Finding authorization issues with Autorize
- Log in to the target application as a low-privileged (or unprivileged) user.
- Open the Autorize tab in Burp; keep the extension off while you configure it.
- Click Configuration.
- Click "Fetch cookies from last request" so Autorize captures the low-privileged user's session cookies; these are what it attaches to every request it replays.
- Open an incognito window in your browser.
- Log in as a higher-privileged user.
- Click the "Autorize is off" button to turn it on.
- Visit various areas of the site, focusing on sensitive areas that require a privileged account and on actions a lower-privileged user should not be able to perform. Autorize replays each request the privileged session makes with the low-privileged cookies and compares the two responses.
- Frown at the results until you find something interesting: a privileged request that succeeds just the same when replayed with the low-privileged session.
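As an added example (not code from the original note or from the Autorize extension), this stand-alone Python simulation shows the comparison Autorize performs once it holds the low-privileged cookies: each request the privileged session makes is replayed with the low-privileged cookie, and the replayed response is classified against the privileged one. The in-memory application, the session store, the recorded traffic and the "access denied" enforcement rule are all constructed assumptions.

```python
# Constructed simulation of Autorize's replay-and-compare check.
# The application, sessions and recorded requests below are made up
# for the example; they do not come from any real site or from Autorize.
from dataclasses import dataclass

# Constructed session store: cookie value -> role of the logged-in user.
SESSIONS = {"sess-low": "user", "sess-high": "admin"}


def app(method: str, path: str, cookie: str) -> tuple[int, str]:
    """Toy application: one admin route enforces the role check, one forgets it."""
    role = SESSIONS.get(cookie)
    if role is None:
        return 401, "login required"
    if path == "/admin/users" and role != "admin":
        return 403, "access denied"            # authorization enforced correctly
    if path == "/admin/export":                # missing role check: the bug Autorize surfaces
        return 200, "export of all users"
    if path == "/profile":
        return 200, f"profile for {role}"
    return 404, "not found"


@dataclass
class Verdict:
    path: str
    status: str  # "Bypassed", "Enforced" or "Is enforced?"


def classify(privileged: tuple[int, str], replayed: tuple[int, str]) -> str:
    """Enforcement detector (assumed rule): what marks a replay as denied."""
    if replayed[0] in (401, 403) or "access denied" in replayed[1]:
        return "Enforced"                      # low-priv replay was refused
    if replayed == privileged:
        return "Bypassed"                      # same response: no check in place
    return "Is enforced?"                      # differs, but not clearly denied


def autorize(recorded, low_cookie):
    """Replay every privileged request with the low-privileged cookie."""
    verdicts = []
    for method, path, high_cookie in recorded:
        high = app(method, path, high_cookie)
        low = app(method, path, low_cookie)    # same request, cookie swapped
        verdicts.append(Verdict(path, classify(high, low)))
    return verdicts


# Constructed traffic from the privileged (incognito) browser session.
RECORDED = [("GET", "/profile", "sess-high"),
            ("GET", "/admin/users", "sess-high"),
            ("GET", "/admin/export", "sess-high")]

if __name__ == "__main__":
    for v in autorize(RECORDED, "sess-low"):
        print(f"{v.status:12} {v.path}")
```

Only the /admin/export row comes back as Bypassed; that is the row worth frowning at.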