Access Control

Unprotected admin functionality

Find admin panels using the techniques in the Fingerprinting section.

Parameter-based access control methods

Some applications determine the user's access rights or role at login, and then store this information in a user-controllable location. This could be:

  • A hidden field.

  • A cookie.

  • A preset query string parameter.

The application makes access control decisions based on the submitted value. For example:

https://insecure-website.com/login/home.jsp?admin=true

https://insecure-website.com/login/home.jsp?role=1

Manipulate these values in the request to exploit this vulnerability.

Broken access control resulting from platform misconfiguration

- URL-based access control circumvented

A website may have an unauthenticated admin panel and rely on a front-end system that has been configured to block external access to that path. This can be bypassed if the back-end application is built on a framework that supports the X-Original-URL header.

Request / instead of /admin and add the header X-Original-URL: /invalid. If the response is "not found", the back-end system is processing the URL from the header, and we can send X-Original-URL: /admin instead.

- Method-based access control circumvented

If the application implements access controls based partly on the HTTP method of the request, we can try changing the method from POST to POSTX and observe whether the response changes to "missing parameter".

Then convert the request to the GET method by right-clicking it and selecting "Change request method" in Burp.
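The three weaknesses above (role read from a client-controlled parameter, routing on X-Original-URL, and a check bound to the HTTP method) side by side with a back-end that gets them right. This is an added illustration, not code from the original notes; the Request class, the SESSIONS store and the sid-* values are constructed for the example, and the host insecure-website.com is the one used on this page.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed server-side session store (session id -> role). The role is set
# at login and never handed to the client, so the client cannot rewrite it.
SESSIONS = {"sid-alice": "user", "sid-bob": "admin"}


@dataclass
class Request:
    method: str
    url: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def edge_blocks(req: Request) -> bool:
    """Front-end rule: deny the literal /admin path and nothing else."""
    return urlsplit(req.url).path.startswith("/admin")


def insecure_backend(req: Request) -> tuple:
    """Route taken from X-Original-URL, role taken from the query string,
    and the check only run for POST. Returns (path actually served, allowed)."""
    parts = urlsplit(req.url)
    served = req.headers.get("X-Original-URL", parts.path)   # header rewrites the route
    qs = parse_qs(parts.query)
    client_says_admin = qs.get("admin") == ["true"] or qs.get("role") == ["1"]
    if served.startswith("/admin") and req.method == "POST":
        return served, client_says_admin              # client-supplied role is trusted
    return served, True                               # GET (or POSTX) skips the check


def hardened_backend(req: Request) -> tuple:
    """Route from the request line only, role from the server-side session,
    and the same rule applied whatever the HTTP method is."""
    served = urlsplit(req.url).path                   # override headers are ignored
    role = SESSIONS.get(req.cookies.get("session"), "anonymous")
    if served.startswith("/admin"):
        return served, role == "admin"
    return served, role != "anonymous"


def handle(req: Request, backend) -> tuple:
    """Full stack: the edge filter first, then the chosen back-end."""
    if edge_blocks(req):
        return urlsplit(req.url).path, False
    return backend(req)
```

With the insecure back-end, a GET to / carrying X-Original-URL: /admin is served as /admin even though the edge filter never saw that path; the hardened back-end serves / and denies the anonymous caller.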

Insecure direct object references (IDOR)

IDORs occur if an application uses user-supplied input to access objects directly and an attacker can modify the input to obtain unauthorized access.

Review the URLs used when performing actions in the application. If, for example, saved text files are given filenames containing an incrementing number, those numbers can then be manipulated.
