SecurityInnovation / AuthMatrix

AuthMatrix is a Burp Suite extension that provides a simple way to test authorization in web applications and web services.
MIT License

Allow Anonymous Tests #75

Closed ngkogkos closed 5 years ago

ngkogkos commented 5 years ago

Having used the plugin for a few days now, I don't see an obvious way of creating an anonymous role.

I think it should be a straightforward feature to add and a critical one. Even if you create a role called anonymous or something and you leave the cookie value empty, it will use the one from the original request.

Of course you can always strip this off with Burp rules.

mickayz commented 5 years ago

Thank you for your post. For anonymous roles I recommend including a user that has a cookie value equal to an empty string. For example:

| User name | Cookies | ... |
| --- | --- | --- |
| Anon | jsessionid= | ... |

See the following image from the readme for an example:

https://github.com/SecurityInnovation/AuthMatrix/blob/master/images/img1.png
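
A minimal model of the behaviour discussed in this thread, added here as an illustration and not AuthMatrix's own code: it assumes a role's cookies override same-named cookies in the captured request, so an empty Cookies field leaves the original session in place while `jsessionid=` blanks it. The sample request, host name and function names are constructed for the example.

```python
# Illustrative model only; not taken from the AuthMatrix source.
# Assumption: role cookies replace same-named cookies in the original request.

def parse_cookies(value):
    """Parse 'a=1; b=2' into a dict of name -> value (insertion ordered)."""
    cookies = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            cookies[name.strip()] = val.strip()
    return cookies

def format_cookies(cookies):
    return "; ".join(f"{k}={v}" for k, v in cookies.items())

def apply_role_cookies(raw_request, role_cookies):
    """Return raw_request with the role's cookies overriding same-named ones."""
    overrides = parse_cookies(role_cookies)
    head, sep, body = raw_request.partition("\r\n\r\n")
    out, seen = [], False
    for line in head.split("\r\n"):
        if line.lower().startswith("cookie:"):
            seen = True
            merged = parse_cookies(line.split(":", 1)[1])
            merged.update(overrides)  # an empty override dict changes nothing
            line = "Cookie: " + format_cookies(merged)
        out.append(line)
    if not seen and overrides:
        out.append("Cookie: " + format_cookies(overrides))
    return "\r\n".join(out) + sep + body

def session_value(raw_request, name="jsessionid"):
    """Return the value of the named cookie, or None if it is not sent."""
    head = raw_request.partition("\r\n\r\n")[0]
    for line in head.split("\r\n"):
        if line.lower().startswith("cookie:"):
            return parse_cookies(line.split(":", 1)[1]).get(name)
    return None

# Constructed sample request captured while logged in as a real user.
CAPTURED = ("GET /admin/users HTTP/1.1\r\n"
            "Host: app.example\r\n"
            "Cookie: jsessionid=ABC123; theme=dark\r\n\r\n")

if __name__ == "__main__":
    for label, role in (("empty Cookies field", ""), ("Anon role", "jsessionid=")):
        sent = apply_role_cookies(CAPTURED, role)
        print(f"{label!r}: jsessionid sent = {session_value(sent)!r}")
```

If the "Anon" row still receives the protected response with the session cookie blanked, the endpoint is not enforcing authentication.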