The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

How can I automate OWASP A5: Broken Access Control testing with Burp Pro?

Valentyn | Last updated: Jan 08, 2021 03:23PM UTC

We are trying to cover all OWASP Top 10 issues, and right now I am investigating the possibility of automating Broken Access Control testing. Is there any possibility to do it with Burp Pro?

Michelle, PortSwigger Agent | Last updated: Jan 11, 2021 09:37AM UTC

Thanks for your message. We do have a couple of articles on testing OWASP Top 10 issues and testing access controls:

https://portswigger.net/support/using-burp-to-test-for-the-owasp-top-ten

https://portswigger.net/support/using-burp-to-test-access-controls

You mention that you are trying to automate this, though. Can you tell us a bit more about the steps you are trying to automate, please?

Valentyn | Last updated: Jan 12, 2021 10:01AM UTC

I saw those articles, but what we truly want to implement is fully automated testing of those issues. I mean auditing requests by different users and IDOR testing. We have a large application and we can't test it manually, plus we are doing a lot of changes, so we want to test it continuously. Any thoughts?

Michelle, PortSwigger Agent | Last updated: Jan 12, 2021 12:00PM UTC

Have you had a look at this extension? It might help with some of your tests: https://portswigger.net/bappstore/f9bbac8c4acf4aefa4d7dc92a991af2f

Valentyn | Last updated: Jan 12, 2021 12:57PM UTC

It would be a good solution, but it works through the proxy and browser and is thus manual. I expect it to work like an audit based on a sitemap. Is there something similar to this: https://portswigger.net/bappstore/30d8ee9f40c041b0bfec67441aad158e? I would use this extension, but I am getting errors with some requests.
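The sitemap-driven audit Valentyn describes in the two posts above (replay each recorded request under other users' sessions and compare the responses) is shown here as an added example; it is not code from this thread, from PortSwigger, or from either BApp linked above. It assumes a constructed in-memory stand-in for the application under test (`mock_app`, with a deliberately missing ownership check on `/orders/<id>` so that the audit has something to find) and a hypothetical session cookie value per principal; in real use the `send` callback would be Burp's HTTP request API or any HTTP client, and the sitemap would come from Burp's Target tab.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    session: str          # hypothetical session cookie value ("" = not logged in)


@dataclass(frozen=True)
class Response:
    status: int
    body: str


# Constructed stand-in for the application under test. In practice `send`
# below would be Burp's HTTP request API or a plain HTTP client.
USERS = {
    "sess-alice": {"name": "alice", "role": "admin"},
    "sess-bob":   {"name": "bob",   "role": "user"},
}
ORDERS = {1: "alice", 2: "bob"}     # order id -> owner (constructed data)


def mock_app(req: Request) -> Response:
    user = USERS.get(req.session)
    if user is None:
        return Response(401, "login required")
    if req.path.startswith("/admin/"):
        if user["role"] != "admin":
            return Response(403, "forbidden")        # role check enforced
        return Response(200, "user list")
    if req.path.startswith("/orders/"):
        order_id = int(req.path.rsplit("/", 1)[1])
        owner = ORDERS.get(order_id)
        if owner is None:
            return Response(404, "no such order")
        # Deliberate flaw for the demo: the caller's identity is never
        # compared with the owner, so any logged-in user can read any order.
        return Response(200, f"order {order_id} belongs to {owner}")
    if req.path == "/profile":
        return Response(200, f"profile of {user['name']}")
    return Response(404, "not found")


def audit_sitemap(sitemap, sessions, send):
    """Replay every recorded request under every other principal's session.

    sitemap:  requests captured while browsing as a privileged user
    sessions: label -> session value for the other principals to test as
    send:     callable Request -> Response
    Returns a list of (method, path, session label, verdict) tuples.
    """
    findings = []
    for req in sitemap:
        baseline = send(req)
        if baseline.status != 200:
            continue                       # nothing meaningful to compare
        for label, token in sessions.items():
            if token == req.session:
                continue                   # same principal, skip
            replay = send(Request(req.method, req.path, token))
            if replay.status == 200 and replay.body == baseline.body:
                findings.append((req.method, req.path, label,
                                 "identical response: access control likely missing"))
            elif replay.status == 200:
                findings.append((req.method, req.path, label,
                                 "200 with different body: review manually"))
            # 401/403/404 on replay: the control held for this principal
    return findings


# Constructed sitemap, as if recorded in Burp while logged in as the admin.
SITEMAP = [
    Request("GET", "/admin/users", "sess-alice"),
    Request("GET", "/orders/1",    "sess-alice"),
    Request("GET", "/profile",     "sess-alice"),
]
OTHER_SESSIONS = {"bob (user)": "sess-bob", "anonymous": ""}

if __name__ == "__main__":
    for finding in audit_sitemap(SITEMAP, OTHER_SESSIONS, mock_app):
        print(*finding, sep="  ")
```

The comparison is deliberately split into two verdicts: a byte-identical 200 is the strong signal (the same order record served to a different user), while a 200 with a different body (such as `/profile`, which correctly returns each user's own data) is only queued for manual review, since per-user pages legitimately differ. Running this on every change, with the sitemap exported from Burp, gives the continuous check the thread asks for; the anonymous session is included so that authentication failures are exercised alongside authorization ones.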

Michelle, PortSwigger Agent | Last updated: Jan 13, 2021 10:52AM UTC