Simplifying Authorization Testing in Burp Part 1

Capturing multiple sessions can be annoying

As anyone who works on appsec can probably tell you, authorization testing is fundamental, but it can be very time consuming or just plain annoying. There are some great tools to assist, such as the Burp plugins Autorize and AuthAnalyzer, and these tools are awesome once they are set up.

My frustrations, however, have come from maintaining multiple sessions, tracking changing session cookies, and simply grabbing cookies from different sessions. We have a few options for making this process simpler, and I wanted to share some tips on them.

Using multiple profiles to separate traffic

Modern versions of Chrome and Firefox can create different profiles, which are commonly used to keep separate sets of favorites, plugins, and history. These features also benefit pentesters, because we can use them to maintain completely separate sessions to an application while switching between them easily.

Using profiles is how I originally started enhancing my authorization testing, and it still works great, especially in environments where you may not be able to freely install other tools, such as when working from a system provided by a client. I personally have not used Chrome for this as I prefer Firefox, so I will share how to set this up in Firefox.

Creating profiles in Firefox is quite easy: simply navigate to about:profiles and create as many new profiles as needed. Bear in mind that you will need to re-install any plugins you use on each additional profile, but I like this because it allows me to use a plugin like FoxyProxy with a specific configuration per profile.

I like to set my home page to about:profiles just to keep things simple when I launch my browser.

Once you have set your profiles up and launched them, you have two separate, fully featured browsers to work from. I strongly recommend capturing the traffic on separate ports in Burp by establishing another proxy listener, which makes it easy to differentiate between the two when reviewing your requests.
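As an added example that is not part of the original post: a POSIX shell script that prepares one Firefox profile directory per test user, pins each one to its own Burp listener through a user.js file (so no per-profile FoxyProxy setup is needed for the split), and launches them as independent browser instances. It assumes Firefox is on PATH as firefox, that Burp proxy listeners already exist on 127.0.0.1:8080 and 127.0.0.1:8081, and that the profile names, ports and the PROFILE_ROOT directory are placeholders you choose; the preference keys are Firefox's own network.proxy.* settings.

```shell
#!/bin/sh
# Added example (not from the original post): one Firefox profile per test
# user, each hard-wired to a separate Burp listener port via user.js, so the
# admin session and the low-privilege session land on different ports in
# Burp's proxy history.
#
# Assumptions (not from the post): "firefox" is on PATH, Burp listens on
# 127.0.0.1:8080 and 127.0.0.1:8081, and profiles live under PROFILE_ROOT.
PROFILE_ROOT="${PROFILE_ROOT:-$HOME/.burp-profiles}"

# write_proxy_prefs DIR HOST PORT
# Creates DIR and writes a user.js that forces a manual proxy for HTTP and
# HTTPS and disables the localhost bypass, so nothing slips past Burp.
# Firefox reads user.js from the profile directory on every startup.
write_proxy_prefs() {
    dir="$1"; host="$2"; port="$3"
    mkdir -p "$dir"
    cat > "$dir/user.js" <<EOF
// generated by the example script
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "$host");
user_pref("network.proxy.http_port", $port);
user_pref("network.proxy.ssl", "$host");
user_pref("network.proxy.ssl_port", $port);
user_pref("network.proxy.share_proxy_settings", true);
user_pref("network.proxy.no_proxies_on", "");
user_pref("network.proxy.allow_hijacking_localhost", true);
EOF
    printf '%s\n' "$dir/user.js"
}

# proxy_port_of DIR
# Reads back the HTTP proxy port from DIR/user.js; handy for checking which
# Burp listener a profile is pointed at before you start testing.
proxy_port_of() {
    sed -n 's/^user_pref("network.proxy.http_port", \([0-9]*\));$/\1/p' "$1/user.js"
}

# launch_profile DIR
# Starts an independent Firefox instance on that profile directory.
# --no-remote stops it from attaching to an already running Firefox, and
# -profile uses the directory directly rather than an entry in profiles.ini.
launch_profile() {
    firefox --no-remote -profile "$1" >/dev/null 2>&1 &
}

# setup_and_launch: the full procedure from the post, scripted.
# Call this explicitly (e.g. `sh -c '. ./burp-profiles.sh; setup_and_launch'`)
# so that merely sourcing the file does not spawn browsers.
setup_and_launch() {
    write_proxy_prefs "$PROFILE_ROOT/admin" 127.0.0.1 8080 >/dev/null
    write_proxy_prefs "$PROFILE_ROOT/user"  127.0.0.1 8081 >/dev/null
    echo "admin profile -> Burp port $(proxy_port_of "$PROFILE_ROOT/admin")"
    echo "user  profile -> Burp port $(proxy_port_of "$PROFILE_ROOT/user")"
    launch_profile "$PROFILE_ROOT/admin"
    launch_profile "$PROFILE_ROOT/user"
}
```

Add the second listener in Burp first (Proxy > Options > Proxy Listeners, bind to 127.0.0.1:8081), then call setup_and_launch. Because each profile's proxy is fixed in user.js, a request showing up on port 8081 is unambiguously from the low-privilege session, which is the separation the post recommends for reviewing history.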
As I mentioned, though, I now have a newer method which I find works far better, and it is a bit easier on your RAM if you are on a constrained system such as a laptop.

Containers are popular, let’s use those

Containerization is a growing trend everywhere, and browsers are no exception. Firefox offers container tabs, which do not require us to set up additional profiles or even run fully separate browser instances.

From Mozilla’s documentation:

Container tabs are like normal tabs however the sites you visit will have access to a separate slice of the browser's storage. This means your site preferences, logged in sessions, and advertising tracking data won't carry over to the new container. Likewise, any browsing you do within the new container will not affect your logged in sessions, or tracking data of your other containers.

Opening a container tab is simple: right click an existing tab and choose “re-open in container”, or right click the new tab button and select a container profile to open in.

Containers can be modified at about:preferences#containers

While these containers are great, they do not give us the same flexibility to specify different listening proxies to separate the traffic between them in Burp. Not to worry, though: there is a handy plugin that provides this separation and more.

Enter PwnFox

I recently discovered PwnFox, and ever since it has made my life so much easier by using container tabs and quickly tracking the different sessions in Burp. You can get the Burp plugin and the Firefox add-on here:

Once both are installed, there is minimal configuration needed for PwnFox: simply set your Burp proxy in the settings and check the “Enabled” checkbox in the top right of the plugin menu. From there, click the colored boxes to open colored tabs, which will be reflected with the same color coding in your Burp history, and you are ready to go.

Don’t forget to select “Enabled” in the top right to proxy your traffic

Once set up, your history will be color coded, making it a breeze to quickly locate session cookies or requests unique to one user.

I like to use distinct colors for admin sessions, like red, and similar colors for horizontal testing.

Stay tuned for part 2!

Are you looking for a security assessment for your network or applications? Send us an email at info@mccormackcyber.com