# Access control vulnerabilities

* [PortSwigger - Web Security Academy - Access control vulnerabilities and privilege escalation](https://portswigger.net/web-security/access-control)

## Types of access controls

### Vertical

Vertical access controls restrict functionality by privilege level, e.g. preventing a normal user from accessing administrative functionality.

### Horizontal

Horizontal access controls ensure that one user cannot access data belonging to another user at the same privilege level.

### Context-dependent

Context-dependent access controls enforce a valid application state, e.g. by preventing a user from modifying their cart or order after payment has been completed.

## Vulnerabilities

### Vertical privilege escalation

#### Unprotected functionality

If sensitive functionality is not protected at all, anyone who knows where to find it can access it directly.

Check the following places to find "hidden" functionality:

* robots.txt
* source code (e.g. JavaScript files)
* guessing (e.g. `/admin`) or even brute-forcing using wordlists

#### Parameter-based access control methods

When an app stores access-control decisions in user-controllable locations, such as hidden form fields, cookies, or query parameters, the client effectively decides its own privilege level and can modify these values at will.

E.g.

```url
https://website.com/login.php?admin=true
```

```http
Cookie: isAdmin=true;
```

#### Platform misconfiguration

* Some frameworks support non-standard HTTP headers that override the URL of the original request, such as `X-Original-URL` or `X-Rewrite-URL`.\
  If a front-end component restricts access based on the URL it sees while the back-end routes on the header value, this may be used to bypass restrictions on specific URLs.
* Some apps restrict access only for particular HTTP methods. If the same action is also accepted via a different method (like GET instead of POST), the restriction may be bypassed as well.

### Horizontal privilege escalation

* Changing user or object ids (IDOR, see below)
* Information leakage (disclosing otherwise unguessable identifiers, e.g. in error messages or other pages)
* Multi-step processes (access control enforced on early steps but not on the final one, so the last request can be submitted directly)
* Referer-based access controls (the Referer header is fully client-controlled)
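As an added defender-side example (not from the original page or the PortSwigger material), the following Python sketch shows the server-side checks that close the gaps listed in the parameter-based, platform-misconfiguration and horizontal sections above: identity from a server-side session, authorization on the requested path rather than an override header, the same role check for every HTTP method, and an ownership check on object ids. The session store, order table and `Request` type are constructed stand-ins for a framework's own.

```python
from dataclasses import dataclass, field

# Constructed sample data: sessions live on the server, so a client cannot
# change its role by editing a cookie or a query parameter.
SESSIONS = {
    "sess-alice": {"user_id": 1, "role": "user"},
    "sess-root": {"user_id": 99, "role": "admin"},
}
# Constructed sample data: order ownership for the horizontal check.
ORDERS = {1001: {"owner": 1}, 1002: {"owner": 2}}


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def effective_path(req: Request) -> str:
    """Authorize the path that was actually requested. A framework that
    honors X-Original-URL / X-Rewrite-URL would route elsewhere; strip
    those headers at the edge and never consult them here."""
    return req.path


def authorize(req: Request) -> tuple[int, str]:
    """Return (status, reason), deciding only on server-side facts."""
    # Identity: server-side session only. ?admin=true and Cookie: isAdmin=true
    # are ignored because the client fully controls them.
    session = SESSIONS.get(req.cookies.get("session", ""))
    if session is None:
        return 401, "no valid session"
    path = effective_path(req)
    # Vertical: the admin area needs the admin role for every HTTP method,
    # so swapping GET for POST (or vice versa) does not bypass it.
    if path.startswith("/admin"):
        return (200, "ok") if session["role"] == "admin" else (403, "admin role required")
    # Horizontal: an order is visible only to its owner, however the id was
    # obtained. A foreign order gets the same 404 as a missing one.
    if path.startswith("/orders/"):
        try:
            order = ORDERS[int(path.rsplit("/", 1)[1])]
        except (KeyError, ValueError):
            return 404, "no such order"
        if order["owner"] != session["user_id"]:
            return 404, "no such order"
        return 200, "ok"
    return 200, "ok"
```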

### Insecure direct object references (IDOR)

* [PortSwigger - Web Security Academy - Insecure direct object references (IDOR)](https://portswigger.net/web-security/access-control/idor)
