PortSwigger / BChecks

BChecks collection for Burp Suite Professional and Burp Suite Enterprise Edition
https://portswigger.net/burp/documentation/scanner/bchecks
GNU Lesser General Public License v3.0

Add files via upload #144

Closed viny666 closed 7 months ago

viny666 commented 8 months ago

This BCheck template helps the tester detect missing authorization in the application or APIs.

Note: The tester has to provide the "Low Privileged Access Token" in the BCheck script.

Michelle-PortSwigger commented 7 months ago

Hi

Thanks for sending your BCheck.

While we can see that this could be a really powerful and useful check, we feel that there is a risk of a high number of false positives from it on many sites, so unfortunately it isn't completely suitable for inclusion in the repo where users may bulk download and run BChecks.

There is also a risk that people may download this BCheck and not realize they need to add a token for the low-privileged user. We do want to thank you though, as this is sparking a few ideas here and we'll be having some further discussions to work out how we can take the idea of customizable templates further, so people can easily identify ones that need to be customized when creating and sharing BChecks.

viny666 commented 7 months ago

No problem. If you need my help customizing my template in the future, please reach out to me.

Michelle-PortSwigger commented 7 months ago

Thank you, we will :)