While many threats to web applications such as SQLi and XSS can be mitigated through generic framework solutions, enforcing authorization remains a complex task for developers. Proper enforcement of access controls requires unique design considerations for each application and can be difficult to get right. Detecting vulnerabilities in authorization can be just as challenging, as these issues are generally difficult to map and test for. Due to the complexity in an application's architecture, pen-testers must frequently use their limited time and resources developing custom tools specific to a single application's authorization model.
In this presentation we take you through the process of designing a tool capable of simplifying this testing methodology to reduce the redundancy between testing unique targets. We will discuss some of the common authorization insecurity patterns seen in web applications and services, consider the common challenges faced by pen-testers when testing for these issues, and present effective methods for mapping the intricacies of these models. Additionally, we will introduce AuthMatrix, a new extension to the Burp Suite testing utility designed to simplify authorization test cases in a clear and reproducible manner.