Horizontal PrivEsc

Horizontal PrivEsc means a user gains access to the data or functions of another user at the same privilege level, instead of being limited to their own resources.

For example, if an employee is only supposed to see their own payroll records or documents but can view another employee's details, that is a horizontal privesc.

The technique is the same one used for vertical privesc: the user tampers with the parameter in the URL that identifies the account or resource. The difference is the target, which is another user at the same level rather than higher-privileged functionality. For example:

https://example.com/myaccount=123

Changing the user identifier to another user's value returns that user's account page, and with it their API key.

An API key is a unique identifier used to authenticate a user, developer, or calling program to an API.

User ID controlled by Request Parameter

In the given URL, change the user identifier parameter to carlos; the response is carlos's account page containing his API key, which is the flag.
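An added example (not code from these notes or from the lab itself) showing the tampering step and why it works. It assumes a hypothetical query parameter named id and two made-up users, alice and carlos: the vulnerable handler looks up whatever id the request names, while the hardened one binds the record to the authenticated session.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample data (hypothetical users and keys, not from the lab).
USERS = {
    "alice": {"api_key": "alice-key-0001"},
    "carlos": {"api_key": "carlos-key-0002"},
}


def tamper_user_param(url, param, victim):
    """Rewrite the user-identifying query parameter so it names another user."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    if param not in query:
        raise ValueError(f"parameter {param!r} not present in {url}")
    query[param] = victim
    return urlunsplit(parts._replace(query=urlencode(query)))


def my_account_vulnerable(session_user, requested_id):
    """Vulnerable: the record is selected by the request parameter alone.
    The ownership check is missing, so any authenticated user can read
    any other user's API key (horizontal privesc / IDOR)."""
    user = USERS.get(requested_id)
    if user is None:
        return 404, "not found"
    return 200, f"Your API key is: {user['api_key']}"


def my_account_fixed(session_user, requested_id):
    """Hardened: the parameter is only accepted when it matches the
    identity the server already knows from the session."""
    if requested_id != session_user:
        return 403, "forbidden"
    return 200, f"Your API key is: {USERS[session_user]['api_key']}"


if __name__ == "__main__":
    own_url = "https://example.com/my-account?id=alice"
    attack_url = tamper_user_param(own_url, "id", "carlos")
    print("tampered URL:", attack_url)
    # alice is logged in, but asks for carlos's account page
    print("vulnerable:", my_account_vulnerable("alice", "carlos"))
    print("fixed:     ", my_account_fixed("alice", "carlos"))
```

The fixed handler deliberately rejects the request rather than silently serving the caller's own record, so that a mismatch shows up in logs as an access-control violation instead of being masked.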

Request Parameter with Unpredictable User IDs

In some applications the exploitable parameter is not a sequential value; the application might use globally unique identifiers (GUIDs) to identify users.

It is impractical for an attacker to guess such an ID, so the only option is to check the application thoroughly for places where another user's ID is disclosed, for example in user messages, reviews, or the author links on posts.

Crawl through the application, find another user's ID, and substitute it into the GET request for the account page while logged in as our own user.

Request Parameter with Data Leakage in Redirect

Some applications detect when the user is not permitted to access a sensitive resource and redirect them to the login page.

It is mandatory to check the response carrying the redirect, because its body might still contain sensitive information belonging to the targeted user. If it does, the attack is successful even though the browser only ever shows the login page.

Check the response body of the redirect itself (the 3xx response, not the login page it points to) for leaked data such as an API key; capture it in a proxy or disable automatic redirect following in your client.
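An added example (not code from these notes or from the lab) covering the two previous sections: harvesting GUID-style user IDs from page content, and inspecting a raw redirect response for data that should not be there. The page snippet, the raw HTTP response and the "Your API key is:" marker are all constructed for the example; real applications label the secret differently, so adjust the pattern to what the account page actually shows.

```python
import re

# RFC 4122 style GUID, case-insensitive.
GUID_RE = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b",
    re.IGNORECASE,
)
# Hypothetical marker for the secret on the account page (constructed).
API_KEY_RE = re.compile(r"API key is:\s*([A-Za-z0-9_\-]+)", re.IGNORECASE)

# Constructed page content: author links on blog posts expose user IDs.
SAMPLE_BLOG_PAGE = """
<a href="/blogs?userId=3f2a6c1e-9d4b-4c7a-8e2f-1b5d6a7c8e90">carlos</a>
<a href="/blogs?userId=3F2A6C1E-9D4B-4C7A-8E2F-1B5D6A7C8E90">carlos (again)</a>
<a href="/blogs?userId=a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d">alice</a>
"""

# Constructed raw response: the server redirects to /login but has already
# rendered the victim's account page into the body.
SAMPLE_REDIRECT = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /login\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body><p>Your API key is: carlos-key-0002</p></body></html>"
)


def harvest_user_ids(html):
    """Collect GUID-like identifiers from page content, de-duplicated
    case-insensitively and in order of first appearance."""
    found = []
    for guid in GUID_RE.findall(html):
        guid = guid.lower()
        if guid not in found:
            found.append(guid)
    return found


def parse_raw_response(raw):
    """Split a raw HTTP/1.1 response into (status, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def find_leaked_key(raw):
    """Return (status, api_key_or_None). A 3xx status with a key in the body
    is the data-leakage-in-redirect case: the browser would never show it."""
    status, _headers, body = parse_raw_response(raw)
    match = API_KEY_RE.search(body)
    return status, (match.group(1) if match else None)


if __name__ == "__main__":
    for user_id in harvest_user_ids(SAMPLE_BLOG_PAGE):
        print("candidate user id:", user_id)
    status, key = find_leaked_key(SAMPLE_REDIRECT)
    if 300 <= status < 400 and key:
        print(f"redirect ({status}) still leaks the API key: {key}")
```

When driving this with the requests library, pass allow_redirects=False so the 302 response object (with its body) is what you inspect; with automatic following you would only ever see the login page.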
