a proxy for testing.
-respBody Include response body in the output
-reqBody  Include request body in the output.
-timeout  Set the timeout for requests.
-threads  Specify the number of concurrent threads.
-listmime Lists the available mimetypes from the burp exported file
-verbose  Verbose output

Running AuthInspector

AuthInspector.exe -respBody -reqBody

Config Template

# Burp XML file name to be used in the authentication testing process.
source: example.xml

# Headers with authentication information.
auth:
  - header_key: header_value
  - header_key: header_value
  - dummy_header: dummy_value  # Do not remove this header (use to check unauthenticated requests)

# Mime types(case sensitive, for more details list mime type check -listmime mode). The tool will focus on checking authentication issues only on specified mime types.
filterMimeTypes:
  - JSON
  - XML

# Global headers to be included in all requests.
headers:
  - User-Agent: "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36"
  - API-KEY: some_key

About

Automated authorization checks with multiple headers tool written in golang

Topics

golang authorization bug-bounty privilege-escalation security-scanner security-tools security-testing

Resources

Readme

License

AGPL-3.0 license
Activity

Stars

8 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases 1

v1.0.0 Latest
Dec 25, 2023

Packages

No packages published

Languages