UI Tweaks #7

Closed
aress31 opened this issue Feb 2, 2021 · 13 comments

Comments

@aress31

aress31 commented Feb 2, 2021

Further to my previous ticket for an authentication matrix, I came up with this new idea. How about being able to set the current user context? Let me try to explain.

Let's say I have the following user roles:

  • Admin
  • Operator
  • User

The process would be the following:

  1. I configure the extension with the relevant users and their associated JWT token/session cookie
  2. I manually crawl the application as the Admin, having access to endpoints and features limited to this role
  3. I do the same with the Operator
  4. I do the same with the User

When crawling under the user roles listed above, there should be an option in the UI, like a checkbox, to select the current user role for intercepted requests; this would cause the relevant column in the matrix table to be set to something like N/A or Select Context. This would create a complete matrix of all available endpoints/features and the access rights of each configured user.

Exporting this as a CSV table and putting it in a pentest report would add a lot of value for customers. Also, this option would be amazing and would simplify privilege escalation checks.

Please let me know what you think of this feature.

Note: In this case there will be no need for the drop original request button as the original request will be the one associated with the selected user context.
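As an added example (not part of the original issue and not Auth Analyzer's own code), the following script builds the per-role access matrix described in the steps above from a list of crawl observations and exports it as CSV. The role names, the "Same / Similar / Different" heuristic (status code plus body length), the `N/A` marking of the crawl context and the sample observations are all assumptions constructed for illustration.

```python
"""
Added example (not part of the original issue or Auth Analyzer's code):
build a per-role access matrix from crawl observations and export it as CSV.

Assumptions (hypothetical, for illustration only):
  * every request is crawled once under a "context" role and replayed
    under every other configured role;
  * a replayed response is classified against the original by a simple
    heuristic: same status and near-identical body length -> "Same",
    same status but clearly different length -> "Similar", else "Different";
  * the context role's own cell is marked "N/A", as discussed in the issue.
"""
import csv
import io
from dataclasses import dataclass, field

ROLES = ["Admin", "Operator", "User"]  # most privileged first


@dataclass
class Observation:
    context: str                 # role the request was originally crawled as
    method: str
    path: str
    original: tuple              # (status, body length) of the original response
    replayed: dict = field(default_factory=dict)  # role -> (status, body length)


def classify(original, replayed, tolerance=0.05):
    """Compare a replayed response with the original (hypothetical heuristic)."""
    o_status, o_len = original
    r_status, r_len = replayed
    if o_status != r_status:
        return "Different"
    if abs(o_len - r_len) <= max(8, int(o_len * tolerance)):
        return "Same"
    return "Similar"


def build_matrix(observations, roles=ROLES):
    """Return one row per request: Method, Path, Context and a verdict per role."""
    rows = []
    for obs in observations:
        row = {"Method": obs.method, "Path": obs.path, "Context": obs.context}
        for role in roles:
            if role == obs.context:
                row[role] = "N/A"           # the original request already ran as this role
            elif role in obs.replayed:
                row[role] = classify(obs.original, obs.replayed[role])
            else:
                row[role] = "?"             # not replayed under this role
        rows.append(row)
    return rows


def to_csv(rows, roles=ROLES):
    """Serialise the matrix to CSV text, ready to paste into a report."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["Method", "Path", "Context", *roles])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def suspicious(rows, roles=ROLES):
    """Cells where a less privileged role got the same response as the crawl context."""
    rank = {r: i for i, r in enumerate(roles)}  # lower index = more privileged
    hits = []
    for row in rows:
        for role in roles:
            if row[role] == "Same" and rank[role] > rank[row["Context"]]:
                hits.append((row["Method"], row["Path"], row["Context"], role))
    return hits


# Constructed sample data (not captured from any real application).
SAMPLE = [
    Observation("Admin", "GET", "/api/admin/users", (200, 1024),
                {"Operator": (403, 55), "User": (403, 55)}),
    Observation("Admin", "DELETE", "/api/admin/users/42", (204, 0),
                {"Operator": (204, 0), "User": (403, 55)}),    # Operator succeeds: vertical escalation
    Observation("Operator", "GET", "/api/jobs", (200, 3000),
                {"Admin": (200, 3010), "User": (200, 420)}),    # User gets a trimmed list: "Similar"
    Observation("User", "GET", "/api/profile", (200, 300),
                {"Admin": (200, 300), "Operator": (200, 300)}),
]

if __name__ == "__main__":
    matrix = build_matrix(SAMPLE)
    print(to_csv(matrix))
    for hit in suspicious(matrix):
        print("review:", hit)
```

The `suspicious` pass is the privilege escalation check the request above asks for: a "Same" verdict is only interesting when the replaying role ranks below the crawl context, so a User-context request that an Admin can also fetch is not flagged. The length-based heuristic is deliberately crude; a real comparison should also look at the response body.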

@simioni87
Owner

Maybe I do not understand the use case, but I am still sure that you are able to do exactly the same stuff with the current implementation. In addition to the possibility to set a specific session to pause, you are able to check "Filter Requests with same Header(s)". This means that if you are navigating through the web app, the requests are not repeated if, for instance, the same session cookie is set.

The Drop Original Request function really does drop the original request. If this feature is activated, the web app will of course not work as expected, because all your requests will be dropped. Furthermore, there is no possibility to compare the original response with the repeated one, because you don't have an original response... Activating this feature for general purposes would mean that the Auth Analyzer cannot be used as intended at all.

Please let me know if there is a misunderstanding on my side.

@aress31
Author

aress31 commented Feb 2, 2021

Thanks so much for this explanation; this could indeed work, I need to test that!

Btw, the extension is getting better and better. I would say some UI tweaks/improvements are much needed, see the buttons on the left and right side and the alignment of the different sections:

[image]

A few ideas for UI improvements (I am not a designer, so take these with a pinch of salt):

  • There are a lot of Excludes (Filetypes, Path, Status Code, etc.); maybe there could be a more elegant way of displaying these options, maybe two input fields with type (Filetype, Path, etc.) and value, or a drop-down menu, or whatever is best for UX, rather than all these checkboxes.
  • And a few Only in (Proxy Traffic and in Scope); in a similar fashion to the point above, there could be an Include section with the above recommendations.
  • Making all the buttons the same size with centred text and leaving some bottom margin between each button.
  • Could maybe add some colour to important buttons (the orange #D86633 used by Burp would be nice) to emphasise important buttons/actions.
  • The Pause button could be put just below Analyzer Running/Stopped and relabelled as Pause Analyzer/Resume Analyzer; the other button could be relabelled as Start Analyzer/Stop Analyzer.
  • If all these configuration options don't fit in the single view, you could have multiple tabs applying only to the top section of the UI (meaning that the table and requests at the bottom would always be visible); they could be called Session and Configuration tabs.
  • There is too much padding around the view; for a small laptop screen (like my tiny fifteen-inch screen) that's some pixel real estate lost. Consider dividing the current value by 2 or 3.
  • NA should be N/A

[image]

  • For the above, consider putting a vertical divider between the options on the left and right, or else centre everything with a left/right margin, or equally distribute the items across the available width (whatever looks better).
  • Also, not sure if it is a bug, but Sync Tabs does not seem to work for me.

For some new feature ideas, you could:

  • Add a filter field on the table to search by keyword for specific host, endpoints, etc. That would cause the table to refresh and show only matching rows.

Also, some side questions whilst I am on it:

  • What is the difference between Only in Scope and Restrict to Scope? If it is to set a custom scope, what will happen if Only in Scope is already checked?
  • I don't understand the use case for Drop Original Request if it causes all these side effects; could you kindly explain to me when I would need something like that?

Once again, I cannot stress enough how amazing this extension is; it really streamlined my methodology for horizontal/vertical privilege escalation assessments, and that is why I think it is important to really make it good and pleasing to the eye, because I know that personally I will use it quite a lot once I get more accustomed to it. 😁

Note: You could take inspiration from Autorize for the config UI, with its system of tabs.

[image]

@simioni87
Owner

Sync Tabs
Activating Sync Tabs will auto change Request / Response Tab on the two Comparison Views.

Only in Scope vs. Restrict To Scope
Only In Scope: only process Requests which are in the defined Proxy Scope.
Restrict To Scope: Restricts one specific session to a Scope / Path. The Request will be processed but not repeated.

Drop Original Requests
Can be used for testing idempotent Operations (e.g., a DELETE API call).

For your inputs about the UI: some of them I can take into consideration, with others I do not agree. To be honest, the Autorize UI is in many parts pretty confusing from my point of view. For instance, having a configuration tab and a session tab (two completely dissimilar components) would absolutely confuse me. Or splitting the global filters into different UI components (they are all used for similar stuff) is not intuitive from my point of view and would take more time to handle.
It took me some effort to create a GUI which is as easily understandable as possible. Despite a considerable number of functions, the GUI is not overloaded with buttons, labels and other stuff. And almost each component is explained with a tooltip. Currently unusable buttons and checkboxes are disabled, and each view component can be resized to a preferred size.

@aress31
Author

aress31 commented Feb 3, 2021

These are just some suggestions to take or leave ☺️.

And I confused "Sync Tabs" with "Sync Scroll", maybe worth implementing?

@simioni87
Owner

Since the Burp IMessageEditor is in use, unfortunately there is no direct access to the scroll pane inside the component...

@aress31
Author

aress31 commented Feb 3, 2021

The good auld Burp API, they should export more functions. Anyway, thanks a lot for your replies, and I am looking forward to seeing some UI tweaks. I will also check the method you described above of pausing a session.

Note: Pausing my current crawling session does indeed do the work by displaying NA (btw, that should be N/A) and allows me to identify under which user context I performed the crawling with a quick look at the results table. However, when ticking "Filter requests with same header(s)", there is nothing that allows me to identify under which user the crawling was performed.

@simioni87
Owner

simioni87 commented Feb 4, 2021

I know that it should be called N/A. I am not able to use a slash in the enum, and I just use the toString method of the enum (sometimes humans are lazy).
About the "Filter Requests with same Header(s)":
Selecting this will not repeat a request in a session if the original request has exactly the same header(s).
Header of Session1
Cookie: session=xxx
Header of Session2
Cookie: session=yyy

I have sent two requests:
First request with header Cookie: session=xxx and second request with header Cookie: session=yyy. This is what I get in my table:
[image]

Note: The header must occur in the exact same way. If you send a request with Cookie: session=xxx; anythingelse=lorem the request would not be filtered...

Hope that helps

@aress31
Author

aress31 commented Feb 4, 2021

Thanks for the example! However, I am not able to reproduce this behaviour; the session is set with an "Authentication Bearer" token, not sure if this use case is covered in your code.

Also, I know that the Burp API has helpers to extract and process cookies/headers. Might be worth looking at that - if not already implemented - so that even cookies/headers not occurring in the exact same way would yield the described behaviour.

@simioni87
Owner

simioni87 commented Feb 4, 2021

The content of the header does not matter. It just must be exactly the same string. And if several headers are declared in your session, all headers must occur in the exact same way.

Cookie extraction replacement is in use at the parameter function. This is not suitable for the "Filter Request with same Header" use case from my point of view.
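To make the rule from the two maintainer replies above concrete, here is an added re-implementation of the "Filter Requests with same Header(s)" behaviour as described in the thread: a session's replay is skipped only when every header declared for that session occurs in the original request as the exact same string, whether it is a Cookie or an Authorization: Bearer header. This is example code, not Auth Analyzer's source; the function names, session definitions and raw requests are constructed for illustration.

```python
"""
Added example (not Auth Analyzer's own code): the "Filter Requests with
same Header(s)" rule as the maintainer describes it. A session is filtered
(not replayed) when every header declared for the session is present in the
original request as the exact same string. Header values are opaque, so a
Cookie and an Authorization: Bearer header are treated alike. All names and
sample requests below are assumptions constructed for this example.
"""


def parse_headers(raw_request: str):
    """Return the header lines of a raw HTTP/1.1 request (request line dropped)."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    return head.split("\r\n")[1:]


def session_matches_exactly(session_headers, request_headers):
    """True when every session header appears verbatim (case- and whitespace-sensitive)."""
    present = set(request_headers)
    return all(h in present for h in session_headers)


def sessions_to_repeat(sessions, raw_request, filter_same_headers=True):
    """Names of the sessions whose replay should be performed for this request."""
    req_headers = parse_headers(raw_request)
    result = []
    for name, headers in sessions.items():
        if filter_same_headers and session_matches_exactly(headers, req_headers):
            continue  # original already ran under this session -> table shows N/A
        result.append(name)
    return result


# Constructed session definitions (not real credentials).
SESSIONS = {
    "Session1": ["Cookie: session=xxx"],
    "Session2": ["Cookie: session=yyy"],
    "Session3": ["Authorization: Bearer eyJhbGciOi.constructed.token",
                 "X-Tenant: acme"],          # several headers: all must match
}

# Constructed raw requests.
REQ_XXX = ("GET /api/me HTTP/1.1\r\nHost: example.test\r\n"
           "Cookie: session=xxx\r\n\r\n")
REQ_XXX_EXTRA = ("GET /api/me HTTP/1.1\r\nHost: example.test\r\n"
                 "Cookie: session=xxx; anythingelse=lorem\r\n\r\n")   # not exact -> not filtered
REQ_BEARER = ("GET /api/me HTTP/1.1\r\nHost: example.test\r\n"
              "Authorization: Bearer eyJhbGciOi.constructed.token\r\n"
              "X-Tenant: acme\r\n\r\n")
REQ_BEARER_PARTIAL = ("GET /api/me HTTP/1.1\r\nHost: example.test\r\n"
                      "Authorization: Bearer eyJhbGciOi.constructed.token\r\n\r\n")  # X-Tenant missing

if __name__ == "__main__":
    for label, req in [("xxx", REQ_XXX), ("xxx+extra", REQ_XXX_EXTRA),
                       ("bearer", REQ_BEARER), ("bearer-partial", REQ_BEARER_PARTIAL)]:
        print(label, "->", sessions_to_repeat(SESSIONS, req))
```

The comparison is deliberately a plain string match, which is what the thread describes: `Cookie: session=xxx; anythingelse=lorem` does not filter Session1, and Session3 is only filtered when both its headers are present. A browser that appends extra cookies, or a proxy that changes header case, will therefore defeat the filter; that is the caveat to keep in mind when the results table does not show the N/A you expected.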

@aress31
Author

aress31 commented Feb 18, 2021

@simioni87 just wondering what the status is for the UI refinements? 🙃

@simioni87
Owner

Hi aress31,
I did a few GUI changes with the latest release (1.1.5).
Have Fun!

@aress31
Author

aress31 commented Feb 21, 2021

Thanks so much @simioni87, amazing job as always! I just reviewed this new release and I still have a few comments (take or leave 😀):

  • Harmonise the case (Same, Similar, Different):
    [image]
  • You could consider moving Analyzer Stopped and Drop Original Requests just under the Filters options, so that the config UI would be only three columns rather than four:
    [image]
  • Leave a bit of space between Analyzer Stopped and the pause icon.
  • Could colour the New Session button with the orange (CB5927) used throughout Burp Suite to emphasise it a bit.
    [image]
  • Left-align the column headers:
    [image]

This is all I can think of at the minute, but the UI does look better already 😁

PS: Also, the bottom-margin value in:
[image]

should be identical to:
[image]

And the bottom margin between New Session, Clone Session, Rename Session, Remove Session and Export Setup, Import Setup looks way too large; I reckon 2x or 4x the normal bottom-margin value (in order to mark a clear divide) could be more visually pleasing:
[image]

aress31 changed the title from "Request for Feature" to "UI Tweaks" on Feb 21, 2021
@simioni87
Owner

simioni87 commented Feb 23, 2021

The rest will be left as it is, since almost each component has a well-thought-out reason for being in its place in the manner it is. Nevertheless, thanks for your inputs and have fun!

simioni87 pushed a commit that referenced this issue Apr 26, 2022