Access control vulnerabilities

Access control flaws occur when an application fails to properly restrict access to resources or functionalities based on the user's identity or role. These issues can lead to horizontal or vertical privilege escalation.

🔎 Common Testing Techniques

1. Accessing the Admin Panel

Try visiting /admin, /admin/dashboard, /admin-panel, etc.
If you’re logged in as a regular user and can access it, access control is broken.
Even if blocked, test bypass via headers:

X-Original-URL: /admin

Example:

POST /?userid=1 HTTP/1.1
Host: target.com
X-Original-URL: /admin/deleteUser

2. Modifying HTTP Methods

Some endpoints may enforce access control only for certain HTTP verbs.

Try changing GET to POST, PUT, DELETE, etc.

Example:

DELETE /admin-roles HTTP/2
username=username&action=upgrade

3. Privilege Escalation via Insecure Parameter Handling

If administrators can change user roles and the request isn't properly restricted:

Intercept requests like role upgrades
Modify parameters and replay the request as a normal user

4. Bypassing with `Referer` Header

Some apps use Referer as a weak form of authorization.

Example:

GET /admin-roles?username=wiener&action=upgrade HTTP/1.1
Host: target.web-security-academy.net
Referer: https://target.web-security-academy.net/admin

⚠️ This header is fully user-controlled and should never be trusted for authorization.

5. Hidden Role-Based Parameters

When changing user attributes (name, email, password), intercept the request and look for hidden or backend-only fields.

Example:

jsonCopyEdit{
  "username": "wiener",
  "email": "test@example.com",
  "roleid": 1
}

Try modifying roleid, isAdmin, group, etc.
Append such parameters if not originally included in the request.

6. Information Disclosure via Source or JS Files

Review JavaScript files and source code for:
- Hidden endpoints
- Sensitive roles/flags
- API keys or debug routes

7. Access Control via Cookies

Analyze how the session or role is enforced:

Cookies like isAdmin=true, userType=1, etc.
Tamper and test their effect

9. Fuzzing Parameters for Enumeration

Perform parameter fuzzing to discover:

Hidden user IDs
Privileged accounts
Misconfigured access logic

PreviousBusiness Vulnerabilities NextServer-Side Request Forgery (SSRF)

Last updated 2 months ago

Access control vulnerabilities

🔎 Common Testing Techniques

1. Accessing the Admin Panel

Try visiting /admin, /admin/dashboard, /admin-panel, etc.
If you’re logged in as a regular user and can access it, access control is broken.
Even if blocked, test bypass via headers:

X-Original-URL: /admin

Example:

POST /?userid=1 HTTP/1.1
Host: target.com
X-Original-URL: /admin/deleteUser

2. Modifying HTTP Methods

Some endpoints may enforce access control only for certain HTTP verbs.

Try changing GET to POST, PUT, DELETE, etc.

Example:

DELETE /admin-roles HTTP/2
username=username&action=upgrade

3. Privilege Escalation via Insecure Parameter Handling

If administrators can change user roles and the request isn't properly restricted:

Intercept requests like role upgrades
Modify parameters and replay the request as a normal user

4. Bypassing with `Referer` Header

Some apps use Referer as a weak form of authorization.

Example:

GET /admin-roles?username=wiener&action=upgrade HTTP/1.1
Host: target.web-security-academy.net
Referer: https://target.web-security-academy.net/admin

⚠️ This header is fully user-controlled and should never be trusted for authorization.

5. Hidden Role-Based Parameters

When changing user attributes (name, email, password), intercept the request and look for hidden or backend-only fields.

Example:

jsonCopyEdit{
  "username": "wiener",
  "email": "test@example.com",
  "roleid": 1
}

Try modifying roleid, isAdmin, group, etc.
Append such parameters if not originally included in the request.

6. Information Disclosure via Source or JS Files

Review JavaScript files and source code for:
- Hidden endpoints
- Sensitive roles/flags
- API keys or debug routes

7. Access Control via Cookies

Analyze how the session or role is enforced:

Cookies like isAdmin=true, userType=1, etc.
Tamper and test their effect

9. Fuzzing Parameters for Enumeration

Perform parameter fuzzing to discover:

Hidden user IDs
Privileged accounts
Misconfigured access logic

PreviousBusiness Vulnerabilities NextServer-Side Request Forgery (SSRF)

Last updated 2 months ago

🔎 Common Testing Techniques

1. Accessing the Admin Panel

2. Modifying HTTP Methods

3. Privilege Escalation via Insecure Parameter Handling

4. Bypassing with Referer Header

5. Hidden Role-Based Parameters

6. Information Disclosure via Source or JS Files

7. Access Control via Cookies

9. Fuzzing Parameters for Enumeration

🔎 Common Testing Techniques

1. Accessing the Admin Panel

2. Modifying HTTP Methods

3. Privilege Escalation via Insecure Parameter Handling

4. Bypassing with Referer Header

5. Hidden Role-Based Parameters

6. Information Disclosure via Source or JS Files

7. Access Control via Cookies

9. Fuzzing Parameters for Enumeration

4. Bypassing with `Referer` Header

4. Bypassing with `Referer` Header