Autorize

Autorize is an open-source automatic authorization and authentication enforcement detection extension for Burp Suite.
It is designed to assist application security engineers and penetration testers in identifying authorization bypasses and authentication weaknesses in web applications—at scale and with minimal manual effort.

Autorize passively monitors traffic generated by a high-privileged user, automatically replays requests using low-privileged or unauthenticated contexts, and analyzes the server responses to determine whether access controls are properly enforced.

The extension is written in Python by Barak Tawily, an application security researcher and practitioner.

• Automatic authorization enforcement testing
• Automatic authentication enforcement testing
• Transparent request modification and replay
• Configurable enforcement detection (content, headers, regex, length)
• Support for:
  • Cookie-based authentication
  • Authorization headers (e.g., Bearer tokens)
• Seamless integration with:
  • Proxy traffic
  • Burp Repeater
• Flexible interception filtering (scope, whitelist, blacklist, regex)
• Visual enforcement status indicators for rapid triage

• Detecting IDORs and broken access control issues
• Verifying role separation (admin vs. user)
• Identifying endpoints missing authentication
• Validating backend authorization logic consistency
• Reducing manual authorization testing overhead

Autorize is especially effective during authenticated testing, where traditional crawling and scanning tools fall short.

• Burp Suite (Community or Professional)
• Jython Standalone JAR

1. Download Burp Suite
   https://portswigger.net/burp/download.html

2. Download Jython Standalone
   https://www.jython.org/download.html

3. Configure Jython in Burp

   • Burp → Extender → Options
   • Python Environment → Select File
   • Choose the Jython standalone JAR

4. Install Autorize

   • Recommended: Install directly from the BApp Store
   • Manual installation:

     git clone https://github.com/Quitten/Autorize.git

     • Burp → Extender → Extensions → Add
     • Select Autorize.py

5. Verify installation

   • A new Autorize tab should appear in Burp

1. Open the Autorize tab after installation.

2. Navigate to Autorize → Configuration.

3. Insert a low-privileged user authorization header:

   • Cookie
   • Authorization header (e.g., Bearer token)

   Note
   Headers defined here will be replaced if already present or added if missing.

4. Optional settings:

   • Check unauthenticated
     • Disable if authentication testing is not required
   • Intercept requests from Repeater
     • Enables testing of manually crafted requests

5. Click “Intercept is off” to start interception.

6. Configure your browser to proxy traffic through Burp.

7. Browse the application as a high-privileged user.

8. Observe results in the Autorize table.

9. Select any entry to inspect:

   • Original request/response
   • Modified (low-privileged) request/response
   • Unauthenticated request/response

Autorize assigns one of the following statuses to each tested endpoint:

Authorization or authentication was not enforced.

Access controls were properly enforced.

Autorize could not reliably determine enforcement and requires manual fingerprint configuration.

When enforcement cannot be automatically determined, you can configure Enforcement Detectors.

There are two detector categories:

• Low-privileged enforcement
• Unauthenticated enforcement

• Response body content
  • Literal string
  • Regular expression
• Response headers
• Content length
• Full response inspection

If a modified request returns a response containing:

You are not authorized to perform this action

Add this string (or a regex) as a fingerprint in the enforcement detector. Autorize will then automatically recognize authorization enforcement for similar responses.

Interception filters control which requests are analyzed by Autorize, helping reduce noise and improve performance.

• Burp Scope
• Whitelist
• Blacklist
• Regular expressions

Autorize includes default filters to exclude static assets such as images and scripts.

Example configuration:

• Autorize relies on response comparison heuristics and fingerprints—false positives or false negatives are possible.
• Complex authorization logic may require manual detector tuning.

Contributions are welcome.
Feel free to open issues, submit pull requests, or suggest improvements.

Barak Tawily
CTO @ Enso Security
Application Security Researcher – https://quitten.github.io/
Former Application Security Consultant @ AppSec Labs