Access control vulnerabilities

Types of access controls

Vertical access controls restrict, for example, a normal user from accessing administrative functionality (a higher privilege level).

Horizontal access controls ensure that one user cannot access data belonging to another user (the same privilege level).

Context-dependent access controls ensure a valid application state, e.g. by preventing a user from modifying their cart/order after payment has been completed.


Vertical privilege escalation

Unprotected functionality

If sensitive functionality is not protected, you can access it directly, as long as you know where to find it.

Check the following places to find "hidden" functionality:

  • robots.txt

  • source code (e.g. JavaScript files)

  • guessing (e.g. /admin) or even brute-forcing using wordlists

Parameter-based access control methods

When an app makes access decisions based on user-controllable locations, such as hidden form fields, cookies, or query parameters, you can simply modify them, e.g.:

Cookie: isAdmin=true;

Platform misconfiguration

  • Some frameworks support non-standard HTTP headers that override the URL of the original request, such as X-Original-URL or X-Rewrite-URL. This may be used to bypass access restrictions on specific URLs.

  • Some apps restrict access per HTTP method. If the same action is also accepted via a different method (e.g. GET instead of POST), you may be able to bypass the restriction that way as well.

Horizontal privilege escalation

  • Changing user ids (IDOR, see below)

  • Information leakage (disclosing otherwise unguessable identifiers)

  • Multi-step processes (sometimes you can just submit the last step)

  • Referer-based access controls (Referer can be manipulated by an attacker)
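As an added example (not part of these notes), a toy Python authorization layer that puts the parameter-based flaw from above next to its server-side fix, and adds the horizontal (ownership) and context-dependent (order state) checks. The session store, users and orders are constructed sample data; the function names are assumptions.

```python
# Added example, not from the original notes: minimal access-control checks
# for a web app, with client-controlled data never used for authorization.
from dataclasses import dataclass, field

# Constructed server-side state: session id -> user id, users' roles, orders.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob", "sess-carol": "carol"}
USERS = {"alice": {"role": "user"}, "bob": {"role": "user"}, "carol": {"role": "admin"}}
ORDERS = {"order-1": {"owner": "alice", "paid": False},
          "order-2": {"owner": "bob", "paid": True}}


@dataclass
class Request:
    cookies: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


def is_admin_vulnerable(req):
    # Parameter-based control: trusts a client-controlled cookie, so
    # "Cookie: isAdmin=true" is enough to be treated as an administrator.
    return req.cookies.get("isAdmin") == "true"


def current_user(req):
    # Identity comes only from the server-side session lookup,
    # never from a cookie value, form field or query parameter.
    return SESSIONS.get(req.cookies.get("session"))


def is_admin_fixed(req):
    # Vertical check: role is read from server-side state for the session user.
    user = current_user(req)
    return user is not None and USERS[user]["role"] == "admin"


def can_edit_order(req, order_id):
    """Horizontal + context-dependent check for modifying an order."""
    user = current_user(req)
    order = ORDERS.get(order_id)
    if user is None or order is None:
        return False
    if order["owner"] != user:   # horizontal: order belongs to someone else (IDOR)
        return False
    if order["paid"]:            # context-dependent: state no longer allows edits
        return False
    return True
```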

Insecure direct object references (IDOR)
