Horizontal PrivEsc
Horizontal PrivEsc means a user directly accesses another user's sensitive information instead of being limited to their own resources.
For example, if an employee is only supposed to see his own payroll records or documents but still tries to access another employee's details, that is a horizontal privesc.
This type of privesc is similar to the vertical one in that the user reaches another user's content by tampering with the URL:
https://example.com/myaccount=123
We get his API key!
An API key is a unique identifier used to authenticate a user, developer, or calling program to an API.
User ID controlled by Request Parameter
In the given URL, just change the username parameter to carlos and the response will contain his API key, which is the flag.
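The pattern above, shown from the server's side as an added example (not code from the original page): a minimal account endpoint that takes the user from a request parameter, first in its vulnerable form and then with the authorization check that closes the hole. The usernames, API keys and the `Request`/`Response` classes are constructed for this illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: usernames and API keys are stand-ins, not real secrets.
ACCOUNTS = {
    "alice": {"api_key": "ALICE-KEY-0001"},
    "carlos": {"api_key": "CARLOS-KEY-0002"},
}


@dataclass
class Request:
    session_user: str                            # identity the server derived from the session cookie
    params: dict = field(default_factory=dict)   # query-string parameters, e.g. {"id": "carlos"}


@dataclass
class Response:
    status: int
    body: str


def my_account_vulnerable(req: Request) -> Response:
    """Trusts the 'id' parameter: any logged-in user can read any other account."""
    target = req.params.get("id", req.session_user)
    account = ACCOUNTS.get(target)
    if account is None:
        return Response(404, "no such user")
    return Response(200, f"API key: {account['api_key']}")


def my_account_fixed(req: Request) -> Response:
    """Authorizes against the session identity, not the request parameter.

    A mismatch is denied with a generic 403 so the response does not reveal
    whether the requested account exists. Logging the event gives detection
    a signal: a legitimate client never sends an id other than its own.
    """
    target = req.params.get("id", req.session_user)
    if target != req.session_user:
        print(f"AUTHZ_DENIED session_user={req.session_user} requested_id={target}")
        return Response(403, "forbidden")
    return Response(200, f"API key: {ACCOUNTS[req.session_user]['api_key']}")


if __name__ == "__main__":
    probe = Request("alice", {"id": "carlos"})
    print("vulnerable:", my_account_vulnerable(probe))
    print("fixed:     ", my_account_fixed(probe))
```

The simplest fix is to drop the parameter entirely and key the lookup on the session user; the variant above keeps the parameter only so that a mismatch can be logged and alerted on.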
Request Parameter with Unpredictable User IDs
In some applications the exploitable parameter does not have a sequential value; the application might use GLOBALLY UNIQUE IDENTIFIERS (GUIDs) to identify users.
It is tough for an attacker to guess such a user ID, so our only option is to check through the application thoroughly until we find one disclosed elsewhere, such as in user messages or reviews.
Crawl through the application, find another user's ID, and substitute it into the GET request made under our own login.
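An unpredictable ID only slows an attacker down; it is not an authorization check, and once the GUID is known the request looks exactly like the sequential case. The defender's counterpart is to spot it in the logs. The following is an added example (not from the original page): detection logic run over a constructed JSON-lines access log, flagging every request whose `id` parameter is not the GUID the server issued to the authenticated session. The usernames, GUIDs, log format and field names are all constructed for this illustration.

```python
import json
from urllib.parse import parse_qs, urlparse

# Constructed mapping of authenticated username -> that user's GUID, as the
# server itself knows it. The GUIDs are made up for this example.
USER_GUIDS = {
    "alice": "6c1e4a2d-7f3b-4e8a-9b0c-1d2e3f4a5b6c",
    "carlos": "0f9e8d7c-6b5a-4f3e-8d2c-1b0a9f8e7d6c",
}

# Constructed access log in JSON-lines form: who was authenticated (from the
# session), what they requested, and the status the server returned.
SAMPLE_LOG = """\
{"ts":"2024-01-01T10:00:01Z","user":"alice","method":"GET","url":"/my-account?id=6c1e4a2d-7f3b-4e8a-9b0c-1d2e3f4a5b6c","status":200}
{"ts":"2024-01-01T10:00:09Z","user":"alice","method":"GET","url":"/blogs","status":200}
{"ts":"2024-01-01T10:00:15Z","user":"alice","method":"GET","url":"/my-account?id=0f9e8d7c-6b5a-4f3e-8d2c-1b0a9f8e7d6c","status":200}
{"ts":"2024-01-01T10:00:20Z","user":"carlos","method":"GET","url":"/my-account?id=0f9e8d7c-6b5a-4f3e-8d2c-1b0a9f8e7d6c","status":200}
{"ts":"2024-01-01T10:00:31Z","user":"alice","method":"GET","url":"/my-account?id=does-not-exist","status":404}
"""


def find_cross_user_access(log_text: str, user_guids: dict, param: str = "id") -> list:
    """Return log entries where a session requested an account id other than its own.

    The check compares the id in the query string against the GUID the server
    issued to the authenticated user. A 200 on such a request means the
    application actually served another user's data; any other status is still
    an attempt worth recording.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        query = parse_qs(urlparse(entry["url"]).query)
        requested = query.get(param, [None])[0]
        if requested is None:
            continue                        # not an account lookup at all
        own_guid = user_guids.get(entry["user"])
        if requested != own_guid:
            findings.append({
                "ts": entry["ts"],
                "user": entry["user"],
                "requested_id": requested,
                "served": entry["status"] == 200,
            })
    return findings


if __name__ == "__main__":
    for hit in find_cross_user_access(SAMPLE_LOG, USER_GUIDS):
        print(hit)
```

A single flagged request with `served` true is already a confirmed authorization failure in the application, not just suspicious traffic; the same logic works as a regression test against the real handler's log output.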
Request Parameter with Data Leakage in Redirect
Some applications detect when the user is not permitted to access a sensitive resource and then redirect to the login page.
It is mandatory to check the response that carries the redirect, because its body might still contain sensitive information belonging to the targeted user. If it does, the attack is successful.
Check the response body of the redirect for leaked API keys.
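Why the redirect can leak, and how to test for it, as an added example that is not code from the original page: a handler that renders the protected page before deciding to redirect ships the rendered page as the body of the 302, while the fixed handler authorizes first and sends an empty redirect. `redirect_leak_findings` is the check a test harness or proxy would apply to any 3xx response. The `Response` class, account data and the API-key regex are constructed for this illustration.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# Constructed stand-in data; the API key is not a real secret.
ACCOUNTS = {"carlos": {"api_key": "CARLOS-KEY-0002"}}


def render_account(account_id: str) -> str:
    return f"<h1>My account</h1><p>API key: {ACCOUNTS[account_id]['api_key']}</p>"


def account_page_leaky(session_user: str, requested_id: str) -> Response:
    """Renders the page first and only then decides to redirect.

    The 302 and Location header are correct, but the already rendered page
    travels with them as the response body, so a client that does not follow
    the redirect reads the other user's data.
    """
    body = render_account(requested_id)
    if session_user != requested_id:
        return Response(302, {"Location": "/login"}, body)
    return Response(200, {"Content-Type": "text/html"}, body)


def account_page_fixed(session_user: str, requested_id: str) -> Response:
    """Authorizes before rendering and sends a bare redirect with an empty body."""
    if session_user != requested_id:
        return Response(302, {"Location": "/login"}, "")
    return Response(200, {"Content-Type": "text/html"}, render_account(requested_id))


# Pattern for the kind of secret this page is about; extend it for session
# tokens, e-mail addresses or whatever the application's account page shows.
API_KEY_PATTERN = re.compile(r"API key:\s*([A-Za-z0-9_-]+)")


def redirect_leak_findings(resp: Response) -> list:
    """List sensitive fragments carried in the body of a 3xx response.

    A redirect to the login page should have an empty body; anything matched
    here is data that was sent to a user who was just judged unauthorized.
    """
    if not 300 <= resp.status < 400:
        return []
    return API_KEY_PATTERN.findall(resp.body)


if __name__ == "__main__":
    print("leaky:", redirect_leak_findings(account_page_leaky("alice", "carlos")))
    print("fixed:", redirect_leak_findings(account_page_fixed("alice", "carlos")))
```

In a real framework the same defect appears when the authorization check is wired in as a late template hook or when a redirect helper is called after the view has already written output; the test above catches both, because it looks only at what reaches the wire.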