DEV.co
Open-Source Security · WuliRuler

AutorizePro

AutorizePro is a Burp Suite extension for detecting authorization bypass vulnerabilities (IDOR, broken access control) using AI-assisted analysis to reduce false positives. It supports custom API endpoints, including local models, and generates test reports in HTML/CSV format.

Source: GitHub — github.com/WuliRuler/AutorizePro
608
GitHub stars
33
Forks
Python
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryWuliRuler/AutorizePro
OwnerWuliRuler
Primary languagePython
LicenseApache-2.0 — OSI-approved
Stars608
Forks33
Open issues5
Latest releaseV1.5 (2025-06-15)
Last updated2026-01-18
Sourcehttps://github.com/WuliRuler/AutorizePro

What AutorizePro is

Python-based Burp plugin that automates authorization testing by injecting alternative credentials/tokens and comparing responses. Integrates optional LLM analysis (OpenAI-compatible APIs, Ollama, or vendor models) to classify enforced vs. bypassed access controls, filtering static resources and non-JSON responses by default.

Quickstart

Get the AutorizePro source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/WuliRuler/AutorizePro.gitcd AutorizePro# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Security Researcher / Bug Bounty Workflow

Rapidly identify IDOR and broken access control vulnerabilities during black-box testing and SRC engagement; AI analysis reduces manual review from 95% false-positive baseline to ~5%, enabling faster triage of high-signal findings.

Penetration Testing Automation

Automate authorization enforcement checks across multi-tenant or role-based access control systems; supports parameter-based and header-based injection, with configurable domain filtering to scope testing and control API costs.

Internal Security Auditing with Data Privacy

Deploy local LLM analysis (Ollama, self-hosted) or company private models to avoid sending test data to third-party cloud APIs; meets compliance requirements for sensitive environments.

Implementation considerations

  • Confirm Burp Suite version (2024.11+) and Java environment (Java 22) before deployment; Jython standalone JAR download and path configuration are mandatory setup steps.
  • Establish domain whitelist/blacklist rules in Interception Filters to prevent accidental credential leakage to out-of-scope sites and to control LLM API consumption.
  • Configure second user/admin credentials and injection points (header, parameter) in the Configuration tab; validate test requests manually before scaling to production targets.
  • For AI analysis, choose between cloud APIs (OpenAI, Aliyun Qianwen) with API keys or self-hosted models (Ollama) with no external data egress; test prompt parsing on sample responses first.
  • Monitor tool logs for AI reasoning and false-positive patterns; adjust enforcement detection rules in the 'already authenticated rules' section iteratively.

When to avoid it — and what to weigh

  • No Burp Suite / Jython Environment — Requires Burp Suite (tested on 2024.11) with Jython 2.7.3+; cannot run standalone or as a CLI tool. Requires Java 22+ compatibility.
  • Windows Path Constraints — Installation fails if file paths contain Chinese or other non-ASCII characters; may cause friction in non-English environments or shared team setups.
  • Minimal API Response Variability — Tool is optimized for JSON responses (50–6000 bytes); non-JSON APIs, GraphQL, or highly variable status codes reduce effectiveness. Requires manual tuning for edge-case response patterns.
  • Cost Sensitivity Without Scoping — AI analysis incurs per-request LLM costs (0.38¥ per day reported in documentation); without strict domain/rule filtering, costs can accumulate on broad scans.

License & commercial use

Licensed under Apache License 2.0 (Apache-2.0), an OSI-approved permissive open-source license allowing commercial use, modification, and distribution with attribution and no warranty.

Apache-2.0 permits commercial use in theory. However, the README includes a supplementary disclaimer stating that users are solely responsible for legal compliance and authorization; unauthorized testing is prohibited. Commercial deployment requires independent legal review to ensure compliance with local regulations and client authorization frameworks. Verify organizational liability coverage when using AI-enhanced analysis to identify vulnerabilities.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Tool performs credential injection and request replay, increasing breach risk if misconfigured. Strong recommendation to scope target domains strictly to prevent cookie/token leakage. AI analysis may expose sensitive request/response data to third-party LLM APIs (mitigated by self-hosted model option). No cryptographic signing or audit logging of test activities; ensure isolated test environment to avoid production impact. Jython/Python execution within Burp poses supply-chain risk if dependencies or extension source are compromised.

Alternatives to consider

Autorize (Original)

Predecessor tool that performs authorization testing without AI; lighter weight but higher false-positive rate; useful if AI cost/data privacy is prohibitive.

OWASP ZAP + Authorization Plugin

Free, open-source alternative with community-driven authorization testing; less specialized than AutorizePro but integrates with broader DAST pipeline; no built-in LLM support.

Burp Suite Pro Native Scanner

Built-in authorization testing capabilities in Burp; no separate plugin required; less customizable AI integration but tightly coupled with proxy/repeater workflow.

Software development agency

Build on AutorizePro with DEV.co software developers

AutorizePro integrates AI-driven vulnerability detection into Burp Suite, cutting false-positive analysis by 95%. Ideal for penetration testers, security researchers, and SRC hunters. Deploy with local LLMs for data privacy or cloud APIs for convenience. Evaluate the tool for your next engagement.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

AutorizePro FAQ

Can I use AutorizePro without enabling AI?
Yes. By default, the tool runs rule-based authorization detection (checking response status codes, JSON formatting, length). AI is optional and only activates when the 'Enable AI' checkbox is ticked. This is useful for teams avoiding LLM API costs or data egress.
What are the API costs for AI analysis?
Documented example: ~0.38¥ (≈$0.05 USD) per day of continuous testing. Costs vary by vendor (OpenAI, Aliyun Qianwen) and model selected. Tool filters to JSON responses 50–6000 bytes to minimize unnecessary API calls. Strict domain filtering is recommended to control spend.
Can I deploy AutorizePro with a local LLM to avoid cloud APIs?
Yes. The tool supports custom OpenAI-compatible API endpoints, including Ollama and self-hosted models. Set 'URL: http://localhost:11434/v1/chat/completions', leave 'KEY' empty, and input model name. Data remains local; no third-party API calls occur.
Is AutorizePro legally safe to use?
The tool itself is neutral; legal responsibility lies with the user. The README disclaimer explicitly states that unauthorized testing is prohibited. Ensure you have written authorization from the target organization before conducting any authorization testing. Legal review is advised for commercial deployment.

Software development & web development with DEV.co

From first prototype to production, DEV.co delivers software development services around tools like AutorizePro. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source security and beyond.

Enhance Your Authorization Testing Workflow

AutorizePro integrates AI-driven vulnerability detection into Burp Suite, cutting false-positive analysis by 95%. Ideal for penetration testers, security researchers, and SRC hunters. Deploy with local LLMs for data privacy or cloud APIs for convenience. Evaluate the tool for your next engagement.