Full Report
This is a tool that I have wanted to build for at least 5 years. Checking my archives, the earliest reference I can find is almost exactly 5 years ago, and I’ve been thinking about it for longer, I’m sure. Finally it has made it out of my head, and into the real world! Be free! Be free! So, what does it do, and how does it do it? The core idea for this tool comes from the realisation that, when reviewing how web applications work, it would help immensely to be able to know which user was actually making specific requests, rather than trying to just keep track of that information in your head (or not at all). Once you have an identity associated with a request, that enables more powerful analysis of the requests which have been made.
Analysis Summary
# Tool/Technique: Burp Extension (Identity Association Tool)
## Overview
This is a Burp Suite extension developed by SensePost, designed to associate specific HTTP requests with the identity (user) making those requests. The core purpose is to enable more powerful analysis of web application traffic, particularly for access control testing, by tracking requests made by distinct authenticated users, even across multiple login/logout cycles or session ID changes.
## Technical Details
- Type: Tool (Burp Suite Extension)
- Platform: Host platform running Burp Suite (typically Windows, macOS, Linux)
- Capabilities: Associates session IDs with authenticated users via configurable rules for login and logout detection. Supports pivoting request data based on user identity.
- First Seen: Article published June 5, 2014.
## MITRE ATT&CK Mapping
*Note: This tool is primarily used for security assessments and analysis during testing (Red Team/Blue Team activities) rather than direct TTP execution by threat actors. The closest mapping relates to how analysts might use output to infer actor activity or how an actor might manipulate session data.*
- **TA0008 - Credential Access** (If used to test broken access control resulting in unauthorized data/actions)
- T1078 - Valid Accounts
- **TA0010 - Exfiltration** (If used to systematically test data access limits)
- T1041 - Exfiltration Over C2 Channel (Relevant only if the extension output facilitates discovery of exfiltration paths)
- **TA0005 - Defense Evasion** (If utilized during an assessment to evade simple monitoring by tracking complex session states)
- T1140 - Deobfuscate/Decode Files or Information (Relates to the analytic output)
## Functionality
### Core Capabilities
- **Identity Association:** Links session identifiers (e.g., cookies) to a specific username based on observed login events.
- **Rule-Based Tracking:** Allows the user to define custom rules (based on HTTP method, URL path, response status, and response content like "login failed") to reliably detect user authentication (login) and de-authentication (logout).
- **Session Persistence:** Maintains the association between the identity and the session ID until a logout rule is triggered.
- **Access Control Analysis:** Enables comparison of requests made by different users side-by-side.
### Advanced Features
- **Pivot Table Generation:** Creates customizable pivot tables using request parameters versus the associated user identity, allowing analysts to quickly grasp which user performed which action with what specific parameters.
- **Conversation Linking:** Clicking a cell in the pivot table provides a list of all underlying HTTP conversations for that unique parameter combination, regardless of login/logout state.
- **Status Tagging (Planned/Future):** The ability to define rules for successful vs. failed requests, intending to color-code pivot table cells based on the success status of the underlying conversations (useful for identifying authorization failures).
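As an added illustration (not the extension's own code), the tracking logic described in the Functionality list above, in plain Python: rule-based login and logout detection binds a session id to a username, each conversation is tagged with the identity that made it, and a pivot of one request parameter against identity shows which user sent which value. The record layout, rule format and sample traffic are constructed assumptions for this example.

```python
import re
from collections import defaultdict

def conv(cid, method, path, sid, params, status, body="", set_sid=None):
    return dict(id=cid, method=method, path=path, sid=sid, params=params, status=status, body=body, set_sid=set_sid)

# Constructed sample proxy history (not real traffic): 'sid' is the session cookie the client sent,
# 'set_sid' a new session id issued by the server in the response.
HISTORY = [
    conv(1, "POST", "/login", "anon1", {"user": "alice", "pw": "x"}, 302, set_sid="s-alice"),
    conv(2, "GET", "/account", "s-alice", {"account_id": "100"}, 200),
    conv(3, "GET", "/logout", "s-alice", {}, 302),
    conv(4, "POST", "/login", "anon2", {"user": "bob", "pw": "bad"}, 200, body="login failed"),
    conv(5, "POST", "/login", "anon2", {"user": "bob", "pw": "y"}, 302, set_sid="s-bob"),
    conv(6, "GET", "/account", "s-bob", {"account_id": "100"}, 200),
    conv(7, "GET", "/account", "s-bob", {"account_id": "200"}, 200),
    conv(8, "GET", "/account", "s-alice", {"account_id": "100"}, 200),  # stale session id after logout
]

# Rule shape is an assumption for this example; the extension's own rule syntax is not shown on the page.
LOGIN_RULE = {"method": "POST", "path": "/login", "status": 302,
              "body_not": re.compile("login failed"), "user_param": "user"}
LOGOUT_RULE = {"method": "GET", "path": "/logout"}

def matches(c, rule):
    """Method and path must match; status and a negative body pattern are optional conditions."""
    if (c["method"], c["path"]) != (rule["method"], rule["path"]):
        return False
    if rule.get("status") not in (None, c["status"]):
        return False
    return not ("body_not" in rule and rule["body_not"].search(c["body"]))

def tag_identities(history, login_rule, logout_rule):
    """Return {conversation id: username or None}, tracking which session id belongs to whom."""
    sid_to_user, tags = {}, {}
    for c in history:
        user = sid_to_user.get(c["sid"])
        if matches(c, login_rule):
            user = c["params"][login_rule["user_param"]]
            sid_to_user[c["set_sid"] or c["sid"]] = user  # bind to the server-issued session id if any
        tags[c["id"]] = user
        if matches(c, logout_rule):
            sid_to_user.pop(c["sid"], None)  # the identity no longer applies to this session id
    return tags

def pivot(history, tags, param):
    """{param value: {user: [conversation ids]}} for every conversation that carries `param`."""
    table = defaultdict(lambda: defaultdict(list))
    for c in history:
        if param in c["params"]:
            table[c["params"][param]][tags[c["id"]]].append(c["id"])
    return {value: dict(users) for value, users in table.items()}
```

Running `pivot(HISTORY, tag_identities(HISTORY, LOGIN_RULE, LOGOUT_RULE), "account_id")` shows both alice and bob retrieving account 100 with a 200 response, the kind of cross-user comparison the page describes, and the untagged stale-session request appears under `None`.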
## Indicators of Compromise
- File Hashes: Not applicable; this is a user-installed extension.
- File Names: BurpId.zip (Distribution archive name).
- Registry Keys: Not applicable.
- Network Indicators: Not applicable; this is a client-side analysis tool.
- Behavioral Indicators: None directly malicious; behavior is centered around parsing and tagging proxy traffic based on user-defined criteria for web application login/logout events.
## Associated Threat Actors
- Not associated with known threat actors. This is an offensive security testing tool/Burp Suite extension likely used by penetration testers, security researchers, or internal security teams.
## Detection Methods
- Signature-based detection: Detection would focus on the presence of the `BurpId` extension files within a user's Burp Suite configuration directory.
- Behavioral detection: on an analyst workstation, Burp Suite proxy history accompanied by repeated, iterative definition of request-matching rules aimed at identifying an application's authentication sequences.
- YARA rules: Not applicable.
## Mitigation Strategies
- As this is an analysis tool, mitigation is largely focused on securing the application being tested:
  - **Strong Session Management:** Implement robust, time-limited, and invalidated session tokens to hinder automated testing based on session IDs.
  - **Input Validation:** Ensure all forms and parameters analyzed via this method are protected against injection attacks.
  - **Access Control Enforcement:** Correctly configure and enforce least privilege to ensure that if requests from different users are compared, unauthorized actions fail correctly.
  - **Tool Control:** For highly regulated environments, monitor and restrict the installation of non-approved Burp Suite extensions.
## Related Tools/Techniques
- Burp Suite Repeater/Intruder (Standard Burp functionality that this extension seeks to augment).
- Other Burp extensions designed for session management and user tracking.
- General web proxy analysis.