### Install AutorizePro Plugin Source: https://github.com/wuliruler/autorizepro/blob/master/README.md A guide on how to install the AutorizePro plugin into Burp Suite. It involves downloading the plugin, selecting 'python' as the extension type, and specifying the path to the AutorizePro.py file. ```English 1. Download the latest release zip package of the code repository and extract it. 2. Open Burp Suite, navigate to Extender -> Extensions -> Add. 3. In the Extension Type selection box, choose 'python'. 4. In the Extension file selection box, choose the path to the AutorizePro.py file in the code repository (Note: the path cannot contain Chinese characters, otherwise the installation will fail). ``` -------------------------------- ### Install Jython for Burp Suite Source: https://github.com/wuliruler/autorizepro/blob/master/README.md This section details the steps to download Burp Suite and the Jython standalone JAR file, which is necessary for configuring Burp Suite's Python environment to run Python-based extensions like AutorizePro. ```English 1. Download Burp Suite: https://portswigger.net/burp/releases 2. Download Jython standalone JAR file: https://www.jython.org/download.html ``` -------------------------------- ### Install Jython for Burp Suite Source: https://github.com/wuliruler/autorizepro/blob/master/README_en.md This section details the steps to download Burp Suite and the Jython standalone JAR file, which is a prerequisite for configuring Burp Suite's Python environment for the AutorizePro plugin. ```Shell 1. Download Burp Suite: https://portswigger.net/burp/releases 2. Download the Jython standalone JAR file: https://www.jython.org/download.html ``` -------------------------------- ### Install AutorizePro Plugin Source: https://github.com/wuliruler/autorizepro/blob/master/README_en.md Steps to install the AutorizePro plugin into Burp Suite by adding the Python script file via the Extender interface. ```Shell 1. Download the latest release ZIP package from the code repository, extract it locally. 2. Open Burp Suite, navigate to Extender -> Extensions -> Add. 3. In the Extension Type dropdown, select python. 4. In the Extension File field, choose the path to the `AutorizePro.py` file from the repository. ``` -------------------------------- ### Configure Burp Suite Python Environment Source: https://github.com/wuliruler/autorizepro/blob/master/README.md Instructions on how to set up the Python environment within Burp Suite by selecting the downloaded Jython standalone JAR file. This is a prerequisite for loading Python extensions. ```English 1. Open Burp Suite 2. Navigate to Extender -> Options 3. In the Python Environment section, click Select File 4. Select the Jython standalone JAR file (e.g., jython 2.7.3) ``` -------------------------------- ### AutorizePro Plugin Usage - Configuration Source: https://github.com/wuliruler/autorizepro/blob/master/README.md Steps for configuring the AutorizePro plugin, including inserting authentication headers, enabling/disabling unauthenticated checks, and enabling AI analysis by selecting a model and providing an API key. ```English 1. Open the configuration tab: Click AutorizePro -> Configuration. 2. Copy the second account authentication header into the text box labeled 'Insert injected header here'. If the request already contains this header, the plugin will replace it; otherwise, it will add a new one. 3. If you do not need to test for unauthorized access (i.e., requests without any cookies), you can uncheck 'Check unauthenticated' (unauthorized detection is enabled by default). 4. Select the model, fill in the corresponding API Key, and then check the checkbox to enable AI analysis. The results will be displayed in the left-side AI. Analyzer column. 5. Click the 'AutorizePro is off' button to enable the plugin and start testing. ``` -------------------------------- ### Configure AutorizePro Plugin Settings Source: https://github.com/wuliruler/autorizepro/blob/master/README_en.md Guidance on configuring the AutorizePro plugin, including pasting authorization headers, managing unauthenticated testing, and enabling AI analysis with API keys. ```Shell 1. Open the configuration tab: click AutorizePro -> Configuration. 2. Paste the second account’s authorization header into the textbox labeled “Insert injected header here”. Note: If the header already exists in the request, it will be replaced; otherwise, it will be added as a new header. 3. If you do not want to perform unauthenticated testing (i.e., requests without any cookies), uncheck Check unauthenticated (enabled by default). 4. Select an AI model and enter the corresponding API Key. Then, check the checkbox to enable AI Analysis. Results will appear in the left-side AI. Analyzer column. 5. Click the AutorizePro is off button to enable the plugin and start testing. ``` -------------------------------- ### Configure Burp Suite Python Environment Source: https://github.com/wuliruler/autorizepro/blob/master/README_en.md Instructions on how to configure Burp Suite's Extender options to use the downloaded Jython JAR file, enabling Python-based extensions like AutorizePro. ```Java 1. Open Burp Suite. 2. Navigate to Extender -> Options. 3. In the Python Environment section, click Select File. 4. Choose the Jython standalone JAR file you just downloaded (This project tests the env is: jython 2.7.3, burp suite 2024.11(The built-in java version is java22)). ``` -------------------------------- ### AutorizePro Plugin Usage - AI Analysis Cost Source: https://github.com/wuliruler/autorizepro/blob/master/README.md Information regarding the cost implications of using the AI analysis feature. It outlines the conditions under which AI analysis is performed (status code equality, JSON response, response length) and advises on configuring interception filters to manage costs. ```English AI analysis is only performed on packets with equal status codes, JSON responses, and response lengths between 50-6000 characters. Configure interception filters in Interception Filters to specify target sites or requests with specific characteristics to avoid unnecessary AI analysis costs. Support for multiple AI model providers: obtain API keys from providers like Alibaba Cloud and configure them in the plugin. ``` -------------------------------- ### AutorizePro Interception Filters Configuration Source: https://github.com/wuliruler/autorizepro/blob/master/README.md Guidance on configuring interception filters to control which requests AutorizePro intercepts. This includes using blacklists, whitelists, regular expressions, or Burp's scope to refine the analysis scope and avoid unnecessary processing. ```English Configure interception rules in Interception Filters to specify which domains or requests with specific characteristics the plugin should intercept. Supports blacklists, whitelists, regular expressions, or items within Burp's scope to define the interception range. Security Tip: Due to cookie replacement and replaying, it is strongly recommended to specify target sites in Interception Filters to prevent cookie leakage to other sites. The tool ignores requests for static resources, HTML, and error responses by default. ``` -------------------------------- ### AutorizePro Detection Status Meanings Source: https://github.com/wuliruler/autorizepro/blob/master/README.md Explanation of the different detection status indicators used by AutorizePro: 'Bypassed!' (red) for detected authorization bypass, 'Enforced!' (green) for no detected bypass, and 'Is enforced???' for uncertain cases. ```English - Bypassed! (Red): Determined to be an authorization bypass. - Enforced! (Green): Determined that authorization bypass does not exist. - Is enforced???: Unable to determine. You can configure authorization characteristics in the enforcement detector/authenticated rules to assist in judgment. ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.