Testing Role-based Access Controls with Burp Compare Site Maps

When testing a web application with multiple roles, a common testing method is to access a resource with a privileged role, such as accessing http://example.com/admin/userlist.php as an administrator, and then trying to access the same resource as a non-privileged user.

For a large site with multiple roles this can be quite cumbersome. Luckily, Burp has a feature called Compare Site Maps which automates these tests. Basically, this function compares two site maps and highlights the differences. Some typical use-cases for this functionality are:

  • You can map the application using accounts with different privilege levels, and compare the results to identify functionality that is visible to one user but not the other.
  • You can map the application using a high-privileged account, and then re-request the entire site map using a low-privileged account, to identify whether access to privileged functions is properly controlled.
  • You can map the application using two different accounts of the same type, to identify cases where user-specific identifiers are used to access sensitive resources, and determine whether per-user data is properly segregated.

Burp explains this feature at https://portswigger.net/burp/help/target_sitemap_comparingmaps.html, but I’ll give a little detail about the subtle tweak you need to do to get this to work in some cases. First, you need to change your edit your cookie jar session handling rules to allow the Target to use the cookies in the cookie jar.

burp_comp_site_maps

My preferred way to use this feature is:

  1. Browse the entire application with a high privileged user, save the state, log out, restart Burp, and then login as a user with a different role.
  2. Right-click the target site in the Target tab and select Compare site maps. For Site Map 1, select Load from Burp state file, and load the previous state file.
  3. Load the in-scope items, and then it will ask you for the Site Map 2. For Site Map 2, select Request map 1 again in a different session context (configured in Options / Sessions).
  4. Select the defaults for the remaining screens unless you see something specific you want to change.

Burp will then compare the two site maps and highlight the differences. This makes it easier to just review any of the URLs that should be protected with access controls and review the responses. For example, the admin user might see a 200 OK when accessing http://example.com/admin/userlist.php, where the normal_user should see a 403 or something similar. But if normal_user receives 200 OK, you can take a look at the response to see if access was granted to an unauthorized user.

This feature provides two main benefits:

  1. It greatly speeds up the role-based testing process.
  2. The Burp Scanner (or any vulnerability scanner) will not catch these issues. This is huge, because finding vulnerabilities that stem from this type of analysis are why clients hire us instead of just buying a vulnerability scanner.

 

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *