Releases: alpernae/AuthMutator
Auth Mutator 2026.3 - Strict Role Controls in Main Panel, Reliable Logging, and Role/Rule Testing Matrix
What's Changed
This release improves testing control, reliability, and documentation clarity.
- Added Strict role-scoped rules toggle to main Quick Controls for faster workflow control directly in the Request Log tab.
- Hardened request/response correlation in the handler so requests are logged more reliably on first send.
- Expanded README with detailed role/rule behavior matrix for strict off vs strict on modes.
- Added a practical member -> manager -> admin testing matrix and step-by-step usage playbook.
- Clarified troubleshooting guidance for strict context matching and visibility behavior.
- Maintains Java 17 compatibility and current extension defaults.
- Bump net.portswigger.burp.extensions:montoya-api from 2025.10 to 2025.12 by @dependabot[bot] in #5
Full Changelog: v1.2...v2026.3
v1.2 - Initial Release
I'm excited to introduce Auth Mutator, a Burp Suite extension designed to streamline advanced authentication testing and IDOR discovery. Auth Mutator allows you to define complex modification rules, impersonate multiple user roles, and efficiently spot interesting behaviors—all while keeping your original traffic intact.
🌟 Key Features
🎭 Multi-Role Testing
- User Profiles: Define and manage multiple identities (e.g., "Admin", "User A") with their specific authentication tokens (Headers/Cookies).
- Dynamic Impersonation: Easily swap the identity of any request by applying a User Role.
- Granular Control: Edit, toggle, and manage roles directly from the unified dashboard.
⚡ Powerful Replacement Rules
- Flexible Mutations: Modify headers, body parameters, and URL parameters with precision.
- Regex Support: Use regular expressions for complex matching and replacement.
- Role Binding: Link rules to specific User Roles to simulate targeted attacks (e.g., forcing a request to run as "User B" while accessing "User A's" resource).
🔍 Advanced Logging & Analysis
- Three-Way View: Inspect the Original request, the Modified result, and an optional Unauthenticated probe side-by-side.
- Smart Diff: Built-in diff viewer highlights exactly what changed in the request and response.
- Highlight Rules: Define logic (e.g., status codes, body content) to automatically colour-code interesting responses in the log.
🛡 Safe & Efficient Workflow
- Quick Controls: Toggle proxy interception, scope restrictions, and preview modes instantly.
- Safe Mode: Preview changes and calculate diffs without sending modified traffic to the target (Preview in Proxy).
- State Persistence: Automatically saves your configuration, rules, and roles to disk (~/.AuthMutator.json). Integrated Import/Export allows for easy sharing of configurations.
📦 Installation
- Download the Auth Mutator.jar from the assets below.
- Open Burp Suite -> Extensions -> Installed.
- Click Add, select Java as the extension type, and load the JAR file.
Happy Hunting!