Broken Access Control
PRACTICE! PRACTICE! PRACTICE!
Vertical Privilege Escalation
Check for /admin and inspect /robots.txt for any Disallow entries.
Check the page source and JS files for hidden endpoints.
Log in as a user, enable response interception, and check the responses for flags such as admin=true.
Check any change/update requests [POST] and tamper with any roleid values in the JSON body.
Check for URL-based access control bypass via the [X-Original-URL: /admin] or [X-Rewrite-URL: /admin] headers.
If any request redirects, especially one carrying a username, check it by substituting the name ["/username?id=akash" to "id=administrator" or "/username?id=carlos"].
Horizontal Privilege Escalation
If another username is known, tamper with the URL by substituting that name.
If the application uses unpredictable user IDs, crawl the application and its source code to find other users' IDs, then tamper with them { ?id= }.
While tampering with the user in the URL, if it redirects to the login or any other page, it is mandatory to check the response body of that redirect, not just the Location header.
IDOR
Log in as a normal user and explore the various tabs. If something can be downloaded, note the GET request and try tampering with it to reach data such as passwords.
Have admin access? Try tampering with the cookies.
If you can download or read messages in a sequential order, try accessing the first number of that sequence.
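The server-side counterpart to the three checklists above: one authorization function that defeats the role-field tampering and X-Original-URL/X-Rewrite-URL tricks from the vertical section, the username/?id= swaps from the horizontal section, and the object-level access from the IDOR section. This is an added example, not code from the original notes; the Request class, SESSIONS store and OWNERS table are constructed stand-ins for a real framework and database.

```python
"""Added example: server-side access control that ignores everything the client
can tamper with (body role fields, override headers, cookies) and decides from
the server-side session plus an ownership table. Session/owner data is constructed."""
from dataclasses import dataclass, field

@dataclass
class Request:
    path: str                                   # path the router actually matched
    headers: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)

# Constructed session store: the ONLY source of identity and role.
SESSIONS = {"sess-akash": {"user": "akash", "role": "user"},
            "sess-admin": {"user": "administrator", "role": "admin"}}
# Constructed ownership table: resource id (numeric or username) -> owner.
OWNERS = {"101": "akash", "102": "carlos", "akash": "akash",
          "carlos": "carlos", "administrator": "administrator"}

ADMIN_PREFIXES = ("/admin",)
OVERRIDE_HEADERS = ("X-Original-URL", "X-Rewrite-URL")
CLIENT_ROLE_FIELDS = ("admin", "roleid")

def authorize(req: Request, session_id: str) -> tuple[bool, str]:
    """Return (allowed, reason). Every denial reason is worth logging for detection."""
    session = SESSIONS.get(session_id)
    if session is None:
        return False, "no valid session"
    role = session["role"]
    # 1. Vertical: role comes from the session, never from admin=true / roleid
    #    in the JSON body. Reject rather than silently ignore so tampering is visible.
    for f in CLIENT_ROLE_FIELDS:
        if f in req.body:
            return False, f"client-supplied role field {f} rejected"
    # 2. Vertical: decide on the routed path only; never honour override headers
    #    (if a trusted edge proxy needs them, strip them there instead).
    for h in OVERRIDE_HEADERS:
        if h in req.headers:
            return False, f"override header {h} rejected"
    if req.path.startswith(ADMIN_PREFIXES) and role != "admin":
        return False, "admin path requires admin role"
    # 3. Horizontal / IDOR: any ?id= must belong to the session user unless admin.
    if "id" in req.query:
        owner = OWNERS.get(str(req.query["id"]))
        if owner is None:
            return False, "unknown object"
        if owner != session["user"] and role != "admin":
            return False, "object owned by another user"
    return True, "allowed"
```

Note that the deny reasons double as detection signals: a spike in "override header" or "client-supplied role field" denials from one session is exactly the tampering the checklist describes.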