Authorize (BAC)

Pro feature — the Authorize view is hidden from the sidebar on Community tier. Trial, Pro, and Dev-bypass builds see it under the Testing group with the shield-check icon.

The Authorize view is the UI surface for the BAC pipeline — session profile management, the authorization matrix, scored BAC findings, passive intelligence (signals + ID corpus + response shapes), and identity-diff. It’s where researchers run the broken-access-control workflow end-to-end without dropping to MCP or the CLI.

Layout

ListDetailLayout:

┌─ Session Profiles ──┬─────────────── Detail Pane ──────────────────┐
│  [ + New profile ]  │  Control row: Scan · Abort · Clear · Export  │
│                     │  Advanced toggles: per-check enable + budget │
│  · Baseline (admin) ├──────────────────────────────────────────────┤
│  · user_b           │  Sub-tabs: Results | Original | Replayed |   │
│  · Unauthenticated  │           Diff | Findings | Intelligence     │
│  · …                │                                              │
│                     │  [ content of the selected sub-tab ]         │
└─────────────────────┴──────────────────────────────────────────────┘

Left list is the profile sidebar (CRUD + activation). Right pane hosts the scan controls on top, six sub-tabs below.

Session Profiles

A session profile is an identity container — a named bundle of auth headers (cookies, tokens, API keys) that the BAC matrix replays as. Every audit needs at least two: a baseline (usually admin / high-priv) and one or more comparison identities.

Profile Actions

  • New profile — name + description + “Is baseline?” toggle. Exactly one baseline per project.
  • Capture from flow — pick a flow from HTTP History; its Auth/Cookie/X-API-Key/etc. headers get stashed under the profile.
  • Add header — manual entry for headers you don’t have a flow for.
  • Remove header — delete a single header or clear all.
  • Set baseline — star a profile to promote it to baseline (demotes the current baseline).
  • Delete — profile + captured headers. Destructive.

Auto-Seeded “Unauthenticated”

If you start an audit with only a baseline profile, the view auto-creates an Unauthenticated profile (zero auth headers) so the matrix always has a comparison identity. It shows up in the list after the audit starts.

Login Macros

Profiles can be attached to a Session Macro: when the audit runs, the macro executes first and its final_variables are substituted into the profile’s header values via {{var_name}} placeholders. This lets you refresh stale tokens at audit start without re-capturing flows.

Attach via the Login macro dropdown in the scan controls; available macros come from hugin_mcp::tools::macros::load_macros.
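The profile rules above (exactly one baseline, the auto-seeded Unauthenticated identity, and {{var_name}} substitution from a macro’s final_variables) as an added Rust example. This is illustrative code written for this page, not Hugin’s own implementation; the SessionProfile type and the function names are assumptions.

```rust
use std::collections::HashMap;

/// A session profile: a named identity whose auth headers the matrix replays as.
/// (Illustrative type for this example, not Hugin's own struct.)
#[derive(Debug, Clone)]
pub struct SessionProfile {
    pub name: String,
    pub is_baseline: bool,
    pub headers: HashMap<String, String>,
}

/// Replace `{{var_name}}` placeholders with macro final_variables. Unknown
/// placeholders are left intact so an unresolved token stays visible
/// instead of being silently blanked.
pub fn substitute(value: &str, vars: &HashMap<String, String>) -> String {
    let mut out = String::new();
    let mut rest = value;
    while let Some(start) = rest.find("{{") {
        out.push_str(&rest[..start]);
        let len = match rest[start + 2..].find("}}") {
            Some(len) => len,
            None => { rest = &rest[start..]; break; } // unterminated: keep literally
        };
        let end = start + 2 + len + 2; // index just past the closing "}}"
        let name = rest[start + 2..start + 2 + len].trim();
        match vars.get(name) {
            Some(v) => out.push_str(v),
            None => out.push_str(&rest[start..end]),
        }
        rest = &rest[end..];
    }
    out.push_str(rest);
    out
}

/// Apply a macro's final_variables to every header value of a profile.
pub fn apply_macro(profile: &mut SessionProfile, vars: &HashMap<String, String>) {
    for v in profile.headers.values_mut() { *v = substitute(v, vars); }
}

/// The view's auto-seeding rule: with only a baseline present, add an
/// "Unauthenticated" profile carrying zero auth headers. Returns true if seeded.
pub fn seed_unauthenticated(profiles: &mut Vec<SessionProfile>) -> bool {
    if profiles.len() != 1 || !profiles[0].is_baseline { return false; }
    profiles.push(SessionProfile { name: "Unauthenticated".into(), is_baseline: false, headers: HashMap::new() });
    true
}
```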

Scan Controls

Top of the detail pane, above the tabs:

  • Scan — Starts the audit. Registers an audit_id, kicks off the Autorize matrix and the BAC active engine in parallel, and surfaces the audit_id as a toast so you can query progress externally.
  • Abort — Flips the cancel flag on the current audit. The engine exits at the next inter-flow boundary; the button label switches to “Aborting…” while the engine is draining.
  • Clear — Clears the matrix results for the selected profile. Leaves findings, signals and corpus intact.
  • Export — Renders all findings in the selected format (Markdown / SARIF / HTML / CSV / JSON summary / JSON raw).

Advanced Toggles (expandable)

Every BAC active check has its own enable/disable toggle so you can narrow a run to specific techniques:

  • opt_path_param — path-parameter IDOR
  • opt_param_mutation — query/body param IDOR
  • opt_cross_tenant — tenant/org field rotation
  • opt_bypass_headers — 60 bypass-header candidates
  • opt_jwt_escalation — JWT alg=none + claim mutation
  • opt_graphql_introspect — GraphQL introspection probes
  • opt_cross_identity_echo — same-body-different-identity detector
  • opt_rate_limit_bypass — session-keyed rate-limit probe
  • opt_role_enum — role-field enumeration
  • opt_oauth_scope — OAuth scope-escalation
  • opt_mass_assignment — privileged-field injection

Plus knobs:

  • opt_request_budget (default 5000) — hard cap on outbound probes
  • opt_delay_ms (default 100) — per-probe delay
  • opt_max_flows (default 200) — flows pulled from the store per audit

Sub-Tabs

Six tabs inside the matrix pane. They share the same result scope (the selected matrix row, when one is selected).

Results

The authorization matrix — every replayed flow × every profile, with per-cell status + similarity + length-delta + verdict chip.

Context menu on any row (right-click):

  • Send to Repeater (opens replay flow in Repeater for manual refinement)
  • Send to Intruder (fuzzes the replay flow)
  • Send to Comparer (diffs replay vs baseline)
  • Open in Scanner (runs the full scanner against the replay)
  • Open in Sitemap (browses the host’s other endpoints)
  • Copy Flow ID

All five send-to targets route through the canonical send_flow_to_view helper so the handoff matches every other view in the app.

Original / Replayed / Diff

Three response panes. Original shows the captured baseline response body; Replayed shows the attacker-replay; Diff renders a side-by-side identity-diff with role-field highlighting. Click a row in Results to load all three.

Findings

Scored BAC findings for the current project. Filter chips on top (kind + severity), and per-row actions on every finding:

  • Copy as Markdown — bug-bounty-ready writeup
  • Copy as JSON — pretty-printed envelope
  • Copy as CSV — single row with header, paste-ready
  • Repeater — send the attacker-replay flow to Repeater
  • Intruder — send to Intruder
  • Comparer — send both baseline + replay as a pair for diff
  • Sitemap — open the replay in Sitemap to browse the host

Severity chip row lets you filter by level; the Hide tentative toggle (default on) drops cross-identity-echo auto-demotions on IdentityDrift endpoints — turn off when chasing a specific lead.

Intelligence

Three tabs on the raw passive output:

  • Signals — 7 kinds with filter + evidence snippet inline
  • Corpus — every classified ID, grouped by endpoint + identity, filterable by kind (numeric / UUID v4 / UUID v1 / UUID other / slug / hex / opaque token)
  • Shapes — endpoints whose response shape hash matches across identities (strongest horizontal IDOR tell)
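The Corpus tab’s ID kinds (numeric / UUID v4 / UUID v1 / UUID other / slug / hex / opaque token) as an added Rust classifier. The rules below are this example’s own assumptions about how such a classifier can be ordered, not Hugin’s implementation; IdKind and classify_id are invented names.

```rust
/// ID kinds shown by the Corpus tab. The classification rules below are this
/// example's own assumptions, not Hugin's classifier.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum IdKind { Numeric, UuidV4, UuidV1, UuidOther, Slug, Hex, Opaque }

/// Returns the RFC 4122 version nibble if `s` is a canonical 8-4-4-4-12 UUID.
fn uuid_version(s: &str) -> Option<char> {
    let groups: Vec<&str> = s.split('-').collect();
    if groups.len() != 5 { return None; }
    for (g, len) in groups.iter().zip([8usize, 4, 4, 4, 12]) {
        if g.len() != len || !g.chars().all(|c| c.is_ascii_hexdigit()) { return None; }
    }
    groups[2].chars().next() // version nibble is the first char of the third group
}

/// Classify one identifier harvested from a request or response. Order matters:
/// all-digit strings are numeric before they can be hex, and a canonical UUID is
/// recognised before generic hex.
pub fn classify_id(s: &str) -> IdKind {
    if s.is_empty() { return IdKind::Opaque; }
    if s.chars().all(|c| c.is_ascii_digit()) { return IdKind::Numeric; }
    if let Some(v) = uuid_version(s) {
        return match v { '4' => IdKind::UuidV4, '1' => IdKind::UuidV1, _ => IdKind::UuidOther };
    }
    if s.len() >= 8 && s.len() % 2 == 0 && s.chars().all(|c| c.is_ascii_hexdigit()) {
        return IdKind::Hex; // even-length hex: hashes, raw ids, session handles
    }
    let slug_chars = s.chars().all(|c| c.is_ascii_lowercase() || c.is_ascii_digit() || c == '-');
    if slug_chars && !s.starts_with('-') && !s.ends_with('-') && s.contains(|c: char| c.is_ascii_lowercase()) {
        return IdKind::Slug; // human-readable handle such as "acme-corp"
    }
    IdKind::Opaque // anything else: base64-ish tokens, mixed case, symbols
}
```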

Cross-View Handoffs

The view consumes two cross-view signals on mount:

  • pending_bac_replay — from Logger’s “Replay as identity” context menu. Auto-selects the identity and surfaces a toast.
  • pending_bac_host_filter — from Sitemap’s “Open in Authorize (BAC)” context menu. Pre-fills the host filter so matrix + findings + corpus all scope to the sitemap-selected host.

Both signals clear after consumption so re-visiting the view doesn’t re-trigger.

MCP Automation

Every interactive control is registered as a ComponentInfo so ui_automate list_components Authorize reports it. Forty-seven components cover every dialog field, toggle, button, filter input, and reactive state. An MCP agent can drive the full BAC workflow from tool calls without screen-scraping.

See Also

  • BAC Pipeline — the underlying engine: signals, corpus, checks, findings
  • Authorization Scanner — the stateless matrix scanner behind the Results tab
  • MCP Tools — bac_audit, session_profiles, live_audit reference