Broken Access Control
Users can act outside of their intended permissions, typically leading to unauthorized information disclosure, modification, or destruction of data. The most common forms are:
- IDOR (Insecure Direct Object Reference): the application exposes a direct reference to an internal object (an id, a filename) and does not verify that the requesting user is authorized to access it.
- Weak authorization: sensitive content is not properly protected, for example an admin page gated on a cookie the client can read and rewrite.
- Security through obscurity: sensitive functionality is placed behind paths that are merely unlinked rather than protected by an authorization check.
- File inclusion: file paths or redirect targets are built from URL input, so a user can read system files or be sent to another page.
Some typical examples of this vulnerability follow.

The URL contains an enumeration of internal objects:

```
#It is searching for an object with id=2
http://$url/id/2
#We can assume that id=1 or any other number exists and try to request it
http://$url/id/$number #This could show objects normally hidden from the user
```
The standard robots.txt file could reveal sensitive routes:

```
#Navigate to the file
http://$url/robots.txt
#Example output
User-agent: *
Disallow: /administrator-panel
```
Even where security through obscurity is attempted, the client-side source code can contain hard-coded values such as hidden admin paths:

```html
<script>
var isAdmin = false;
if (isAdmin) {
...
var adminPanelTag = document.createElement('a');
adminPanelTag.setAttribute('href', 'https://$url/admin-yb556');
adminPanelTag.innerText = 'Admin panel';
...
}
</script>
```
It can also be parameter-based, when privileges or roles are controlled by a parameter in the URL or in the request headers and cookies:

```
#On the URL
https://$url/login/?admin=true
#On the request parameters
GET /admin HTTP/2
Host: $host
Cookie: session=$request; Admin=true #Request Parameter
...
```
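The examples above all share one root cause: the server trusts something the client controls (an object id, a path being unknown, an `admin` parameter or cookie) instead of checking authorization on its own data. The following added example, which is not part of the original page, puts the vulnerable pattern beside the hardened one for the IDOR case and for the parameter-based case. The session table, object store and `Request` class are constructed for the demonstration and stand in for whatever framework a real application uses.

```python
"""Server-side authorization checks for the flaws described above:
an ownership check on direct object references (IDOR), and a role check
that derives privileges from the server-side session rather than from a
client-supplied parameter or cookie.

Constructed example: SESSIONS, RECORDS and Request are stand-ins, not a
real application's code.
"""
from dataclasses import dataclass, field

# Constructed server-side session table. Roles live only here; nothing
# the client sends can change them.
SESSIONS = {
    "sess-alice": {"user_id": 1, "role": "user"},
    "sess-bob":   {"user_id": 2, "role": "user"},
    "sess-root":  {"user_id": 9, "role": "admin"},
}

# Constructed object store keyed by the kind of sequential id that
# appears in URLs such as /id/2.
RECORDS = {
    1: {"owner_id": 1, "body": "alice's private note"},
    2: {"owner_id": 2, "body": "bob's private note"},
}


class AccessDenied(Exception):
    """Raised when the caller is not authorized for the requested action."""


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: cookies and query parameters."""
    cookies: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)


def current_user(req: Request) -> dict:
    """Resolve the caller from the session cookie via the server-side table.

    Only the opaque session id is taken from the client; user id and role
    come from SESSIONS. Missing or unknown sessions are rejected.
    """
    session = SESSIONS.get(req.cookies.get("session", ""))
    if session is None:
        raise AccessDenied("no valid session")
    return session


def can_read(user: dict, record: dict) -> bool:
    """Ownership rule: only the owner or an admin may read a record."""
    return record["owner_id"] == user["user_id"] or user["role"] == "admin"


def get_record_vulnerable(req: Request, record_id: int) -> str:
    """IDOR: the object is fetched by id with no check on who owns it."""
    current_user(req)  # authenticated, but never authorized
    return RECORDS[record_id]["body"]


def get_record(req: Request, record_id: int) -> str:
    """Hardened: the object is returned only to a caller can_read allows."""
    user = current_user(req)
    record = RECORDS.get(record_id)
    # Same error for missing and foreign objects, so the response does not
    # confirm that a guessed id exists.
    if record is None or not can_read(user, record):
        raise AccessDenied("not found")
    return record["body"]


def is_admin_vulnerable(req: Request) -> bool:
    """Parameter-based flaw: trusts ?admin=true or an Admin=true cookie."""
    return req.query.get("admin") == "true" or req.cookies.get("Admin") == "true"


def is_admin(req: Request) -> bool:
    """Hardened: the role is read from the server-side session only."""
    return current_user(req)["role"] == "admin"


def admin_panel(req: Request) -> str:
    """Admin route: an unguessable path is no substitute for this check."""
    if not is_admin(req):
        raise AccessDenied("forbidden")
    return "admin panel"


if __name__ == "__main__":
    # Bob's session with the client-side tampering from the page's examples.
    bob = Request(cookies={"session": "sess-bob", "Admin": "true"},
                  query={"admin": "true"})
    print(get_record_vulnerable(bob, 1))   # leaks alice's note
    print(is_admin_vulnerable(bob))        # True: client-controlled role
    print(is_admin(bob))                   # False: server-side role
    try:
        get_record(bob, 1)
    except AccessDenied as err:
        print("denied:", err)
```

The two hardened functions show the check a reviewer should look for on every route that takes an id or grants elevated access: `get_record` compares the object's owner against the user resolved from the session, and `is_admin` never reads the role from the request at all. Returning the same "not found" for missing and foreign ids keeps the response from acting as an oracle for id enumeration.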