[The Burp SessionAuth] Extension for Detection of Possible Privilege escalation vulnerabilities

Normally a web application should identify a logged in user by data which is stored on the server side in some kind of session storage. However, in web application audits someone can often observe that internal user identifiers are transmitted in HTTP requests as parameters or cookies. Applications which trust identity information provided by the client can be vulnerable to privilege escalation attacks. Finding all occurrences of identity data transmissions can be quite straining, especially if this information is sent in different parameters, among other information or only in particular requests.

The motivation behind the Burp SessionAuth extension was to support the web application auditor in finding such cases of privilege escalation vulnerabilities. The idea is, that the auditor provides some information, internal identifiers and strings which identify different users (e.g. his/her real name) or content. The extension performs the following tasks:

  • Monitoring of all requests for occurrences of the given identifiers. Such requests are typical candidates for privilege escalation vulnerabilities. Even if a web application doesn’t seems to be vulnerable in one part, it can still be vulnerable in other ones.
  • Preparing an Intruder configuration on request of the user and implementation of a Intruder payload generator which delivers the user identifiers.
  • Actively scan a suspicious request and try to determine vulnerabilities automatically by some heuristics.

Please be aware that this piece of software is still very experimental!

Disqus Comments