2025-01-16 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
In this article the editor introduces what kind of tool AuthMatrix is. I hope you will get something from it; let's discuss it together.
AuthMatrix
AuthMatrix is a plug-in for Burp Suite that helps researchers test the authentication mechanisms of web applications and web services. With AuthMatrix, testers can focus on the users, permissions, roles and requests of a specific application, and the structure of these tables and requests maps directly onto the access control matrix commonly used in threat modeling methods.
Once the tool is installed and configured, the tester can start a test run with a single mouse click. The tool displays the results in a colour-coded interface and marks the authentication and authorization vulnerabilities found in the target system.
Tool installation
AuthMatrix can be installed directly from the Burp Suite BApp Store. In Burp Suite, select the Extender tab, open the BApp Store, select AuthMatrix and click Install.
If researchers want to install it manually, they can clone the project source code locally with the following command:
git clone https://github.com/SecurityInnovation/AuthMatrix.git
Next, open Burp Suite, select the Extender tab, click the "Add" button, change the extension type to Python, and then select the AuthMatrix Python file.
Considerations
For AuthMatrix to run, Burp Suite must be configured to use Jython; please refer to the corresponding document for the configuration steps. Make sure the Jython version is v2.7.0 or later to ensure compatibility with the tool.
Tool use
Create user accounts for the various privilege roles in the target application, typically User, Admin and Anonymous accounts.
Create enough users to cover the different role permissions within the application, then group users by checking the box. A "single user" role contains only one user, and users can also be removed from a group.
Generate a session token for each user in the Repeater tab and fill it into the appropriate column of the Users table. Cookies can be sent directly by right-clicking the user in the Repeater interface; AuthMatrix parses the cookie string and populates it into the request. The cookie field is optional: if the target uses an HTTP header instead, click the "New Header" button to add the header.
From other Burp Suite tabs you can also right-click and select "Send to AuthMatrix".
In the AuthMatrix request table, use the check boxes to select the authentication roles with which each HTTP request should be sent.
Define a response regular expression based on the request's response behaviour; it decides whether the authentication succeeded or not. Common regular expressions match the corresponding HTTP header, or the success message and other variables contained in the body.
Click the "Run" button at the bottom of the tool to send the requests in batch, then inspect the results in the tool interface. Green indicates no vulnerability, red indicates the request may be vulnerable, and blue indicates the result may be a false positive.
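As an added illustration (not code from AuthMatrix or from this article), the following Python script reproduces the matrix logic described above against a constructed, offline stand-in for the target application: users with session cookies, requests with an expected set of allowed users, a success regex per request, and the green/red/blue verdict. All tokens, endpoints and the stand-in server are made up for the example.

```python
import re

# Constructed sample data: three roles plus one user whose session has expired.
# Tokens and endpoints are made up for this example.
USERS = {
    "admin": {"cookie": "session=ADMIN-TOKEN"},
    "user":  {"cookie": "session=USER-TOKEN"},
    "stale": {"cookie": "session=EXPIRED-TOKEN"},   # valid user, expired token
    "anon":  {"cookie": ""},
}

# Access-control matrix: which users are *expected* to succeed, and the success regex.
REQUESTS = {
    "GET /profile":     {"allowed": {"admin", "user", "stale"}, "success": r"^HTTP/1\.1 200 "},
    "GET /admin/users": {"allowed": {"admin"},                  "success": r"^HTTP/1\.1 200 "},
    "POST /logout":     {"allowed": {"admin", "user", "stale", "anon"}, "success": r"^HTTP/1\.1 (200|302) "},
}

def fake_server(request, cookie):
    """Constructed stand-in for the target (replace with real HTTP via Burp in practice).
    It deliberately contains one broken access check so the matrix has a red cell."""
    role = {"session=ADMIN-TOKEN": "admin", "session=USER-TOKEN": "user"}.get(cookie, "anon")
    if request == "GET /profile":
        return "HTTP/1.1 200 OK\r\n\r\n{}" if role != "anon" else "HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\n"
    if request == "GET /admin/users":
        # Bug: only checks that *some* valid session exists, not that it is an admin session.
        return "HTTP/1.1 200 OK\r\n\r\n[]" if role != "anon" else "HTTP/1.1 403 Forbidden\r\n\r\n"
    return "HTTP/1.1 302 Found\r\nLocation: /\r\n\r\n"

def classify(expected_allowed, succeeded):
    """AuthMatrix-style verdict: green = as expected, red = unexpected success (authz flaw),
    blue = expected success but failed (possible false positive, e.g. an invalid session)."""
    if succeeded == expected_allowed:
        return "green"
    return "red" if succeeded else "blue"

def run_matrix(users, requests, send):
    results = {}
    for req, spec in requests.items():
        success_re = re.compile(spec["success"], re.M)
        for name, user in users.items():
            response = send(req, user["cookie"])
            succeeded = success_re.search(response) is not None
            results[(req, name)] = classify(name in spec["allowed"], succeeded)
    return results

if __name__ == "__main__":
    for (req, name), verdict in run_matrix(USERS, REQUESTS, fake_server).items():
        print(f"{verdict:5} {name:5} {req}")
```

The red cell for the ordinary user on GET /admin/users is the authorization flaw; the blue cell for the expired session on GET /profile is the case the tool reports as a possible false positive, prompting the tester to refresh that user's token rather than record a finding.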
Tool demonstration screenshots: AuthMatrix sample configuration; false positive detection (invalid session token); CSRF detection; cross-user resource test; user authentication; Failure Regex mode configuration sample.
After reading this article, I believe you have a certain understanding of what kind of tool AuthMatrix is. If you want to learn more, welcome to follow the industry information channel. Thank you for reading!