Releases: WuliRuler/AutorizePro

AutorizePro V1.4 is released 🎉

08 Dec 13:28
7ebc18c

V1.4 update notes

  • Bug fixes
  • Removed the AI-based public-interface filtering logic; this accepts more false positives in exchange for fewer false negatives
  • Added support for replacing path segments in the URI: for example, for https://xxxx.com/aaa the replacement rule syntax is path:aaa=bbb, and the replayed request becomes https://xxxx.com/bbb
  • Improved the parameter-replacement authorization check: in parameter-replacement test mode, a request in which no parameter was replaced (meaning the two requests are identical) is returned as enforced directly; only pairs in which the two requests differ proceed to the next analysis and comparison step (this also indirectly excludes public interfaces)
  • Removed the rule that a bypass requires equal status codes: any status code in the 200/30x list is treated as normal, and the response comparison then proceeds as usual (this avoids missing 3xx responses)

📌 Please keep sharing your experience via issue / email so we can keep improving the tool together


V1.4 Update Notes

  • bug fixes
  • Removed the AI-based public interface filtering logic. This change increases false positives in exchange for reduced false negatives.
  • Added support for replacing paths in URIs: For example, https://xxxx.com/aaa with the replacement rule syntax path:aaa=bbb will result in the replayed request being https://xxxx.com/bbb.
  • Enhanced parameter replacement authorization logic: When parameter replacement testing is enabled, requests that are identical (no parameter changes) are immediately marked as "enforced". Only requests with changes proceed to the next analysis and comparison step. (This also indirectly excludes public interfaces.)
  • Removed the requirement that a bypass have identical status codes. Any status code within the 200 or 30x range is now treated as normal and proceeds to the subsequent response comparison. This avoids missing 3xx responses.

📌 We welcome continued feedback on your experience via issues or email, let’s work together to continuously optimize the tool
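The V1.4 replay rules above (the path replacement rule, the "unchanged request is enforced" short circuit, and the 200/30x status list) in working form, as an added example that is not AutorizePro's own code. The function names, the request/response shape, the verdict labels and the concrete 30x codes are assumptions made for this illustration; the sample URLs and statuses are constructed.

```python
"""Illustration of the V1.4 replay rules described in the release notes.

Added example, not AutorizePro's own code: the function names, the exact
members of the "200, 30x" list and the verdict labels are assumptions.
"""
from urllib.parse import urlsplit, urlunsplit

# Status codes treated as a "normal" response. The release note says
# "200, 30x"; the concrete redirect codes listed here are an assumption.
NORMAL_STATUS = {200, 301, 302, 303, 307, 308}


def parse_rule(rule):
    """Split a replacement rule such as 'path:aaa=bbb' into (scope, old, new)."""
    scope, colon, mapping = rule.partition(":")
    old, equals, new = mapping.partition("=")
    if not (colon and equals and scope and old):
        raise ValueError("malformed replacement rule: %r" % rule)
    return scope, old, new


def apply_rules(url, rules):
    """Rewrite URL path segments according to path:old=new rules.

    Assumption: a rule matches whole path segments, so path:aaa=bbb turns
    https://xxxx.com/aaa into https://xxxx.com/bbb but leaves /aaa-x alone.
    Rules with any other scope are ignored by this example.
    """
    parts = urlsplit(url)
    segments = parts.path.split("/")
    for rule in rules:
        scope, old, new = parse_rule(rule)
        if scope != "path":
            continue
        segments = [new if seg == old else seg for seg in segments]
    return urlunsplit(parts._replace(path="/".join(segments)))


def classify(original_url, replayed_url, replayed_status):
    """Decide what happens to one original/replayed pair.

    Returns "enforced" when the pair can be settled without looking at the
    body, or "compare" when the response comparison (and AI analysis) runs next.
    """
    # V1.4: if no replacement happened the two requests are identical, so
    # there is nothing to compare; report enforced immediately.
    if replayed_url == original_url:
        return "enforced"
    # A status outside the normal list means the server refused the
    # replayed request: enforced.
    if replayed_status not in NORMAL_STATUS:
        return "enforced"
    # 200 or 30x: hand the pair to the response comparison step. A 302 is
    # no longer discarded just because the original returned 200.
    return "compare"


def run_demo():
    """Run the rules over constructed sample traffic and return the verdicts."""
    rules = ["path:aaa=bbb"]
    # Constructed sample data: (label, original URL, status of the replayed request)
    samples = [
        ("replaced, 200", "https://xxxx.com/aaa", 200),
        ("replaced, 302 redirect", "https://xxxx.com/api/aaa/detail?id=1", 302),
        ("replaced, 403 denied", "https://xxxx.com/aaa", 403),
        ("no rule matched", "https://xxxx.com/ccc", 200),
    ]
    results = {}
    for label, url, status in samples:
        replayed = apply_rules(url, rules)
        results[label] = (replayed, classify(url, replayed, status))
    return results


if __name__ == "__main__":
    for label, (url, verdict) in run_demo().items():
        print("%-24s -> %-42s %s" % (label, url, verdict))
```

The "no rule matched" case is the one the V1.4 note singles out: the replayed URL equals the original, so the pair is reported as enforced without any response comparison, which is also what keeps public interfaces out of the results.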

AutorizePro V1.3 is released 🎉

02 Dec 03:41
56a7adf

V1.3 release notes

  • Added support for testing authorization bypass via parameter replacement (i.e. requesting different resources with the same cookie)
  • Added AI analysis for the parameter-replacement test mode; results are likewise shown in the AI.Analyzer column
  • Added support for several mainstream models; users only need to select a model and enter the corresponding API key
  • Improved the model's authorization-analysis prompt based on historical bad cases
  • Added friendly (JSON) log output for AI analysis, viewable in the console of the extension installation tab or saved to a specified file (this also makes it easier to report the details of specific bad cases so analysis accuracy can be improved)

📌 Please keep sharing your experience via issue / email


V1.3 Release Notes

  • Added support for testing authorization bypass through parameter substitution (using the same cookie).
  • Integrated AI analysis for parameter-based authorization bypass testing, with results displayed in the AI Analyzer column.
  • Added support for multiple mainstream AI models. Users only need to select a model and provide the corresponding API key to use.
  • Optimized the model's authorization bypass analysis prompts based on historical bad cases.
  • Added log printing in a user-friendly format (JSON) for AI analysis, which can be viewed in the console of the plug-in installation tab or saved to a specified file. (This makes it convenient for users to provide detailed feedback on specific issues, helping to improve the accuracy of the analysis.)

📌 Feel free to share your feedback via issue/email about your experience!

AutorizePro V1.2 is released 🎉

18 Nov 11:24

V1.2 release notes

  • Optimized the unauthorized-access and authorization-bypass detection logic based on historical user feedback
  • The vertical split divider in the configuration tab can now be moved freely for easier viewing
  • Buttons in the configuration tab are now all placed at the bottom
  • Added vertical and horizontal scrollbars to text boxes for easier viewing and editing
  • Table Filter (the status filter bar) gains a filter option for the AI analysis result column

📌 Please keep sharing your experience via issue / email


V1.2 Release Notes

  • Optimized unauthorized detection and privilege escalation logic based on historical user feedback
  • The separator in the configuration interface can now be adjusted freely to improve configuration display
  • Buttons in the configuration interface have been unified and moved to the bottom
  • Added vertical and horizontal scrollbars to text boxes for easier viewing and editing
  • Table Filter (Status Filter Bar) now supports status filtering for the AI analysis result column

📌 Feel free to continue providing your feedback via issue/email

AutorizePro V1.1 is released 🎉

03 Nov 16:06

V1.1 update notes

  • AI analysis module:
    • Analyzes all interfaces with JSON responses (excluding those whose status codes differ) 🛒
    • Upgraded from analyzing only the response to 📈 comprehensive analysis of request URL features, request body features and the complete response
    • Further refined the response analysis flow based on historical feedback ❤️‍🔥
  • Fixed some other issues

Results

  • With public interfaces excluded, the share of results requiring manual analysis drops a further 60% from the previous version
  • With the AI module's analysis flow upgraded based on historical feedback, accuracy improves further, to 90%
  • In the end you only need to spend a little effort on the interfaces the AI flags as having authorization issues, and can put more energy into finding new interfaces!

📌 Please keep sharing your experience via issue / email


V1.1 Update Notes

  • AI Analysis Module:
    • Analyzed all JSON response interfaces 🛒
    • Upgraded from only analyzing interface responses to: 📈 comprehensive analysis of request URL features, request body features, and complete responses
    • Further optimized the response analysis process in combination with historical feedback ❤️‍🔥
  • Fixed some other issues

Effect Upgrade

  • Excluding public interfaces, the proportion requiring manual analysis is further reduced by 60% from the previous version
  • Combined with historical feedback to upgrade the AI module analysis process, the accuracy rate is further improved, to 90%
  • Ultimately, you only need to spend minimal effort on interfaces flagged by AI for potential authorization issues, allowing you to focus more on discovering new interfaces!

📌 Feel free to continue providing feedback on your usage through issues or email.

AutorizePro V1.0 is released 🎉

22 Oct 15:42
e50f300

Key features:

  • Automated authorization testing: the tool automatically performs authorization-bypass and unauthorized-access checks; users only need to supply the low-privilege authentication header for the target site.
  • AI analysis module: when enabled, the AI analyzes the differences between the two responses and returns an authorization verdict, which addresses the problem that rules alone cannot cover the many forms an authorization flaw takes and reduces the tool's original false-positive rate by more than 90%.
  • Configurable interception targets: custom filters let the extension focus authorization testing on specific HTTP requests and responses, reducing unnecessary noise.
  • Configurable authorization fingerprints: custom response signatures that indicate an enforced check make it easier to tell authenticated interfaces apart.
  • User-friendly interface: a simple configuration and results page inside Burp Suite shows the authorization-bypass test, unauthorized-access test and AI verdict for each request, with colours distinguishing result states so results are clear at a glance.

Installation & usage:

For detailed installation and usage instructions, see the README file.

Known issues:

  • This version has passed repeated local testing and has no major known issues. If you encounter a bug or have a suggestion, please report it on GitHub Issues.

Thank you for using [ 📌 AutorizePro ]! We look forward to your feedback, contributions and praise.


Key Features:

  • Automated Authorization Bypass Detection: The tool automatically performs privilege escalation and unauthorized access detection. Users only need to replace the authentication header with one of a lower-privilege account for the target site.
  • AI Analysis Module: When enabled, AI analyzes the differences in request responses to provide more accurate authorization bypass judgments, reducing false positives by over 95%.
  • Support for Configurable Filters: Users can define custom filters to focus the plugin on specific HTTP requests and responses, reducing unnecessary noise in the detection process.
  • Customizable Authorization Fingerprints: Supports custom configuration of response signatures indicating authorized access, making it easier to identify authenticated interfaces.
  • User-Friendly Interface: Provides a simple configuration and result display page within Burp Suite, allowing users to view privilege escalation tests, unauthorized access tests, and AI-based assessments. Different colors highlight the status of detection results for quick and easy reference.

Installation & Usage:

For detailed installation and usage instructions, please refer to the README file.

Known Issues:

  • This version has no major known issues. If you encounter any bugs or have suggestions, please report them on GitHub Issues.

Thank you for using [ 📌 AutorizePro ]! We look forward to your feedback, contributions, and support.