Access control vulnerabilities
Types of access controls
Vertical
Vertical access controls restrict e.g. a normal user from accessing administrative functionality (higher privilege level).
Horizontal
Horizontal access controls ensure that one user cannot access data belonging to another user at the same privilege level.
Context-dependent
Context-dependent access controls ensure that the application is in a valid state for an action, e.g. by preventing a user from modifying their cart or order after payment has been completed.
Vulnerabilities
Vertical privilege escalation
Unprotected functionality
If sensitive functionality is not protected by access controls, anyone can access it as long as they know where to find it.
Check the following places to find "hidden" functionality:
robots.txt
source code (e.g. JavaScript files)
guessing (e.g. /admin) or even brute-forcing using wordlists
Parameter-based access control methods
When an app stores access control decisions in user-controllable locations, such as hidden form fields, cookies or query parameters, you can simply modify them to whatever you like.
E.g.
Platform misconfiguration
Some frameworks support non-standard HTTP headers that overwrite the URL of the original request, such as X-Original-URL or X-Rewrite-URL. These may be used to bypass access restrictions on specific URLs.
Some apps restrict access by HTTP method. If the same action can be performed via a different method (such as GET), you may be able to bypass the restriction this way as well.
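The parameter-based and platform-misconfiguration weaknesses above share one fix: every input to the authorization decision comes from server-side state, the path is normalised before it is checked, and the check runs for every method. The following Python is an added example, not code from the original page or from any particular framework. It uses a constructed request object and session store; the Request class, SESSIONS, ADMIN_PREFIX and dispatch are assumptions. The first handler shows the three weaknesses side by side, the second reads the role from the session, never consults X-Original-URL or X-Rewrite-URL, and applies the same check to all methods.

```python
import posixpath
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Request:
    """Constructed stand-in for a framework request object."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    session_id: Optional[str] = None


# Constructed server-side session store; a real app keeps this in a session backend.
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "user"},
    "sess-carol": {"user": "carol", "role": "admin"},
}
ADMIN_PREFIX = "/admin"
OVERRIDE_HEADERS = ("X-Original-URL", "X-Rewrite-URL")


def dispatch(path: str) -> str:
    """Stand-in router: names the area of the app that ends up serving the path."""
    if path == ADMIN_PREFIX or path.startswith(ADMIN_PREFIX + "/"):
        return "admin-area"
    return "public-area"


def vulnerable_handle(req: Request) -> Tuple[int, str]:
    # Weakness 1: the role is read from client-controlled storage (cookie / hidden field).
    role = req.cookies.get("role") or req.form.get("role") or "user"
    # Weakness 2: the check only runs for GET, so POST /admin/... is never checked.
    # Weakness 3: the check looks at req.path, but routing honours an override header.
    if req.method == "GET" and req.path.startswith(ADMIN_PREFIX) and role != "admin":
        return 403, "denied"
    effective_path = next(
        (req.headers[h] for h in OVERRIDE_HEADERS if h in req.headers), req.path
    )
    return 200, dispatch(effective_path)


def hardened_handle(req: Request) -> Tuple[int, str]:
    # The role comes only from the server-side session bound to the session id.
    session = SESSIONS.get(req.session_id or "")
    role = session["role"] if session else "anonymous"
    # Override headers are never consulted. The path is normalised so that
    # /public/../admin or //admin cannot dodge the prefix comparison.
    path = "/" + posixpath.normpath(req.path).lstrip("/")
    # The same decision applies to every HTTP method.
    area = dispatch(path)
    if area == "admin-area" and role != "admin":
        return 403, "denied"
    return 200, area
```

Ignoring the override headers in application code is the fallback; the framework feature itself should be disabled and the headers stripped at the reverse proxy, so that no later route can reintroduce them.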
Horizontal privilege escalation
Changing user ids (IDOR, see below)
Information leakage (disclosing otherwise unguessable identifiers)
Multi-step processes (sometimes you can simply submit the last step)
Referer-based access controls (Referer can be manipulated by an attacker)
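The context-dependent controls described under "Types of access controls" and the multi-step weakness listed above come down to the same thing: the server must track the order's state itself instead of trusting the sequence in which requests arrive. The following Python is an added example, not code from the original page. It uses a constructed checkout flow with a transition table; Order, State and the step names are assumptions. The first pair of functions records whatever step the client posts and lets items change at any time, the second accepts a step only from the state that precedes it and freezes the order contents once payment has been authorised.

```python
from enum import Enum
from typing import Dict, List, Tuple


class State(Enum):
    CART = "cart"
    ADDRESS_SET = "address_set"
    PAYMENT_AUTHORISED = "payment_authorised"
    COMPLETED = "completed"


# Constructed checkout flow: step name -> (state it may be called from, state it leads to).
TRANSITIONS: Dict[str, Tuple[State, State]] = {
    "set_address": (State.CART, State.ADDRESS_SET),
    "authorise_payment": (State.ADDRESS_SET, State.PAYMENT_AUTHORISED),
    "confirm": (State.PAYMENT_AUTHORISED, State.COMPLETED),
}
# Contents may only change before the payment amount has been authorised.
MUTABLE_STATES = {State.CART, State.ADDRESS_SET}


class Order:
    def __init__(self) -> None:
        self.state = State.CART
        self.items: List[Tuple[str, float]] = []
        self.audit: List[str] = []  # refused attempts, a useful detection signal


def vulnerable_step(order: Order, step: str) -> bool:
    # Records whichever step was posted, assuming the earlier steps already happened,
    # so posting "confirm" on a fresh cart completes the order.
    order.state = TRANSITIONS[step][1]
    return True


def vulnerable_add_item(order: Order, sku: str, price: float) -> bool:
    # No state check: items can still be changed after payment has been authorised.
    order.items.append((sku, price))
    return True


def hardened_step(order: Order, step: str) -> bool:
    """Accept a step only from the state that precedes it; log and refuse otherwise."""
    if step not in TRANSITIONS:
        order.audit.append(f"unknown step {step!r}")
        return False
    required, nxt = TRANSITIONS[step]
    if order.state is not required:
        order.audit.append(f"denied {step} while in {order.state.value}")
        return False
    order.state = nxt
    return True


def hardened_add_item(order: Order, sku: str, price: float) -> bool:
    """Refuse content changes once the order has passed the point of payment."""
    if order.state not in MUTABLE_STATES:
        order.audit.append(f"denied add_item while in {order.state.value}")
        return False
    order.items.append((sku, price))
    return True


def total(order: Order) -> float:
    """Amount the payment step authorises; must not change afterwards."""
    return sum(price for _, price in order.items)
```

The transition table is the whole control: each request names the step it wants, and the server decides from its own record of the order whether that step is reachable. The audit list is where a defender would hook logging, since a client posting steps out of order is rarely accidental.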
Insecure direct object references (IDOR)
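Scoping the lookup to the requesting user is the check that an IDOR is missing. The following Python is an added example, not code from the original page. It uses a constructed in-memory SQLite order table (setup_db, DB and the column names are assumptions) and contrasts a lookup that is parameterised but keyed only on the id with one keyed on id and owner, where the owner comes from the server-side session. Random ids are used for both so that the example also covers the information-leakage entry above: unguessable identifiers make enumeration harder but do not replace the ownership check, because an id can still leak through a shared link, a log or a Referer.

```python
import secrets
import sqlite3
from typing import Optional, Tuple


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory order table standing in for the real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id TEXT PRIMARY KEY, owner TEXT NOT NULL, total REAL NOT NULL)"
    )
    return conn


DB = setup_db()


def create_order(owner: str, total: float) -> str:
    # A random id hinders enumeration, but it is not an access control on its own.
    order_id = secrets.token_urlsafe(16)
    DB.execute("INSERT INTO orders VALUES (?, ?, ?)", (order_id, owner, total))
    return order_id


def vulnerable_get_order(order_id: str) -> Optional[Tuple[str, str, float]]:
    # Parameterised (no SQL injection) but not scoped to the caller:
    # whoever supplies a valid id receives the record, regardless of who owns it.
    return DB.execute(
        "SELECT id, owner, total FROM orders WHERE id = ?", (order_id,)
    ).fetchone()


def hardened_get_order(current_user: str, order_id: str) -> Optional[Tuple[str, str, float]]:
    # Ownership is part of the lookup itself. current_user is the identity from the
    # server-side session, never a request parameter. A foreign id produces the
    # same result as a missing one, so the endpoint is not an existence oracle.
    return DB.execute(
        "SELECT id, owner, total FROM orders WHERE id = ? AND owner = ?",
        (order_id, current_user),
    ).fetchone()


def hardened_update_total(current_user: str, order_id: str, new_total: float) -> bool:
    # Writes get the same scoping; the rowcount tells us whether anything matched.
    cur = DB.execute(
        "UPDATE orders SET total = ? WHERE id = ? AND owner = ?",
        (new_total, order_id, current_user),
    )
    return cur.rowcount == 1
```

Putting the owner column into the WHERE clause, rather than fetching the row and comparing afterwards, means there is no code path that can forget the comparison; the same pattern applies to updates and deletes, where a zero rowcount is the signal to return "not found".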