Access control vulnerabilities

Access control flaws occur when an application fails to properly restrict access to resources or functionalities based on the user's identity or role. These issues can lead to horizontal or vertical privilege escalation.


🔎 Common Testing Techniques

1. Accessing the Admin Panel

  • Try visiting /admin, /admin/dashboard, /admin-panel, etc.

  • If you’re logged in as a regular user and can access it, access control is broken.

  • Even if blocked, test bypass via headers:

X-Original-URL: /admin

Example:

POST /?userid=1 HTTP/1.1
Host: target.com
X-Original-URL: /admin/deleteUser
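The request above only works when the front end checks the URL in the request line while the backend routes on the override header. The following Python model is an added example, not code from the original page; the `Request` class, the proxy rule in `front_end_allows` and the two backend routers are constructed to show the gap and the fix.

```python
# Added example (not from the original page): a front-end path check that is
# bypassed by X-Original-URL, beside a backend that re-checks the effective URL.
from dataclasses import dataclass, field

ADMIN_PREFIX = "/admin"
# Override headers that some frameworks honour for routing (constructed list
# for this example; X-Original-URL is the one shown on the page).
OVERRIDE_HEADERS = ("X-Original-URL", "X-Rewrite-URL")


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    role: str = "user"  # resolved from the server-side session, never from the request


def front_end_allows(req: Request) -> bool:
    """Constructed reverse-proxy rule: /admin* only for admins, keyed on the
    request-line path only."""
    if req.path.startswith(ADMIN_PREFIX):
        return req.role == "admin"
    return True


def backend_route_vulnerable(req: Request) -> str:
    """The proxy checked req.path, but the handler is chosen by the header."""
    if not front_end_allows(req):
        return "403 blocked at front end"
    effective = req.headers.get("X-Original-URL", req.path)
    return f"200 {effective}"


def backend_route_fixed(req: Request) -> str:
    """Fix: resolve the effective URL first, then authorize *that* URL at the
    backend, so the decision cannot be separated from the handler that runs."""
    if not front_end_allows(req):
        return "403 blocked at front end"
    effective = req.headers.get("X-Original-URL", req.path)
    if effective.startswith(ADMIN_PREFIX) and req.role != "admin":
        return "403 blocked at backend"
    return f"200 {effective}"


def strip_client_overrides(headers: dict) -> dict:
    """Complementary fix at the edge: drop override headers that arrive from
    clients, so only the trusted proxy can ever set them."""
    return {k: v for k, v in headers.items() if k not in OVERRIDE_HEADERS}
```

Defence in depth is to do both: strip the override headers at the edge and enforce authorization in the backend on the URL it actually dispatches, not on the one a proxy happened to inspect.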

2. Modifying HTTP Methods

Some endpoints may enforce access control only for certain HTTP verbs.

  • Try changing GET to POST, PUT, DELETE, etc.

Example:

DELETE /admin-roles HTTP/2
username=username&action=upgrade
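The verb-switch works when the authorization check is written inside one handler instead of being attached to the resource. The dispatcher below is an added example, not code from the original page; the route tables, `change_role` handler and status strings are constructed to contrast the two designs.

```python
# Added example (not from the original page): a per-handler check that covers
# only GET, beside a resource-level policy enforced for every HTTP method.


def require_role(role: str, required: str) -> None:
    if role != required:
        raise PermissionError(f"{required} role required")


def change_role(params: dict) -> str:
    # Constructed handler for the /admin-roles resource.
    return f"{params['action']}: {params['username']}"


def get_admin_roles(role: str, params: dict) -> str:
    require_role(role, "admin")  # the only place the check was written
    return change_role(params)


def other_admin_roles(role: str, params: dict) -> str:
    return change_role(params)  # POST/PUT/DELETE reach the same logic unguarded


ROUTES_VULNERABLE = {
    ("GET", "/admin-roles"): get_admin_roles,
    ("POST", "/admin-roles"): other_admin_roles,
    ("PUT", "/admin-roles"): other_admin_roles,
    ("DELETE", "/admin-roles"): other_admin_roles,
}


def dispatch_vulnerable(method: str, path: str, role: str, params: dict) -> str:
    handler = ROUTES_VULNERABLE.get((method, path))
    if handler is None:
        return "404"
    try:
        return handler(role, params)
    except PermissionError:
        return "403"


# Fixed: the policy belongs to the resource, and the dispatcher enforces it
# before any handler is selected, so no verb can reach the logic unchecked.
RESOURCE_POLICY = {"/admin-roles": "admin"}
HANDLERS_FIXED = {
    ("GET", "/admin-roles"): change_role,
    ("POST", "/admin-roles"): change_role,
}


def dispatch_fixed(method: str, path: str, role: str, params: dict) -> str:
    required = RESOURCE_POLICY.get(path)
    if required is not None:
        try:
            require_role(role, required)
        except PermissionError:
            return "403"
    handler = HANDLERS_FIXED.get((method, path))
    if handler is None:
        # Known resource, unsupported verb: reject instead of falling through.
        return "405" if path in RESOURCE_POLICY else "404"
    return handler(params)
```

Note that the fixed dispatcher also answers 405 for verbs the resource does not implement; an unexpected method should never be silently mapped onto an existing handler.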

3. Privilege Escalation via Insecure Parameter Handling

If administrators can change user roles and the request isn't properly restricted:

  • Intercept requests like role upgrades

  • Modify parameters and replay the request as a normal user


4. Bypassing with Referer Header

Some apps use Referer as a weak form of authorization.

Example:

GET /admin-roles?username=wiener&action=upgrade HTTP/1.1
Host: target.web-security-academy.net
Referer: https://target.web-security-academy.net/admin

⚠️ This header is fully user-controlled and should never be trusted for authorization.
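To make the point concrete, here is an added Python example (not from the original page) that puts a Referer-based gate beside a session-based one and adds the check a defender would log on. The `SESSIONS` table and token names are constructed; `ADMIN_PAGE` reuses the URL from the request above.

```python
# Added example (not from the original page): Referer is client-controlled, so
# any request can carry it; the role must come from server-side session state.
ADMIN_PAGE = "https://target.web-security-academy.net/admin"

# Constructed server-side session table: session token -> role.
SESSIONS = {"tok-admin": "admin", "tok-wiener": "user"}


def referer_gate(headers: dict) -> bool:
    """Weak check: assumes the request must have come from the admin page."""
    return headers.get("Referer", "").startswith(ADMIN_PAGE)


def session_gate(cookies: dict) -> bool:
    """Sound check: the role is looked up from the session, not the request."""
    return SESSIONS.get(cookies.get("session")) == "admin"


def weak_check(headers: dict, cookies: dict) -> bool:
    return referer_gate(headers)


def sound_check(headers: dict, cookies: dict) -> bool:
    return session_gate(cookies)


def handle_role_change(headers: dict, cookies: dict, check) -> str:
    return "upgraded" if check(headers, cookies) else "403"


def referer_mismatch(headers: dict, cookies: dict) -> bool:
    """Detection signal: the Referer claims the admin page but the session
    behind the request is not an admin. Worth logging and alerting on."""
    return referer_gate(headers) and not session_gate(cookies)
```

The same Referer value that satisfies `referer_gate` is rejected by `session_gate`, and the mismatch between the two is itself a useful indicator in access logs.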


5. Hidden Role-Based Parameters

When changing user attributes (name, email, password), intercept the request and look for hidden or backend-only fields.

Example:

{
  "username": "wiener",
  "email": "test@example.com",
  "roleid": 1
}

  • Try modifying roleid, isAdmin, group, etc.

  • Append such parameters if not originally included in the request.
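Sections 3 and 5 describe the same server-side defect: the handler binds whatever fields arrive and never asks who the caller is. The update handler below is an added example, not code from the original page; the field allowlists, the `WIENER` record and the `try_update` wrapper are constructed, while `BODY` reuses the JSON shown above.

```python
# Added example (not from the original page): mass assignment of role fields,
# beside an update handler that allowlists fields and checks the actor.
import json

USER_EDITABLE = {"username", "email", "password"}  # a user may set these on own record
ADMIN_ONLY = {"roleid", "isAdmin", "group"}         # only an admin may set these

WIENER = {"username": "wiener", "email": "wiener@example.com", "roleid": 2}  # constructed
BODY = '{"username": "wiener", "email": "test@example.com", "roleid": 1}'


def apply_update_vulnerable(record: dict, body: str) -> dict:
    """Binds every submitted field onto the stored record, so an appended
    roleid (or a replayed admin request) is honoured as-is."""
    updated = dict(record)
    updated.update(json.loads(body))
    return updated


def apply_update_fixed(actor_role: str, actor_name: str, record: dict, body: str) -> dict:
    """actor_role/actor_name come from the session of the caller, not the body."""
    # Horizontal check: only the owner or an admin may touch this record.
    if actor_role != "admin" and actor_name != record["username"]:
        raise PermissionError("may only edit own record")
    payload = json.loads(body)
    unknown = set(payload) - USER_EDITABLE - ADMIN_ONLY
    if unknown:
        raise ValueError(f"unknown fields rejected: {sorted(unknown)}")
    # Vertical check: privileged fields need the admin role on the *actor*.
    privileged = set(payload) & ADMIN_ONLY
    if privileged and actor_role != "admin":
        raise PermissionError(f"admin role required to set {sorted(privileged)}")
    updated = dict(record)
    updated.update(payload)
    return updated


def try_update(actor_role: str, actor_name: str, record: dict, body: str) -> str:
    """Small wrapper that turns the outcome into a string for inspection."""
    try:
        apply_update_fixed(actor_role, actor_name, record, body)
        return "ok"
    except PermissionError:
        return "denied"
    except ValueError:
        return "rejected"
```

Rejecting unknown fields outright (rather than ignoring them) is deliberate: it surfaces probing in the application logs instead of silently discarding it.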


6. Information Disclosure via Source or JS Files

  • Review JavaScript files and source code for:

    • Hidden endpoints

    • Sensitive roles/flags

    • API keys or debug routes
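The same review can be run by the defending team before a bundle ships. The scanner below is an added example, not code from the original page; `SAMPLE_BUNDLE` is a constructed fragment of front-end JavaScript and the patterns are deliberately simple heuristics for the three items in the list above.

```python
# Added example (not from the original page): a pre-release lint over a
# shipped JavaScript bundle for admin/debug routes, role flags and embedded keys.
import re

SAMPLE_BUNDLE = r"""
// constructed sample of a built front-end bundle
const routes = {home: "/", profile: "/my-account", adminUsers: "/admin/users", debug: "/debug/env"};
const API_KEY = "sk_live_EXAMPLE_0123456789";
function render(user) { if (user.isAdmin) { showPanel(); } }
"""

# Each pattern's last group is the value to report.
PATTERNS = {
    "admin_route": re.compile(r'["\'](/admin[^"\']*)["\']'),
    "debug_route": re.compile(r'["\'](/(?:debug|internal)[^"\']*)["\']'),
    "role_flag": re.compile(r'\b(isAdmin|roleid|userType)\b'),
    "api_key": re.compile(r'(?i)\b(api[_-]?key|secret|token)\s*[:=]\s*["\']([^"\']{8,})["\']'),
}


def scan_bundle(text: str) -> dict:
    """Return {category: sorted unique findings} for the bundle text."""
    findings = {}
    for name, pattern in PATTERNS.items():
        hits = {m.group(m.lastindex) for m in pattern.finditer(text)}
        findings[name] = sorted(hits)
    return findings


def bundle_is_clean(text: str) -> bool:
    """Gate for a CI step: fail the build if anything was found."""
    return not any(scan_bundle(text).values())
```

A hit for a role flag is not a vulnerability by itself, but it tells the reviewer exactly which server-side decisions must be verified, since the client code already reveals which field the application keys on.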


7. Access Control via Cookies

Analyze how the session or role is enforced:

  • Cookies like isAdmin=true, userType=1, etc.

  • Tamper and test their effect
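A cookie that states the role in plaintext is trusted on read; the fix is either a server-side session lookup or a cookie whose value is bound to a server-held key. The HMAC-signed cookie below is an added example, not code from the original page; `SECRET`, the cookie names and the `role` value are constructed.

```python
# Added example (not from the original page): a plaintext role cookie beside
# an HMAC-signed one that fails verification when tampered with.
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-key-do-not-reuse"  # real deployments keep this out of source


def is_admin_vulnerable(cookies: dict) -> bool:
    """Anything the client sends is believed."""
    return cookies.get("isAdmin") == "true"


def sign(value: str) -> str:
    """value.<base64url(HMAC-SHA256(secret, value))>"""
    mac = hmac.new(SECRET, value.encode(), hashlib.sha256).digest()
    return f"{value}.{base64.urlsafe_b64encode(mac).decode().rstrip('=')}"


def verify(cookie: str):
    """Return the signed value, or None if the signature is missing or wrong."""
    value, sep, _ = cookie.rpartition(".")
    if not sep:
        return None
    # Constant-time comparison against a freshly computed signature.
    return value if hmac.compare_digest(sign(value), cookie) else None


def is_admin_fixed(cookies: dict) -> bool:
    return verify(cookies.get("role", "")) == "admin"
```

Signing stops tampering but not replay or theft of a valid admin cookie; a server-side session store that maps an opaque token to a role avoids putting the role in the cookie at all, and either way the role should be re-read from the server on every privileged request.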


8. Fuzzing Parameters for Enumeration

Perform parameter fuzzing to discover:

  • Hidden user IDs

  • Privileged accounts

  • Misconfigured access logic
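From the defending side, this activity has a recognisable shape in access logs: one session sweeping many values of an ID parameter, usually with a run of 403s. The detector below is an added example, not code from the original page; `LOG_LINES` are constructed in a simplified one-line-per-request format and the thresholds are illustrative.

```python
# Added example (not from the original page): flag sessions that sweep an
# ID-like parameter or accumulate denials, over constructed access-log lines.
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed log format: <timestamp> <client ip> sess=<token> <method> <url> <status>
LOG_LINES = """\
2025-01-01T10:00:01Z 10.0.0.5 sess=abc GET /my-account?id=101 200
2025-01-01T10:00:02Z 10.0.0.5 sess=abc GET /my-account?id=102 403
2025-01-01T10:00:02Z 10.0.0.5 sess=abc GET /my-account?id=103 403
2025-01-01T10:00:03Z 10.0.0.5 sess=abc GET /my-account?id=104 403
2025-01-01T10:00:03Z 10.0.0.5 sess=abc GET /my-account?id=105 403
2025-01-01T10:00:04Z 10.0.0.5 sess=abc GET /my-account?id=106 200
2025-01-01T10:00:05Z 10.0.0.9 sess=xyz GET /my-account?id=201 200
2025-01-01T10:00:06Z 10.0.0.9 sess=xyz GET /my-account?id=201 200
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) sess=(?P<sess>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)
ID_PARAMS = {"id", "userid", "user_id", "uid", "account"}  # names worth watching


def parse_line(line: str):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def session_stats(lines) -> dict:
    """Per session: distinct ID values seen, denied responses, total requests."""
    stats = defaultdict(lambda: {"ids": set(), "denied": 0, "total": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["sess"]]
        s["total"] += 1
        if rec["status"] in ("403", "404"):
            s["denied"] += 1
        for name, values in parse_qs(urlsplit(rec["url"]).query).items():
            if name.lower() in ID_PARAMS:
                s["ids"].update(values)
    return stats


def flag_enumeration(lines, min_distinct: int = 5, min_denied_ratio: float = 0.5) -> list:
    """Sessions that either sweep many IDs or are mostly being denied."""
    flagged = []
    for sess, s in session_stats(lines).items():
        ratio = s["denied"] / s["total"] if s["total"] else 0.0
        if len(s["ids"]) >= min_distinct or ratio >= min_denied_ratio:
            flagged.append(sess)
    return sorted(flagged)
```

The line to look at hardest in a flagged session is a 200 that follows a run of 403s (id=106 above): that is the value the access check did not cover, and it deserves the same attention as a confirmed IDOR.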
