Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/karma9874/authinspector
Automated authorization checks with multiple headers tool written in golang
- Host: GitHub
- URL: https://github.com/karma9874/authinspector
- Owner: karma9874
- License: agpl-3.0
- Created: 2023-12-02T19:18:12.000Z (12 months ago)
- Default Branch: main
- Last Pushed: 2024-01-03T15:44:59.000Z (10 months ago)
- Last Synced: 2024-05-02T02:21:09.829Z (7 months ago)
- Topics: authorization, bug-bounty, golang, privilege-escalation, security-scanner, security-testing, security-tools
- Language: Go
- Size: 567 KB
- Stars: 8
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# AuthInspector
[![Apache-2.0 License](https://img.shields.io/badge/license-Apache2.0-blue.svg)](http://www.apache.org/licenses/)

AuthInspector is a Go tool for automated authorization and authentication checks. It reads the requests from a Burp Suite export, re-sends each of them with every user-supplied set of authentication headers (concurrently, using goroutines), and writes the results to a CSV file.
# Work flow
# Installation
**Easy Installation**: You can download the prebuilt binary from the [releases](https://github.com/karma9874/AuthInspector/releases) page.
**Go Install**: `go install github.com/karma9874/AuthInspector@latest`
**Go Build**: clone the repository and run `go get && go build` in its root.
# Usage
1. In Burp Suite, browse the application while logged in as the highest-privilege account, so that every request you want checked is captured under that account's session.
2. When you have finished browsing, export the captured requests: `Target -> Site map -> select the URL -> right-click -> Save Selected Items`. Every exported request is later re-sent once per configured header set, so state-changing requests (POST, PUT, DELETE) are executed again; capture against a test environment or accounts you can afford to modify.
3. Create an `init.yaml` file with the following configuration:
   * `source:` the name of the file exported in the previous step.
   * `auth:` the header sets to test with; each entry is one header that carries authentication (e.g. `Cookie`, `Authorization`, or a custom header) with the value of a lower-privileged account. Keep the dummy entry from the template so that unauthenticated access is tested as well.
   * `filterMimeTypes:` only requests whose response had one of these MIME types are checked (case-sensitive; `-listmime` prints the values present in the export).
   * `headers:` optional global headers added to every request, e.g. a User-Agent or an API key.

AuthInspector provides the following command-line options:
```
-proxy Set up a proxy for testing.
-respBody Include response body in the output
-reqBody Include request body in the output.
-timeout Set the timeout for requests.
-threads Specify the number of concurrent threads.
-listmime Lists the available mimetypes from the burp exported file
-verbose Verbose output
```

**Running AuthInspector**

```
AuthInspector.exe -respBody -reqBody
```

**Config Template**
```yaml
# Burp XML file name to be used in the authentication testing process.
source: example.xml

# Headers with authentication information. Each entry is one header set to test with.
auth:
  - header_key: header_value
  - header_key: header_value
  - dummy_header: dummy_value # Do not remove this header (used to check unauthenticated requests)

# Mime types (case sensitive; run with -listmime to see the ones present in the export).
# The tool will check for authorization issues only on requests with these mime types.
filterMimeTypes:
  - JSON
  - XML

# Global headers to be included in all requests.
headers:
  - User-Agent: "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36"
  - API-KEY: some_key
```
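As an added example, not AuthInspector's own code, here is the input half of steps 2 and 3 above in Go: read a Burp "Save Selected Items" export, apply a case-sensitive MIME-type filter like `filterMimeTypes`, and turn each item into a request that can be re-sent with other authentication headers. The export is constructed inline to match the shape of Burp's XML (an `<item>` with `<url>`, `<protocol>`, `<mimetype>` and a base64-encoded `<request>`); `ParseBurpExport`, `ConstructedExport`, the host `target.local` and the admin bearer token are this example's own names and data, not the project's.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// burpExport mirrors the parts of a Burp "Save selected items" XML file that an
// authorization replay needs: protocol, mime type (for filtering) and the raw request.
type burpExport struct {
	Items []struct {
		URL      string `xml:"url"`
		Protocol string `xml:"protocol"`
		MimeType string `xml:"mimetype"`
		Request  struct {
			Base64 bool   `xml:"base64,attr"`
			Body   string `xml:",chardata"`
		} `xml:"request"`
	} `xml:"item"`
}

// ParseBurpExport returns one replayable *http.Request per exported item whose mime
// type is listed in filter (case-sensitive, as the tool documents); nil keeps all items.
func ParseBurpExport(r io.Reader, filter []string) ([]*http.Request, error) {
	var exp burpExport
	if err := xml.NewDecoder(r).Decode(&exp); err != nil {
		return nil, err
	}
	keep := map[string]bool{}
	for _, m := range filter {
		keep[m] = true
	}
	var reqs []*http.Request
	for _, it := range exp.Items {
		if len(keep) > 0 && !keep[it.MimeType] {
			continue
		}
		raw := []byte(it.Request.Body) // base64="false" exports carry the request verbatim
		if it.Request.Base64 {
			var err error
			if raw, err = base64.StdEncoding.DecodeString(strings.TrimSpace(it.Request.Body)); err != nil {
				return nil, fmt.Errorf("%s: bad base64: %w", it.URL, err)
			}
		}
		req, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(raw)))
		if err != nil {
			return nil, fmt.Errorf("%s: bad request: %w", it.URL, err)
		}
		// ReadRequest yields a server-side request: clear RequestURI, make the URL
		// absolute, and buffer the body so it can be re-sent once per auth variant.
		body, _ := io.ReadAll(req.Body)
		req.RequestURI, req.URL.Scheme, req.URL.Host = "", it.Protocol, req.Host
		req.GetBody = func() (io.ReadCloser, error) { return io.NopCloser(bytes.NewReader(body)), nil }
		req.Body, _ = req.GetBody()
		reqs = append(reqs, req)
	}
	return reqs, nil
}

// constructedItem writes one <item> the way Burp does with "Base64-encode requests
// and responses" ticked; it exists only to assemble the sample export below.
func constructedItem(proto, host, mime, rawRequest string) string {
	return fmt.Sprintf(`<item><url>%s://%s/</url><protocol>%s</protocol><mimetype>%s</mimetype>`+
		`<request base64="true"><![CDATA[%s]]></request></item>`,
		proto, host, proto, mime, base64.StdEncoding.EncodeToString([]byte(rawRequest)))
}

// ConstructedExport is the sample input: two JSON API calls and one HTML page, all
// captured while logged in as the admin (constructed data, not a real capture).
func ConstructedExport() string {
	const hostAuth = "Host: target.local\r\nAuthorization: Bearer admin-token\r\n"
	return "<items>" +
		constructedItem("https", "target.local", "JSON", "GET /api/admin/users HTTP/1.1\r\n"+hostAuth+"\r\n") +
		constructedItem("https", "target.local", "JSON", "POST /api/admin/users HTTP/1.1\r\n"+hostAuth+
			"Content-Type: application/json\r\nContent-Length: 18\r\n\r\n{\"name\":\"mallory\"}") +
		constructedItem("https", "target.local", "HTML", "GET / HTTP/1.1\r\n"+hostAuth+"\r\n") +
		"</items>"
}

func main() {
	reqs, err := ParseBurpExport(strings.NewReader(ConstructedExport()), []string{"JSON"})
	if err != nil {
		panic(err)
	}
	for _, r := range reqs {
		body, _ := io.ReadAll(r.Body)
		fmt.Printf("%s %s auth=%q body=%q\n", r.Method, r.URL, r.Header.Get("Authorization"), body)
	}
}
```

With the `JSON` filter the HTML page is dropped and two requests come out, still carrying the admin's `Authorization` header; `GetBody` is set so a replay loop can send the same POST body once per identity instead of consuming it on the first attempt.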
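As a second added example, again not the project's code, here is the check itself that the `auth` list drives: every captured request is cloned once per configured identity, the authentication header is swapped in or removed (the dummy-header case), and each answer is compared with the high-privilege baseline. The target is a constructed local server with a deliberately missing role check on one endpoint; the tokens, `Replay`, `flawedTarget` and the 10% length tolerance are this example's own choices (the README does not say how AuthInspector compares responses).

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// AuthVariant is one identity to replay as; an empty Value deletes the header (the
// config template's "dummy header" probe for unauthenticated access).
type AuthVariant struct{ Name, Header, Value string }

// Result is one output row: one captured request replayed under one variant.
type Result struct{ Variant, Method, Path, Verdict string; Status, Length int }

// Replay sends each request once per variant. variants[0] must be the high-privilege
// identity the traffic was captured with; a lower identity that gets the same status
// and a body within 10% of that baseline length is flagged SAME_RESPONSE.
func Replay(client *http.Client, reqs []*http.Request, variants []AuthVariant) ([]Result, error) {
	var out []Result
	for _, base := range reqs {
		var baseline Result
		for i, v := range variants {
			req := base.Clone(base.Context())
			if base.GetBody != nil { // fresh copy of the body for every replay
				req.Body, _ = base.GetBody()
			}
			if v.Value == "" {
				req.Header.Del(v.Header)
			} else {
				req.Header.Set(v.Header, v.Value)
			}
			resp, err := client.Do(req)
			if err != nil {
				return nil, err
			}
			body, _ := io.ReadAll(resp.Body)
			resp.Body.Close()
			res := Result{v.Name, req.Method, req.URL.Path, "BASELINE", resp.StatusCode, len(body)}
			if i == 0 {
				baseline = res
			} else if d := res.Length - baseline.Length; res.Status == baseline.Status && d*d*100 <= baseline.Length*baseline.Length {
				res.Verdict = "SAME_RESPONSE" // |d| is at most 10% of the baseline length
			} else {
				res.Verdict = "DIFFERENT"
			}
			out = append(out, res)
		}
	}
	return out, nil
}

// tokens and flawedTarget are a constructed stand-in for the application under test:
// both admin endpoints require a valid token, but only /api/admin/config checks the role.
var tokens = map[string]string{"Bearer admin-token": "admin", "Bearer alice-token": "user"}
func flawedTarget() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/admin/users", func(w http.ResponseWriter, r *http.Request) {
		if tokens[r.Header.Get("Authorization")] == "" { // authenticated, but the role is never checked
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, `[{"id":1,"name":"admin"},{"id":2,"name":"alice"}]`)
	})
	mux.HandleFunc("/api/admin/config", func(w http.ResponseWriter, r *http.Request) {
		if tokens[r.Header.Get("Authorization")] != "admin" { // correct: role enforced
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		fmt.Fprint(w, `{"debug":false,"smtp":"mail.internal"}`)
	})
	return httptest.NewServer(mux)
}

// Run replays two requests captured as admin (standing in for the Burp export) as admin, an ordinary user and an unauthenticated client.
func Run() ([]Result, error) {
	srv := flawedTarget()
	defer srv.Close()
	var reqs []*http.Request
	for _, p := range []string{"/api/admin/users", "/api/admin/config"} {
		req, _ := http.NewRequest("GET", srv.URL+p, nil)
		req.Header.Set("Authorization", "Bearer admin-token")
		reqs = append(reqs, req)
	}
	return Replay(srv.Client(), reqs, []AuthVariant{
		{"admin", "Authorization", "Bearer admin-token"},   // identity used for the capture
		{"lowpriv", "Authorization", "Bearer alice-token"}, // ordinary user
		{"unauth", "Authorization", ""},                    // header removed entirely
	})
}

func main() {
	rows, _ := Run()
	for _, r := range rows {
		fmt.Printf("%s,%s,%s,%d,%d,%s\n", r.Variant, r.Method, r.Path, r.Status, r.Length, r.Verdict)
	}
}
```

The ordinary user gets the admin's exact response from `/api/admin/users` and is flagged `SAME_RESPONSE`; the properly protected `/api/admin/config` answers 403 to both lower identities and is reported `DIFFERENT`. Treat `SAME_RESPONSE` as a lead rather than a finding: an endpoint that legitimately returns per-user data gives every identity the same status and a similar length, which is why the `-respBody` option exists, so the bodies are kept in the output and can be compared before reporting.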