SessionProbe is a multi-threaded pentesting tool designed to assist in evaluating user privileges in web applications. It takes a user's session token and checks for a list of URLs if access is possible, highlighting potential authorization issues. SessionProbe deduplicates URL lists and provides real-time logging and progress tracking.
SessionProbe is intended to be used with Burp Suite's "Copy URLs in this host" functionality in the Target tab (available in the free Community Edition).
Note: You may want to change the filter in Burps's Target tab to include files or images. Otherwise, these URLs would not be copied by "Copy URLs in this host" and would not be tested by SessionProbe.
Help is built-in!
sessionprobe --help- outputs the help.
Usage:
sessionprobe [flags]
Flags:
-u, --urls string file containing the URLs to be checked (required)
-H, --headers string HTTP headers to be used in the requests in the format "Key1:Value1;Key2:Value2;..."
-h, --help help for sessionprobe
--ignore-css ignore URLs ending with .css (default true)
--ignore-js ignore URLs ending with .js (default true)
-o, --out string output file (default "output.txt")
-p, --proxy string proxy URL (default: "")
-r, --filter-regex string exclude HTTP responses using a regex. Responses whose body matches this regex will not be part of the output.
-l, --filter-lengths string exclude HTTP responses by body length. You can specify lengths separated by commas (e.g., "123,456,789").
--skip-verification skip verification of SSL certificates (default false)
-t, --threads int number of threads (default 10)
--check-all Check POST, DELETE, PUT & PATCH methods (default false)
--check-delete Check DELETE method (default false)
--check-patch Check PATCH method (default false)
--check-post Check POST method (default false)
--check-put Check PUT method (default false)
Examples:
./sessionprobe -u ./urls.txt
./sessionprobe -u ./urls.txt --out ./unauthenticated-test.txt --threads 15
./sessionprobe -u ./urls.txt -H "Cookie: .AspNetCore.Cookies=<cookie>" -o ./output.txt
./sessionprobe -u ./urls.txt -H "Authorization: Bearer <token>" --proxy http://localhost:8080
./sessionprobe -u ./urls.txt -r "Page Not Found"
./sessionprobe -u ./urls.txt -H "Cookie: .AspNetCore.Cookies=<cookie>;Cookie: <another-cookie>=<another_value>"
- Navigate into the directory where your
URLs fileis. - Run the below command:
docker run -it --rm -v "$(pwd):/app/files" --name sessionprobe fw10/sessionprobe [flags]
- Note that we are mounting the current directory in. This means that your
URLs filemust be in the current directory and youroutput filewill also be in this directory. - Also remember to have a
Burp listenerrun on all interfaces if you want to use the--proxyoption
- You can simply run this tool from source via
go run . - You can build the tool yourself via
go build - You can build the docker image yourself via
docker build . -t fw10/sessionprobe
- To run the tests, run
go testorgo test -v(for more details)
- Test for authorization issues
- Automatically dedupes URLs
- Sorts the URLs by response status code and extension (e.g.,
.css,.js), and provides the length - Multi-threaded
- Proxy functionality to pass all requests e.g. through
Burp - ...
Responses with Status Code: 200
https://example.com/<some-path> => Length: 12345
https://example.com/<some-path> => Length: 40
...
Responses with Status Code: 301
https://example.com/<some-path> => Length: 890
https://example.com/<some-path> => Length: 434
...
Responses with Status Code: 302
https://example.com/<some-path> => Length: 0
...
Responses with Status Code: 404
...
Responses with Status Code: 502
...
- The
Releasessection contains some already compiled binaries for you so that you might not have to build the tool yourself - For the
Mac releases, your Mac may throw a warning ("cannot be opened because it is from an unidentified developer")- To avoid this warning in the first place, you could simply build the app yourself (see
Setup) - Alternatively, you may - at your own risk - bypass this warning following the guidance here: https://support.apple.com/guide/mac-help/apple-cant-check-app-for-malicious-software-mchleab3a043/mac
- Afterwards, you can simply run the binary from the command line and provide the required flags
- To avoid this warning in the first place, you could simply build the app yourself (see
If you find a bug, please file an Issue right here in GitHub, and I will try to resolve it in a timely manner.
