{"id":13539487,"url":"https://github.com/quitten/autorize","last_synced_at":"2026-01-11T10:00:13.497Z","repository":{"id":27266515,"uuid":"30739183","full_name":"Quitten/Autorize","owner":"Quitten","description":"Automatic authorization enforcement detection extension for Burp Suite, written in Jython and developed by Barak Tawily to ease application security practitioners' work and allow them to perform automatic authorization tests","archived":false,"fork":false,"pushed_at":"2025-07-03T01:22:42.000Z","size":3162,"stargazers_count":1069,"open_issues_count":14,"forks_count":226,"subscribers_count":25,"default_branch":"master","last_synced_at":"2025-07-03T02:29:35.258Z","etag":null,"topics":["application-security","authorization","authorization-enforcement","burp-plugin","burpsuite","jython"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Quitten.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2015-02-13T03:47:50.000Z","updated_at":"2025-07-03T01:22:46.000Z","dependencies_parsed_at":"2023-02-12T10:30:52.726Z","dependency_job_id":"451ee941-7afa-47e3-b87d-bc9e71e05a63","html_url":"https://github.com/Quitten/Autorize","commit_stats":null,"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"purl":"pkg:github/Quitten/Autorize","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Quitten%2FAutorize","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Quitten%2FAutorize/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Quitten%2FAutorize/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Quitten%2FAutorize/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Quitten","download_url":"https://codeload.github.com/Quitten/Autorize/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Quitten%2FAutorize/sbom","scorecard":{"id":116237,"data":{"date":"2025-08-11","repo":{"name":"github.com/Quitten/Autorize","commit":"40ffcfb7e96a0462ea8ee62fcb4f76896a47df45"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.2,"checks":[{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":6,"reason":"8 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 6","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":2,"reason":"Found 3/15 approved changesets -- score normalized to 2","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"License","score":0,"reason":"license file not detected","details":["Warn: project does not have a license file"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact 1.8 not signed: https://api.github.com/repos/Quitten/Autorize/releases/167446127","Warn: release artifact 1.8 does not have provenance: https://api.github.com/repos/Quitten/Autorize/releases/167446127"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 22 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-16T01:21:23.999Z","repository_id":27266515,"created_at":"2025-08-16T01:21:24.000Z","updated_at":"2025-08-16T01:21:24.000Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28299708,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-11T08:21:30.231Z","status":"ssl_error","status_checked_at":"2026-01-11T08:21:26.882Z","response_time":60,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["application-security","authorization","authorization-enforcement","burp-plugin","burpsuite","jython"],"created_at":"2024-08-01T09:01:26.572Z","updated_at":"2026-01-11T10:00:13.412Z","avatar_url":"https://github.com/Quitten.png","language":"Python","readme":"# Autorize\nAutorize is an automatic authorization enforcement detection extension for Burp Suite. It was written in Python by Barak Tawily, an application security expert. Autorize was designed to help security testers by performing automatic authorization tests. With the latest release, Autorize now also performs automatic authentication tests.\n\n![alt tag](https://raw.githubusercontent.com/Quitten/Autorize/master/Autorize.png)\n\n# Installation\n1.\tDownload Burp Suite (obviously): http://portswigger.net/burp/download.html\n2.\tDownload the Jython standalone JAR: http://www.jython.org/download.html\n3.\tOpen Burp -\u003e Extender -\u003e Options -\u003e Python Environment -\u003e Select File -\u003e Choose the Jython standalone JAR\n4.\tInstall Autorize from the BApp Store or follow these steps:\n5.\tDownload the Autorize source code: `git clone git@github.com:Quitten/Autorize.git`\n6.\tOpen Burp -\u003e Extender -\u003e Extensions -\u003e Add -\u003e Choose the Autorize.py file.\n7.\tSee the Autorize tab and enjoy automatic authorization detection :)\n\n\n# User Guide - How to use?\n1.\tAfter installation, the Autorize tab will be added to Burp.\n2.\tOpen the configuration tab (Autorize -\u003e Configuration).\n3.\tGet your low-privileged user's authorization token header (Cookie / Authorization) and copy it into the textbox containing the text \"Insert injected header here\".\n**Note**: A header inserted here replaces the header of the same name if the request already carries one, and is added if it does not.\n4.  Uncheck \"Check unauthenticated\" if the authentication test is not required (a request sent without any cookies, which checks for authentication enforcement in addition to the authorization enforcement checked with the low-privileged user's cookies).\n5.  Check \"Intercept requests from Repeater\" to also intercept the requests that are sent through the Repeater.\n6.\tClick on \"Intercept is off\" to start intercepting the traffic so that Autorize can check for authorization enforcement.\n7.\tOpen a browser and configure the proxy settings so the traffic is passed to Burp.\n8.\tBrowse the application you want to test as a high-privileged user.\n9.\tThe Autorize table will show you each request's URL and enforcement status.\n10.\tYou can click on a specific URL and see the original/modified/unauthenticated request/response in order to investigate the differences.\n\n\n# Authorization Enforcement Status\nThere are 3 enforcement statuses:\n\n1.\tBypassed! - Red color\n\n2.\tEnforced! - Green color\n\n3.\tIs enforced??? (please configure enforcement detector) - Yellow color\n\nThe first 2 statuses are clear, so I won't elaborate on them.\n\nThe 3rd status means that Autorize cannot determine whether authorization is enforced or not, so Autorize asks you to configure a filter in the enforcement detector tabs. There are two enforcement detector tabs: one for detecting the enforcement of low-privileged requests and one for detecting the enforcement of unauthenticated requests.\n\nThe enforcement detector filters allow Autorize to detect authentication and authorization enforcement in the server's response, by content length or by a string (literal string or regex) in the message body, in the headers or in the full request.\n\nFor example, if a request's enforcement status is detected as \"Authorization enforced??? (please configure enforcement detector)\", you can investigate the modified/original/unauthenticated responses and see that the modified response body includes the string \"You are not authorized to perform action\". Add a filter with the fingerprint value \"You are not authorized to perform action\", and Autorize will look for this fingerprint and automatically detect that authorization is enforced. You can do the same by defining a content-length filter or a fingerprint in the headers.\n\n# Interception Filters\nThe interception filter lets you configure which domains the Autorize plugin intercepts. You can filter by blacklist, whitelist, regex or the items in Burp's scope, so that irrelevant domains are not intercepted by Autorize and your work stays organized.\n\nExample of interception filters (note that there is a default filter that excludes scripts and images):\n![interception-filters](https://raw.githubusercontent.com/Quitten/Autorize/refs/heads/master/interception-filters.png)\n\n\n# Authors\n- Barak Tawily, CTO @ [enso.security](https://enso.security/) by day, [Application Security Researcher](https://quitten.github.io/) by night, former Application Security Consultant @ [AppSec Labs](https://appsec-labs.com/)\n","funding_links":[],"categories":["\u003ca id=\"1233584261c0cd5224b6e90a98cc9a94\"\u003e\u003c/a\u003ePenetration\u0026\u0026offensive\u0026\u0026Penetration framework\u0026\u0026Post-exploitation framework","\u003ca id=\"5dd93fbc2f2ebc8d98672b2d95782af3\"\u003e\u003c/a\u003eTools","\u003ca id=\"4230c7dcb571d29a706e9b753d5644e6\"\u003e\u003c/a\u003eTools"],"sub_categories":["\u003ca id=\"39e9a0fe929fffe5721f7d7bb2dae547\"\u003e\u003c/a\u003eBurp","\u003ca id=\"285c52a4e04dd2f86646c8e1235c9332\"\u003e\u003c/a\u003eTools"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fquitten%2Fautorize","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fquitten%2Fautorize","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fquitten%2Fautorize/lists"}