Burp Suite User Forum


How I can automate OWASP A5: Broken Access Control testing with Burp Pro?

Valentyn | Last updated: Jan 08, 2021 03:23PM UTC

We are trying to cover all OWASP Top 10 issues, and right now I am investigating the possibility of automating Broken Access Control testing. Is there any possibility to do it with Burp Pro?

Michelle, PortSwigger Agent | Last updated: Jan 11, 2021 09:37AM UTC

Thanks for your message. We do have a couple of articles on testing OWASP Top 10 issues and testing access controls:
https://portswigger.net/support/using-burp-to-test-for-the-owasp-top-ten
https://portswigger.net/support/using-burp-to-test-access-controls
You mention that you are trying to automate this, though; can you tell us a bit more about the steps you are trying to automate, please?

Valentyn | Last updated: Jan 12, 2021 10:01AM UTC

I saw those articles, but what we truly want to implement is fully automated testing of those issues. I mean auditing requests by different users and IDOR testing. We have a large application and we can't test it manually; plus we are making a lot of changes, so we want to test it continuously. Any thoughts?

Michelle, PortSwigger Agent | Last updated: Jan 12, 2021 12:00PM UTC

Have you had a look at this extension? It might help with some of your tests: https://portswigger.net/bappstore/f9bbac8c4acf4aefa4d7dc92a991af2f

Valentyn | Last updated: Jan 12, 2021 12:57PM UTC

It would be a good solution, but it works through the proxy and browser and thus is manual. I expect it to work like an audit based on a sitemap. Is there something similar to this: https://portswigger.net/bappstore/30d8ee9f40c041b0bfec67441aad158e? I would use this extension, but I am getting errors with some requests.

Michelle, PortSwigger Agent | Last updated: Jan 13, 2021 10:52AM UTC

If you are getting errors with an extension then you can report these to the author of the extension. You can also create your own extensions to use; you're not restricted to the ones that are in the BApp Store. If you are interested in creating your own extension you might find these links useful:
https://portswigger.net/burp/extender/api/
https://portswigger.net/burp/extender
https://portswigger.net/burp/extender/writing-your-first-burp-suite-extension
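The core of a sitemap-based access control audit of the kind asked for above (replay each recorded request under a lower-privilege session and with no session, then compare the responses with the privileged baseline) can be written independently of the Burp API and only later wrapped in an extension. The following is an added example, not code from this thread or from any BApp; the in-memory application, its users, session cookie values and endpoints are constructed for the demo, and the `send` callable is the seam where a real extension would hand the request to Burp's HTTP facilities (assumed, not shown).

```python
"""Replay-and-compare check for broken access control (added example).

Requests recorded while logged in as a privileged user (what a site map holds)
are replayed with a low-privilege session and with no session. A replayed
response that is essentially identical to the privileged baseline is flagged
as a likely bypass; a 401/403 means the control held; anything else needs a
human look (per-user content legitimately differs, so similarity alone is not
proof of a bug).
"""
import difflib
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    cookie: Optional[str]  # session cookie value; None = unauthenticated


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1]; 1.0 means the two bodies are identical."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def classify(baseline: Response, replayed: Response, threshold: float = 0.9) -> str:
    """Verdict for one replayed request: 'bypassed', 'enforced' or 'review'."""
    if replayed.status in (401, 403):
        return "enforced"
    if replayed.status == baseline.status and similarity(baseline.body, replayed.body) >= threshold:
        return "bypassed"
    return "review"


def audit_sitemap(sitemap: List[Request], send: Callable[[Request], Response],
                  low_priv_cookie: str, threshold: float = 0.9,
                  include_unsafe: bool = False) -> List[Tuple[str, str, str, str]]:
    """Replay every recorded request as a low-privilege user and unauthenticated.

    State-changing methods are skipped unless include_unsafe is set, because
    blindly replaying them against a live application modifies data.
    """
    findings = []
    for req in sitemap:
        if req.method not in ("GET", "HEAD") and not include_unsafe:
            continue
        baseline = send(req)
        if baseline.status >= 400:
            continue  # no successful privileged response to compare against
        for label, cookie in (("low-priv", low_priv_cookie), ("unauth", None)):
            replayed = send(Request(req.method, req.path, cookie))
            findings.append((req.method, req.path, label, classify(baseline, replayed, threshold)))
    return findings


# --- constructed in-memory application standing in for the real target ---
USERS = {"s-admin": ("admin", "admin"), "s-alice": ("alice", "user")}
ORDERS = {1: {"owner": "admin", "total": 120}, 2: {"owner": "alice", "total": 30}}


def mock_send(req: Request) -> Response:
    user = USERS.get(req.cookie) if req.cookie else None
    if user is None:
        return Response(401, "login required")
    name, role = user
    if req.path == "/admin/users":
        if role != "admin":
            return Response(403, "forbidden")
        return Response(200, "users: admin, alice")
    m = re.fullmatch(r"/api/orders/(\d+)", req.path)
    if m:
        order = ORDERS.get(int(m.group(1)))
        if order is None:
            return Response(404, "no such order")
        # Deliberate defect for the demo: the owner is never checked (IDOR).
        return Response(200, f"order {m.group(1)} total={order['total']}")
    if req.path == "/api/profile":
        return Response(200, f"profile of {name} role={role}")
    return Response(404, "not found")


def run_demo() -> List[Tuple[str, str, str, str]]:
    """Site map recorded as the admin user, audited with alice's session."""
    sitemap = [
        Request("GET", "/admin/users", "s-admin"),
        Request("GET", "/api/orders/1", "s-admin"),
        Request("GET", "/api/profile", "s-admin"),
        Request("POST", "/admin/users", "s-admin"),  # skipped: not idempotent
    ]
    return audit_sitemap(sitemap, mock_send, low_priv_cookie="s-alice")


if __name__ == "__main__":
    for method, path, who, verdict in run_demo():
        print(f"{verdict:9} {who:9} {method} {path}")
```

Run as a script it flags `/api/orders/1` as bypassed for the low-privilege user, reports `/admin/users` as enforced, and puts `/api/profile` under review because the body differs per user. The similarity threshold and the list of methods considered safe to replay are the two knobs that need tuning per application; lowering the threshold catches more but produces more false positives on pages with per-user content.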
