Closed tarunKoyalwar closed 2 years ago
Hey @tarunKoyalwar, any chance you can add an example with a couple images to help highlight your use case? That will help with the development process. Thanks!
As per my knowledge, whether a request should be ignored by Autorize or checked for IDOR depends on the given interception filters.
Autorize does not have any interception filter option which matches response headers, something like `Matches Response Header`.
From my bug hunting experience I can tell that usually any user information or operation, GraphQL or any other useful information is returned in JSON, and usually IDOR exists in similar cases.
Currently I have to use `URL Contains` and `URL Not Contains` in regex mode to filter unnecessary requests from Autorize, and I have to change these for each project.
If a new option `Matches Response Header` is added to the interception filters, matching a header like `Content-Type: application/json` would stop pointless requests from being sent to Autorize and reduce traffic.
Please let me know if you need any other information @terminalJunki3 @Quitten
@tarunKoyalwar great explanation and supplemental information. Looking into a solution.
@tarunKoyalwar just submitted a pull request to update the filter names, but it looks like the functionality exists in the current code base. I'm not sure what version you are running, but if you pull this current project you should see something called "Header Contains" and "Header doesn't contain" in the interception filters. These are actually referring to the response headers, although it doesn't specify that, hence the submitted pull request.
Please let me know if this resolves your issue.
What it will look like
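As an added illustration of the filter behaviour discussed above (this is example code written for this page, not Autorize's own implementation), the following standalone Python sketch evaluates a set of interception filters against a URL and a raw HTTP response. A `Header Contains` filter is matched against each response header line, so `Content-Type: application/json` lets JSON responses through while HTML pages are skipped. The filter kind names, the rule that every filter must pass (AND), and the two sample responses are assumptions made for this example.

```python
import re

# Constructed sample responses for this example (not captured traffic).
JSON_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json; charset=utf-8\r\n"
    "Cache-Control: no-store\r\n"
    "\r\n"
    '{"id": 42, "email": "user@example"}'
)
HTML_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body>profile</body></html>"
)


def parse_response_headers(raw_response):
    """Return the response headers as 'Name: value' lines (status line excluded)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return [line for line in head.split("\r\n")[1:] if line]


def _matches(text, pattern, regex):
    # Regex mode uses re.search; plain mode is a case-insensitive substring test.
    if regex:
        return re.search(pattern, text, re.IGNORECASE) is not None
    return pattern.lower() in text.lower()


def should_check(url, raw_response, filters):
    """Decide whether an Autorize-style authorization check should run.

    filters is a list of (kind, pattern, regex) tuples; kind is one of
    'url_contains', 'url_not_contains', 'header_contains', 'header_not_contains'.
    Assumption for this example: all filters must pass (AND), and header
    filters are tested against every response header line.
    """
    header_lines = parse_response_headers(raw_response)
    for kind, pattern, regex in filters:
        if kind == "url_contains":
            passed = _matches(url, pattern, regex)
        elif kind == "url_not_contains":
            passed = not _matches(url, pattern, regex)
        elif kind == "header_contains":
            passed = any(_matches(h, pattern, regex) for h in header_lines)
        elif kind == "header_not_contains":
            passed = not any(_matches(h, pattern, regex) for h in header_lines)
        else:
            raise ValueError("unknown filter kind: %s" % kind)
        if not passed:
            return False
    return True


# Only JSON responses, and never static assets, reach the IDOR check.
FILTERS = [
    ("header_contains", "Content-Type: application/json", False),
    ("url_not_contains", r"\.(js|css|png|woff2?)(\?|$)", True),
]

if __name__ == "__main__":
    print(should_check("https://app.example/api/users/42", JSON_RESPONSE, FILTERS))   # True
    print(should_check("https://app.example/profile", HTML_RESPONSE, FILTERS))        # False
    print(should_check("https://app.example/static/app.js", JSON_RESPONSE, FILTERS))  # False
```

The header filter is applied to the whole `Name: value` line rather than to a parsed value, which is what makes a pattern such as `Content-Type: application/json` work in plain mode while still leaving regex mode available for looser matches like `^content-type:.*json`.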
Apologies, it looks like I was using the Autorize extension from the BApp Store. It is outdated!
Hi,
Currently Autorize does not have an interception filter where it is possible to match certain headers in the response. Currently I am working on a program which responds with a lot of HTML pages, and any sensitive response returned by the server is usually a JSON response.
It would be great if Autorize could intercept if the content-type of the response is `application/json`.