AutorizePro by WuliRuler

Burp Suite extension for authorization vulnerability detection

created 9 months ago
363 stars

Top 78.5% on sourcepulse

Project Summary

AutorizePro is a Burp Suite extension designed to automate the detection of authorization vulnerabilities, commonly found in web applications. It targets security professionals and bug bounty hunters by significantly reducing false positives and increasing the efficiency of finding these critical flaws, especially in black-box testing scenarios.

How It Works

AutorizePro enhances traditional authorization testing by incorporating an optional AI analysis module. When AI is enabled, it analyzes requests based on configurable criteria (e.g., response status codes, JSON format, response length) to identify potential authorization bypasses. This AI-driven approach aims to overcome the limitations of rule-based automation, which often struggles with the diverse nature of API responses, thereby improving both detection accuracy and speed.

Quick Start & Requirements

  • Installation: Requires Burp Suite and Jython standalone JAR. Configure Burp Suite's Extender -> Options -> Python Environment with the Jython JAR. Then, add AutorizePro.py via Extender -> Extensions -> Add (Python extension type).
  • Prerequisites: Burp Suite, Jython 2.7.3 (tested version), Java 22 (tested Burp version).
  • Configuration: Load low-privilege user credentials (e.g., Cookie, Authorization header), optionally disable "Check unauthenticated," and enable "Intercept requests from Repeater." AI analysis requires API keys for supported models (default: Tongyi Qianwen).
  • Resources: To limit API cost, AI analysis is triggered only when specific conditions are met: the compared responses have equal status codes, the response is JSON, and the response length is between 50 and 6000 bytes.

Highlighted Details

  • Reduces false positives from 99% to 5% with AI analysis.
  • Displays original, bypassed, and unauthorized requests side-by-side for easy comparison.
  • Supports customizable configurations for filters, replacement rules, and report export.
  • Integrates with multiple large language models for AI analysis.

Maintenance & Community

  • Actively developed with weekly updates; users are encouraged to star the repository to track releases.
  • Open to bug feedback and feature suggestions via provided links.
  • Welcomes Pull Requests.
  • WeChat public account available for security sharing.
  • Based on the original Autorize plugin by Barak Tawily.

Licensing & Compatibility

  • Custom license with a strong disclaimer.
  • Prohibits unauthorized penetration testing and redistribution of modified versions for unauthorized testing.
  • Users must ensure compliance with local laws and obtain proper authorization.
  • Use implies acceptance of the terms, including limitations and disclaimers.

Limitations & Caveats

  • The "Is enforced???" status means the plugin could not determine whether authorization was enforced for that request; resolving it may require configuring enforcement detectors or enabling AI analysis.
  • Users are strongly advised to configure Interception Filters to target specific sites, both to prevent cookie leakage to unrelated hosts and to avoid unnecessary AI cost consumption.

Health Check
  • Last commit: 1 month ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 0
  • Issues (30d): 0
  • Star History: 92 stars in the last 90 days
