Quitten / Autorize

Automatic authorization enforcement detection extension for Burp Suite, written in Jython and developed by Barak Tawily to ease the work of application security people and allow them to perform automatic authorization tests.

[Feature] Match Response Header in Interception Filters #97

Closed. tarunKoyalwar closed this 2 years ago

tarunKoyalwar commented 2 years ago

Hi,

Currently Autorize does not have an interception filter that makes it possible to match certain headers in the response. Currently I am working on a program which responds with a lot of HTML pages, and any sensitive response returned by the server is usually a JSON response.

It would be great if Autorize could intercept if the Content-Type of the response is application/json.

terminalJunki3 commented 2 years ago

Hey @tarunKoyalwar, any chance you can add an example with a couple images to help highlight your use case? That will help with the development process. Thanks!

tarunKoyalwar commented 2 years ago

As per my knowledge, whether a request should be ignored by Autorize or should be checked for IDOR depends on the given interception filters.

(screenshot: the Interception Filters menu)

Autorize does not have any interception filter option which matches response headers, something like "Matches Response Header".

From my bug hunting experience I can tell that usually any user information, operation, GraphQL or other useful information is returned in JSON, and usually IDOR exists in similar cases.

Currently I have to use URL Contains and URL Not Contains in regex mode to filter unnecessary requests from Autorize, and I have to change these for each project.

If a new option "Matches Response Header" is added to Interception Filters, matching a header like Content-Type: application/json would prevent pointless requests being sent to Autorize and reduce traffic.

Please let me know if you need any other information @terminalJunki3 @Quitten

terminalJunki3 commented 2 years ago

@tarunKoyalwar great explanation and supplemental information. Looking into a solution.

terminalJunki3 commented 2 years ago

@tarunKoyalwar just submitted a pull request to update the filter names, but it looks like the functionality exists in the current code base. I'm not sure what version you are running, but if you pull this current project you should see something called "Header Contains" and "Header doesn't contain" in the interception filters. These are actually referring to the response headers, although it doesn't specify that, hence the submitted pull request.

Please let me know if this resolves your issue.

What it will look like: (screenshot of the renamed interception filters)
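As an added illustration (not Autorize's own code), the following Python model shows how interception filters of the kind discussed in this thread decide whether a response is handed on for authorization testing: "Header Contains" / "Header doesn't contain" are evaluated against the response headers, and every configured filter must pass. The filter kind names and the two sample responses are constructed for the example.

```python
import re

# Constructed sample responses (not captured traffic): JSON should be forwarded, HTML skipped.
JSON_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json; charset=utf-8\r\n"
    "\r\n"
    '{"id": 42, "email": "user@example.com"}'
)
HTML_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body>Welcome</body></html>"
)

def response_headers(raw_response):
    """Return [(name, value), ...] parsed from the head of a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers

def _matches(text, pattern, regex):
    """Case-insensitive substring match, or regex search when the filter is in regex mode."""
    if regex:
        return re.search(pattern, text, re.IGNORECASE) is not None
    return pattern.lower() in text.lower()

def should_forward(url, raw_response, filters):
    """Apply (kind, pattern, regex) filters; the header kinds test *response* headers."""
    header_lines = [f"{n}: {v}" for n, v in response_headers(raw_response)]
    for kind, pattern, regex in filters:
        if kind == "url_contains":
            ok = _matches(url, pattern, regex)
        elif kind == "url_not_contains":
            ok = not _matches(url, pattern, regex)
        elif kind == "header_contains":
            ok = any(_matches(h, pattern, regex) for h in header_lines)
        elif kind == "header_not_contains":
            ok = not any(_matches(h, pattern, regex) for h in header_lines)
        else:
            raise ValueError(f"unknown filter kind: {kind}")
        if not ok:
            return False        # the first failing filter drops the request
    return True
```

With a single `header_contains` filter on `Content-Type: application/json`, only the JSON response is forwarded, which is the per-project URL-regex juggling the issue wanted to avoid.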
tarunKoyalwar commented 2 years ago

Apologies, it looks like I was using the Autorize extension from the BApp Store. It is outdated!!