Broken Access Control

PRACTICE ! PRACTICE ! PRACTICE !

Vertical Privilege Escalation

  • Check for /admin , /robots.txt for any disallows.

  • Check Page's Source and JS files for some hidden endpoints.

  • Login as a user [Enable Response Interception] and check for admin=true.

  • Check for any changes/updation [POST], and tamper any roleid's in the JSON Context.

  • Check for URL-Based access control [X-Original-URL: /admin] | [X-Rewrite-URL: /admin].

  • If anything redirects to anything, especially with a user name check ["/username?id=akash" to "id=administrator" or "/username?id=carlos"].

Horizontal Privilege Escalation

  • If an other username is known - tamper the URL by his name

  • If the application gives unpredictable user id then search for the other user id crawling through application/source code and find thier user id, tamper it { ?id= }

  • While tampering the user in our URL and if its redirects to login or any page - Mandatory to check the response body of that redirect URL

IDOR

  • Login as a normal user and explore various tabs, If we could download something try noticing the GET request and try to tamper it to get any passwords.

  • Have admin access? Try tampering the cookies

  • Can download or read a sequential order of messages, try to access the first number of that order.

PreviousBuffer OverflowNextLocal File Inclusion

Last updated