SecurityInnovation/AuthMatrix

Load target configuration using simple format

Opened this issue · 3 comments

This is a feature request.

After adding roles and users, AuthMatrix allows you to save and load target configurations, which include cookies and headers. In many cases, cookies need to be updated for obvious reasons and that's not a problem when you're dealing with a small number of users/roles. However, I came across a use case in which I needed to update more than 15 cookies corresponding to every single role in the application. I was going to work with this target for a while, so I wrote a node script to collect all the cookies programmatically, but unfortunately, I still needed to copy-paste them into AuthMatrix.

I noticed that AuthMatrix currently saves target configurations in JSON, but the output includes a lot of fields used internally and it doesn't seem straightforward to construct such output programmatically. Would it be possible to accept files that are easier to construct automatically? For example, something like this:

[
  {
    "username": "user1",
    "cookies": "cookie=value; othercookie=value2",
    "headers": "myheader: myvalue",
    "roles": ["role1", "role2"]
  },
  ...
]

Alternatively, if this is already possible, I would appreciate it if you could provide an example describing the output AuthMatrix is expecting in order to populate the different fields used in the extension.

Thanks!
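
The simple format proposed in the post above, generated and validated from collected cookies, as an added example that is not part of the original issue and not AuthMatrix's own code or an accepted state file format. The function names, the sample users and the `\n` separator between multiple headers are assumptions; only the four field names come from the proposal.

```javascript
// Added example: emit the simple per-user format proposed in this issue.
// Field names (username, cookies, headers, roles) come from the proposal;
// function names, sample users and the "\n" header separator are assumptions.
const TOKEN = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/;                        // RFC 7230 token
const COOKIE_VALUE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/; // RFC 6265 cookie-octet
const HEADER_VALUE = /^[\t\x20-\x7E]*$/;                              // no CR/LF or other controls

// Serialize name/value pairs, rejecting anything that would corrupt the string
// (a ';' in a cookie value or a CR/LF in a header would add an extra pair).
function joinPairs(pairs, valueRe, kvSep, pairSep, kind) {
  return Object.entries(pairs || {}).map(([name, value]) => {
    if (!TOKEN.test(name)) throw new Error(`invalid ${kind} name: ${JSON.stringify(name)}`);
    if (!valueRe.test(value)) throw new Error(`invalid ${kind} value for ${name}`);
    return `${name}${kvSep}${value}`;
  }).join(pairSep);
}

// users: [{ username, cookies: {..}, headers: {..}, roles: [..] }]
// knownRoles: role names already defined for the target.
function buildTargetConfig(users, knownRoles) {
  const roles = new Set(knownRoles);
  const seen = new Set();
  return users.map((u) => {
    if (typeof u.username !== 'string' || u.username === '') throw new Error('username is required');
    if (seen.has(u.username)) throw new Error(`duplicate username: ${u.username}`);
    seen.add(u.username);
    if (!Array.isArray(u.roles) || u.roles.length === 0) throw new Error(`${u.username}: no roles`);
    const unknown = u.roles.filter((r) => !roles.has(r));
    if (unknown.length) throw new Error(`${u.username}: unknown roles ${unknown.join(', ')}`);
    return {
      username: u.username,
      cookies: joinPairs(u.cookies, COOKIE_VALUE, '=', '; ', 'cookie'),
      headers: joinPairs(u.headers, HEADER_VALUE, ': ', '\n', 'header'),
      roles: [...u.roles],
    };
  });
}

// Constructed sample input, e.g. the output of a cookie-collection script.
const sampleUsers = [
  { username: 'user1', cookies: { cookie: 'value', othercookie: 'value2' },
    headers: { myheader: 'myvalue' }, roles: ['role1', 'role2'] },
  { username: 'user2', cookies: { cookie: 'value3' }, headers: {}, roles: ['role2'] },
];
const sampleConfig = buildTargetConfig(sampleUsers, ['role1', 'role2']);
console.log(JSON.stringify(sampleConfig, null, 2));
```

Validating at generation time means a stale or malformed session value fails in the script rather than showing up later as a misleading result in the authorization matrix.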

Thanks for the input. You are correct that the state file needs simplification.

In commit 6bc6e7 I have begun the process of modifying the "load state" functionality to be more forgiving of unexpected state file formats, specifically allowing many of them to be optional and providing some feedback when it fails.

In the next week or two I will be constructing a new document describing a "minimum viable state file" that will describe the required fields and conditions. That should make it easier to automate the construction of AuthMatrix configurations.

Thank you for your patience :)

-Mick

Excellent. That is really helpful.