False positive Enforcement

[yeln4ts]

There is a specific case of false positive in the check_bypass function.

I encountered a web application which returns a 302 and redirect to / but also returns the privileged data in the body. So it's categorized as "Enforced" but actual sensitive data is still returned.

I understand that it's there so that it works out of the box without having to define enforcement filters, but it would be great to have an option to just bypass this check and only use enforcement filters.

[Quitten]

Interesting point, Ill make some research and see what is the ideal solution, will keep you posted, thanks for reporting this

[sule01u]

authorization/authorization.py

allowed_status_codes = ["200", "302", "301", "303", "307", "308"]
if newStatusCode not in allowed_status_codes:
return self.ENFORCED_STR

What about adding this logic? (other status codes do not seem to need to be checked)

[Quitten]

But if the new status code is still 302, it will return True and will be marked as enforced, im not sure how it helps

[sule01u]

But if the new status code is still 302, it will return True and will be marked as enforced, im not sure how it helps

Here's what I think:
Remove the judgment that the response code is equal, and then the response status code is not within the range of the list definition, directly marked as enforced. That is, the bypass in the list is identified by matching the user-defined enforced rule or matching the response body

[risuxx]

The same issue can also be found in the PortSwigger lab at this link: https://portswigger.net/web-security/access-control/lab-multi-step-process-with-no-access-control-on-one-step. When using Autorize for testing, the observed behavior is that replacing the cookie causes the original request to return a 302 status with a body length of 0. However, when no cookie is present, it returns a 401 status.