Update

README.md

@@ -14,7 +14,7 @@ Authz0 is an automated authorization test tool. Unauthorized access can be ident
 
 URLs and Roles are managed as YAML-based templates, which can be automatically created and added through authz0. You can also test based on multiple authentication headers and cookies with a template file created/generated once.
 
-![authz0](https://user-images.githubusercontent.com/13212227/149623002-5122d9dc-d1de-4453-9002-d5990e2a2965.jpg)
+![authz0-flow](https://user-images.githubusercontent.com/13212227/149649657-99da221e-f3fc-4db3-a802-47efee562cc8.jpg)
 
 ## Usage
 ```

cmd/scan.go

@@ -63,10 +63,10 @@ var scanCmd = &cobra.Command{
 						}
 					}
 				} else {
+					log.Info("assert & role reports")
 					report.PrintTableReport(results, resultFormat)
-					if resultFile != "" {
-						report.WriteYAMLReportToFile(results, resultFile)
-					}
+					log.Info("url indexes")
+					report.PrintTableURLs(results, resultFormat)
 				}
 			}
 		} else {

pkg/models/result.go

@@ -13,4 +13,5 @@ type Result struct {
 	RespSize        int
 	Alias           string
 	Result          string
+	Index           string
 }

pkg/report/report.go

@@ -32,13 +32,13 @@ func WriteYAMLReportToFile(data []models.Result, filename string) {
 
 func PrintTableReport(data []models.Result, t string) {
 	table := tablewriter.NewWriter(os.Stdout)
-	table.SetHeader([]string{"Alias", "Method", "URL", "Code", "Assert", "Role", "Allow-Role", "Deny-Role", "Allow", "Deny", "Result"})
+	table.SetHeader([]string{"", "Alias", "Assert", "Role", "Allow-Role", "Deny-Role", "Allow", "Deny", "Result"})
 	if t == "markdown" {
 		table.SetBorders(tablewriter.Border{Left: true, Top: false, Right: true, Bottom: false})
 		table.SetCenterSeparator("|")
 	}
 	table.SetHeaderColor(
-		nil, nil, nil, nil,
+		nil, nil,
 		tablewriter.Colors{tablewriter.BgCyanColor, tablewriter.FgWhiteColor},
 		nil,
 		tablewriter.Colors{tablewriter.BgCyanColor, tablewriter.FgWhiteColor},
@@ -59,10 +59,8 @@ func PrintTableReport(data []models.Result, t string) {
 			dr = "<NOT-DENIED>"
 		}
 		line := []string{
+			v.Index,
 			v.Alias,
-			v.Method,
-			v.URL,
-			strconv.Itoa(v.StatusCode),
 			strconv.FormatBool(v.Assert),
 			v.RoleName,
 			ar,
@@ -80,17 +78,46 @@ func PrintTableReport(data []models.Result, t string) {
 				tablewriter.Colors{},
 				tablewriter.Colors{},
 				tablewriter.Colors{},
+				tablewriter.Colors{},
+				tablewriter.Colors{},
+				tablewriter.Colors{tablewriter.FgHiRedColor, tablewriter.Bold, tablewriter.BgBlackColor},
+			})
+		} else {
+			table.Append(line)
+		}
+
+	}
+	table.Render()
+}
+
+func PrintTableURLs(data []models.Result, t string) {
+	table := tablewriter.NewWriter(os.Stdout)
+	table.SetHeader([]string{"", "Method", "URL", "CODE"})
+	if t == "markdown" {
+		table.SetBorders(tablewriter.Border{Left: true, Top: false, Right: true, Bottom: false})
+		table.SetCenterSeparator("|")
+	}
+
+	issue := 0
+	for _, v := range data {
+		line := []string{
+			v.Index,
+			v.Method,
+			v.URL,
+			strconv.Itoa(v.StatusCode),
+		}
+		if v.Result == "X" {
+			issue = issue + 1
+			table.Rich(line, []tablewriter.Colors{
 				tablewriter.Colors{},
 				tablewriter.Colors{},
 				tablewriter.Colors{},
 				tablewriter.Colors{},
-				tablewriter.Colors{tablewriter.FgHiRedColor, tablewriter.Bold, tablewriter.BgBlackColor},
 			})
 		} else {
 			table.Append(line)
 		}
 
 	}
-	table.SetCaption(true, "Found "+strconv.Itoa(issue)+" Issue")
 	table.Render()
 }

pkg/scan/scan.go

@@ -104,6 +104,7 @@ func Run(filename string, arguments ScanArguments, debug bool) []models.Result {
 					RespSize:        cl,
 					Alias:           reqURL.Alias,
 					Result:          rlt,
+					Index:           "#" + strconv.Itoa(query.Index),
 				}
 				results = append(results, result)
 				iLog := log.WithField("index", "#"+strconv.Itoa(query.Index))

samples/sample.yaml

@@ -15,7 +15,7 @@ urls:
   - SuperAdmin
   - User
   denyRole: []
-  alias: "Main page"
+  alias: "main"
 - url: https://www.hahwul.com/about/
   method: GET
   contentType: ""
@@ -25,39 +25,92 @@ urls:
   - Admin1
   - SuperAdmin
   denyRole: []
-  alias: "About page"
-- url: https://www.hahwul.com/44444
+  alias: "about"
+- url: https://www.hahwul.com/phoenix/main
   method: GET
   contentType: ""
   body: ""
   allowRole: []
   denyRole:
   - User
-  alias: "Test1"
-- url: https://www.hahwul.com/44
+  alias: "phoenix"
+- url: https://www.hahwul.com/phoenix/csrf/
   method: GET
   contentType: ""
   body: ""
   allowRole: []
   denyRole:
   - User
-  alias: "Test2"
-- url: https://www.hahwul.com/4676664
+  alias: "phoenix > csrf generator"
+- url: https://www.hahwul.com/phoenix/wysiwyg-xss/
   method: GET
   contentType: ""
   body: ""
   allowRole: []
   denyRole:
   - User
-  alias: "Test3"
+  alias: "phoenix > wysiwyg-xss"
 - url: https://www.hahwul.com/archive/
   method: GET
   contentType: ""
   body: ""
   allowRole: []
   denyRole:
   - User
-  alias: "Test4"
+  alias: "archive"
+- url: https://www.hahwul.com/cullinan/main/
+  method: GET
+  contentType: ""
+  body: ""
+  allowRole: []
+  denyRole:
+  alias: "cullinan"
+- url: https://www.hahwul.com/cullinan/xss/
+  method: GET
+  contentType: ""
+  body: ""
+  allowRole: []
+  denyRole:
+  alias: "cullinan > xss"
+- url: https://www.hahwul.com/cullinan/csrf/
+  method: GET
+  contentType: ""
+  body: ""
+  allowRole: []
+  denyRole:
+  alias: "cullinan > csrf"
+- url: https://www.hahwul.com/cullinan/
+  method: GET
+  contentType: ""
+  body: ""
+  allowRole: []
+  denyRole:
+  alias: "cullinan"
+- url: https://www.hahwul.com/cullinan/ffff/
+  method: POST
+  contentType: "json"
+  body: "{\"ccc\":\"aaa\"}"
+  allowRole: [SuperAdmin]
+  denyRole:
+  alias: "cullinan > test func"
+- url: https://www.hahwul.com/cullinan/zzzz/
+  method: PUT
+  contentType: ""
+  body: "asdf=1234"
+  allowRole: 
+  - Admin
+  - SuperAdmin
+  denyRole:
+  - User
+  alias: "cullinan > test func2"
+- url: https://www.hahwul.com/
+  method: GET
+  contentType: ""
+  body: ""
+  allowRole: [SuperAdmin]
+  denyRole:
+  - User
+  alias: "super power func"
 asserts:
 - type: success-status
   value: "200,201,202,204"