Authorization Scanner

The Authorization Scanner — authz — is Hugin’s Autorize-equivalent. Replay every captured flow with different authentication contexts (admin / regular user / no auth) and diff the responses to find access control failures.

It’s the single highest-ROI scanner in Hugin for finding real bugs: missing access control, BOLA / IDOR, privilege escalation, unauthenticated admin endpoints, role confusion. If you only run one scanner against a target, run this one.

🔗How It Works

  1. Capture flows authenticated as User A (e.g. admin).
  2. Define auth contexts — per-context, the headers/cookies/params that distinguish that auth state.
  3. The scanner replays every captured flow with each defined context substituted in.
  4. Diffs the response of each replay against the original.
  5. Flags a replay as a problem when it comes back with the same content as the baseline:
    • Same content under a lower-privilege context (e.g. user_b) → access control bypass: horizontal if the flow touches another user's object (BOLA / IDOR), vertical if it is an admin-only resource
    • Same content under no_auth → the endpoint does not require authentication at all
  Replays that return 401/403, or different content, are treated as correct behaviour (see Result View).

🔗Auth Context Definition

Each context has a name and a set of “auth markers”:

  • Header substitutions — e.g., Authorization: Bearer <admin-token>
  • Cookie substitutions — e.g., session_id=<admin-cookie>
  • Parameter substitutions — e.g., ?user_id=<my-id> → ?user_id=<victim-id>

Common contexts to define:

  • admin — all auth markers from your admin login
  • user_b — auth markers from a different user account
  • no_auth — empty (replay with no auth markers)
  • expired — known-expired token (sanity-check)

🔗Running a Scan

  1. Capture admin flows (browse the app authenticated as admin)
  2. Open Scanner view → Authorization Matrix tab
  3. Add the auth contexts above
  4. Multi-select the captured flows (as a starting point, all in-scope POSTs/PUTs/DELETEs plus every GET that carries an object ID in the path or query; BOLA lives in GETs as much as in writes)
  5. Run Authz
  6. Hugin replays each flow with each context, computes a similarity matrix, and surfaces:
Flow #1234   GET /api/v1/users/42
  admin: 200 OK (baseline)
  user_b: 200 OK  ← BOLA: user_b sees user 42's data
  no_auth: 401   ← (expected)

🔗Result View

Each flow gets a row showing per-context status, body length, and a verdict:

  • Bypass — non-baseline context returned the same content (red highlight)
  • Different — context returned different content (likely correct behaviour)
  • Locked — context returned 401/403 (correct lockout)
  • Error — context returned 5xx (server-side issue, usually a false positive; still worth a look if the request could have had side effects before it failed)

Sort by verdict to surface bypasses first.
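The replay-and-diff loop from How It Works and the four Result View verdicts, written out as an added example (not Hugin's own code). It replays against a constructed in-memory stand-in for the target, `fake_app`, rather than sending HTTP; the `{name, header, value}` context shape is the one the Configuration section gives, and treating `value: None` as "strip the header" is this example's own convention for a no_auth context. The flows, tokens and endpoints are all made up for the demonstration.

```python
import difflib
import json
from dataclasses import dataclass

# ---- Constructed stand-in for the target app (not a real service) ----------
# /api/v1/users/<id>   checks only that *a* valid token is present: classic BOLA.
# /api/v1/admin/config correctly requires the admin role.
# /api/v1/me           is identity-scoped: every role gets 200, each with its own data.
TOKENS = {"Bearer admin-tok": ("admin", 1), "Bearer userb-tok": ("user", 2)}

def fake_app(method, path, headers):
    """Return (status, body) the way the target would for this request."""
    ident = TOKENS.get(headers.get("Authorization", ""))
    if ident is None:
        return 401, json.dumps({"error": "unauthenticated"})
    role, uid = ident
    if method == "GET" and path.startswith("/api/v1/users/"):
        target = int(path.rsplit("/", 1)[1])
        return 200, json.dumps({"id": target, "email": f"user{target}@example.test",
                                "ssn_last4": "1234"})
    if path == "/api/v1/admin/config":
        if role != "admin":
            return 403, json.dumps({"error": "forbidden"})
        return 200, json.dumps({"debug": True, "smtp_password": "hunter2"})
    if path == "/api/v1/me":
        perms = ["users:write", "config:write"] if role == "admin" else []
        return 200, json.dumps({"id": uid, "role": role, "permissions": perms})
    return 404, json.dumps({"error": "not found"})

# ---- Scanner logic ----------------------------------------------------------
@dataclass
class Flow:
    method: str
    path: str
    headers: dict

def apply_context(headers, ctx):
    """Substitute one auth marker. ctx uses the {name, header, value} shape;
    value None means 'strip the header' (this example's no_auth convention)."""
    out = {k: v for k, v in headers.items() if k.lower() != ctx["header"].lower()}
    if ctx["value"] is not None:
        out[ctx["header"]] = ctx["value"]
    return out

def similarity(a, b):
    return difflib.SequenceMatcher(None, a, b).ratio()

def verdict(base_status, base_body, status, body, threshold=0.9):
    """Classify one replay against the baseline (same verdicts as the result view)."""
    if status >= 500:
        return "Error"
    if status in (401, 403):
        return "Locked"
    if status == base_status and similarity(base_body, body) >= threshold:
        return "Bypass"
    return "Different"

def run_matrix(flows, contexts, send=fake_app):
    """Replay every flow under every context and build the authz matrix."""
    rows = []
    for f in flows:
        base_status, base_body = send(f.method, f.path, f.headers)
        row = {"flow": f"{f.method} {f.path}", "baseline": base_status, "cells": {}}
        for ctx in contexts:
            status, body = send(f.method, f.path, apply_context(f.headers, ctx))
            row["cells"][ctx["name"]] = {"status": status, "length": len(body),
                                         "verdict": verdict(base_status, base_body, status, body)}
        rows.append(row)
    order = {"Bypass": 0, "Error": 1, "Different": 2, "Locked": 3}  # bypasses first
    rows.sort(key=lambda r: min(order[c["verdict"]] for c in r["cells"].values()))
    return rows

ADMIN = {"Authorization": "Bearer admin-tok", "Accept": "application/json"}
FLOWS = [Flow("GET", "/api/v1/admin/config", ADMIN),
         Flow("GET", "/api/v1/me", ADMIN),
         Flow("GET", "/api/v1/users/42", ADMIN)]
CONTEXTS = [{"name": "user_b", "header": "Authorization", "value": "Bearer userb-tok"},
            {"name": "no_auth", "header": "Authorization", "value": None},
            {"name": "expired", "header": "Authorization", "value": "Bearer expired-tok"}]

if __name__ == "__main__":
    for row in run_matrix(FLOWS, CONTEXTS):
        print(f"{row['flow']}  baseline={row['baseline']}")
        for name, c in row["cells"].items():
            print(f"  {name:8} {c['status']} len={c['length']:<3} {c['verdict']}")
```

Run as-is, the users/42 row sorts to the top with user_b marked Bypass (same 200 and identical body as the admin baseline), the /me row is Different under user_b (200 but its own data, which is correct), and admin/config is Locked under every non-admin context. The similarity threshold is the weak spot of this design: a response that differs from the baseline only in a short field can still clear 0.9, so inspect the body lengths and the diff before promoting a Bypass.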

🔗Bulk-Promote to Findings

Multi-select the rows whose verdict is Bypass, then click Promote to Findings. Each becomes a finding with:

  • Severity High (configurable)
  • CWE-639 (BOLA) / CWE-862 (Missing Authorization) / CWE-863 (Incorrect Authorization)
  • Evidence flows attached (original + bypass replay)
  • Pre-filled title and description

Saves an enormous amount of triage time.

🔗Tips

  • Capture broadly first. Browse every admin feature, including read-only views — Hugin can only test what you’ve captured. Crawler + manual exploration combined gives best coverage.
  • Differentiate auth markers cleanly. If admin and user_b share any cookies, the scanner can’t fully isolate. Use separate browsers / private windows for each role.
  • Beware response variance. Some apps include timestamps, request IDs or nonces in responses. Those fields change on every replay, so a response that really carries the same data can fall below the similarity threshold and be reported as Different instead of Bypass. Compare body lengths and diff the bodies by hand before trusting a Different verdict on an endpoint that takes an object ID.
  • Test no_auth too. Even if you only care about cross-user IDOR, the no_auth context catches missing-authentication entirely.

🔗Configuration

Pass auth contexts via the auth_contexts parameter as [{name, header, value}, ...]. Standard scanner concurrency / per-host delay / timeout knobs apply.

🔗MCP

The authz MCP tool exposes one action:

  • scan — run auth matrix with auth_contexts: [{name, header, value}, ...]

LLM agents commonly use this with orchestrate — capture admin flows, define user_b from a second account login, run authz, auto-promote bypasses.

The tool is stateless — the matrix is returned inline with the scan result, no separate findings / export actions.

🔗Persistent Matrix + Scored Findings

For a persistent authz matrix stored in authz_matrix_results (the shape the Authorize view consumes), use the session_profiles MCP tool: session_profiles scan populates the table, session_profiles matrix reads it back, session_profiles clear_matrix wipes it. Requires a Pro license.

For scored BAC findings — status divergence, cross-identity echo, bypass headers, path-param IDOR, cross-tenant, JWT escalation, mass assignment, OAuth scope escalation, rate-limit bypass, role escalation — use the full BAC pipeline. It’s the superset of this scanner with passive signals, an ID corpus, response shape hashing, and an active audit. Also Pro-gated.

🔗See Also

  • BAC Pipeline — Pro, the full broken-access-control surface that the authz scanner sits inside
  • Authorize View — Pro, the UI for session profiles + matrix + findings