UI Tweaks #7
Maybe I do not understand the use case, but I am still sure that you are able to do exactly the same stuff with the current implementation. In addition to the possibility to set a specific session to pause, you are able to check "Filter Requests with same Header(s)". This means that if you are navigating through the web app, the requests are not repeated if, for instance, the same session cookie is set. The Drop Original Request function does really drop the Original Request. If this feature is activated, the web app will of course not work as expected because all your requests will be dropped. Furthermore, there is no possibility to compare the Original Response with the Repeated One, because you don't have an Original Response... Activating this feature for general purposes would mean that the Auth Analyzer cannot be used as intended at all. Please let me know if there is a misunderstanding from my side.
Thanks so much for this explanation, this could indeed work, I need to test that! Btw the extension is getting better and better, I would say some UI tweaks/improvements are well needed, see the buttons on the left and right side and the alignments of the different sections. A few ideas for UI improvements (I am not a designer, so take with a pinch of salt):
For some new feature ideas, you could:
Also, some side questions whilst I am on it:
Once again, I cannot stress enough how amazing this extension is; it really streamlined my methodology for horizontal/vertical privilege escalation assessments, and that is why I think it is important to really make it good and pleasing to the eyes, because I know that personally I will use it quite a lot once I get more accustomed to it. 😁 Note: You could take inspiration on
Sync Tabs Only in Scope vs. Restrict To Scope Drop Original Requests For your inputs about the UI: some of them I can take into consideration, others I do not agree with you on. To be honest, the Autorize UI is in many parts pretty confusing from my point of view. For instance, having a configuration tab and a session tab (two completely dissimilar components) would absolutely confuse me. Or splitting the global filters into different UI components (they are all used for similar stuff) is not intuitive from my point of view and would take more time to handle.
These are just some suggestions to take or leave. And I confused "Sync Tabs" with "Sync Scroll", maybe worth implementing?
Since the Burp IMessageEditor is in use, unfortunately there is no direct access to the Scrollpane inside the component...
The good auld Burp API, they should export more functions. Anyway, thanks a lot for your replies and I am looking forward to seeing some UI tweaks, I will also check the method you described above of pausing a session. Note: Pausing my current crawling session does indeed do the work by displaying
Thanks for the example! However, I am not able to reproduce this behaviour, the session is set with an "Authentication Bearer" token, not sure if this use case is covered in your code. Also, I know that the Burp API has helpers to extract and process cookies/headers. Might be worth looking at that - if not already implemented - so that even cookies/headers not occurring in the exact same way would yield the described behaviour.
The content of the header does not matter. It just must be exactly the same string. And if several headers are declared in your session, all headers must occur in the exact same way. Cookie extraction replacement is in use at the parameter function. This is not suitable for the "Filter Request with same Header" use case from my point of view.
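The exact-string rule the maintainer describes above, as an added Python illustration (not Auth Analyzer's own code): a request is skipped only when every configured session header line appears in it verbatim, which is why a differently valued Bearer token, as in the earlier comment, is not filtered. The header names, token values and sample requests are constructed.

```python
# Added illustration of the "Filter Requests with same Header(s)" rule as
# described in the thread: skip (do not repeat) a request only when every
# header line configured for the session appears in the request as exactly
# the same string. Constructed example, not the extension's own code.
from typing import List, Tuple


def request_headers(raw_request: str) -> List[str]:
    """Return the header lines of a raw HTTP request (request line and body excluded)."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    return lines[1:]  # drop the request line


def should_skip(session_headers: List[str], raw_request: str) -> Tuple[bool, str]:
    """Decide whether the request already carries all session headers verbatim.

    Returns (skip, reason). The comparison is an exact, case-sensitive string
    match, so a different token value, different casing or extra whitespace
    in a header means the request is NOT skipped and will be repeated.
    """
    present = set(request_headers(raw_request))
    for wanted in session_headers:
        if wanted not in present:
            return False, f"missing or different: {wanted!r}"
    return True, "all session headers present verbatim; repeat would be identical"


# Constructed sample session and traffic.
SESSION = ["Authorization: Bearer tokenA", "X-Tenant: acme"]

SAME = ("GET /api/me HTTP/1.1\r\nHost: app.example\r\n"
        "Authorization: Bearer tokenA\r\nX-Tenant: acme\r\n\r\n")
OTHER_TOKEN = ("GET /api/me HTTP/1.1\r\nHost: app.example\r\n"
               "Authorization: Bearer tokenB\r\nX-Tenant: acme\r\n\r\n")
ONE_OF_TWO = ("GET /api/me HTTP/1.1\r\nHost: app.example\r\n"
              "Authorization: Bearer tokenA\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("same", SAME), ("other token", OTHER_TOKEN), ("one of two", ONE_OF_TWO)]:
        print(name, should_skip(SESSION, req))
```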
@simioni87 just wondering what the status is for the UI refinements? 🙃
Hi aress31
Thanks so much @simioni87, amazing job as always! Just reviewed this new release and I still got a few comments (take or leave 😀):
This is all I can think of at the minute, but the UI does look better already 😁 PS: Also, the bottom-margin value in: And the bottom margin between |
The rest will be left as it is, since almost each component has a well-thought-out reason for being in its place in the manner it is. Nevertheless, thanks for your inputs and have fun!
Further to my previous ticket for an authentication matrix, I came up with this new idea. How about being able to set the current User context, let me try to explain.
Let's say I have the following user roles:
- Admin
- Operator
- User
The process would be the following:
- Admin: having access to endpoints and features limited to this role
- Operator
- User
When crawling under the user roles listed above, there should be an option in the UI like a checkbox to select the current user role for intercepted requests; this would cause the relevant column in the matrix table to be set to something like "N/A" or "Select Context". This would create a complete matrix of all available endpoints/features and the access rights of each configured user. Exporting this as a CSV table and putting it in a pentest report would add a lot of value to customers. Also, this option would be amazing and simplify privilege escalation checks.
Please let me know what you think of this feature.
Note: In this case there will be no need for the drop original request button as the original request will be the one associated with the selected user context.