Access control vulnerabilities
Access control flaws occur when an application fails to properly restrict access to resources or functionalities based on the user's identity or role. These issues can lead to horizontal or vertical privilege escalation.
🔎 Common Testing Techniques
1. Accessing the Admin Panel
Try visiting /admin, /admin/dashboard, /admin-panel, etc. If you're logged in as a regular user and can access it, access control is broken.
Even if access is blocked, test for bypasses via request headers:
Example:
2. Modifying HTTP Methods
Some endpoints may enforce access control only for certain HTTP verbs.
Try changing GET to POST, PUT, DELETE, etc.
Example:
3. Privilege Escalation via Insecure Parameter Handling
If administrators can change user roles and the request isn't properly restricted on the server side:
Intercept role-change requests, such as a role upgrade
Modify the parameters and replay the request as a normal user
4. Bypassing with Referer Header
Some apps use the Referer header as a weak form of authorization.
Example:
⚠️ This header is fully user-controlled and should never be trusted for authorization.
5. Hidden Role-Based Parameters
When changing user attributes (name, email, password), intercept the request and look for hidden or backend-only fields.
Example:
Try modifying roleid, isAdmin, group, etc. Append such parameters if they were not originally included in the request.
6. Information Disclosure via Source or JS Files
Review JavaScript files and source code for:
Hidden endpoints
Sensitive roles/flags
API keys or debug routes
7. Access Control via Cookies
Analyze how the session or role is enforced:
Cookies like isAdmin=true, userType=1, etc. Tamper with them and test their effect.
9. Fuzzing Parameters for Enumeration
Perform parameter fuzzing to discover:
Hidden user IDs
Privileged accounts
Misconfigured access logic