Post

Access Control Vulnerabilities

Posted Updated
By Shervoni
6 min read
Access Control Vulnerabilities

Understanding Access Control Vulnerabilities

Access control vulnerabilities occur when a web application fails to enforce proper restrictions on user actions or resources. This enables attackers to escalate privileges, access unauthorized data, or misuse sensitive functionality. These flaws are often critical and easy to exploit, making them a high-priority focus in security assessments.

Vertical Privilege Escalation

  • What is it?
    Users with lower privileges (e.g., regular users) gain access to higher-privileged functions meant for admins or other roles.
  • How to find it:
    Look for restricted admin URLs or functionalities. Test if accessing these directly bypasses role checks.
    • Example:
      Admin page /admin.
      Test this URL while logged in as a regular user. If accessible, privilege checks are missing.
    • Common clues:
      Admin URLs linked in hidden parts of the website, JavaScript files, or response bodies.

Horizontal Privilege Escalation

  • What is it?
    One user gains access to resources or data belonging to another user of the same privilege level.
  • How to find it:
    Test parameters that identify user-specific data, like id, user, account. Modify these values to simulate accessing another user’s data.
    • Example:
      Original request:
      GET /account?id=123.
      Modify to:
      GET /account?id=456.
      If this displays another user’s account, it indicates a horizontal privilege escalation vulnerability.
    • Tips:
      Check for references to other users’ identifiers in responses or page elements, like message threads or comments.

Unprotected Functionality

  • What is it?
    Sensitive functionalities (e.g., admin panels, debugging tools) are accessible without proper authentication or authorization checks.
  • How to find it:
    • Scan for sensitive endpoints like /admin, /config, or /debug.
    • Use the robots.txt file or wordlists to find hidden paths.
    • Example:
      Admin page /admin accessible directly by any logged-in or even unauthenticated user.

Parameter-Based Role Control

  • What is it?
    User roles or privileges are stored in modifiable parameters like cookies, hidden fields, or query strings.
  • How to find it:
    • Inspect request parameters for role identifiers like ?role=user or role=0. Modify these values to escalate privileges.
    • Example:
      URL:
      https://example.com/dashboard?role=user.
      Change to:
      https://example.com/dashboard?role=admin.
      If access changes, this indicates broken access control.

Insecure Direct Object References (IDOR)

  • What is it?
    User input directly references objects (files, accounts, or records), and the application does not validate ownership or permissions.
  • How to find it:
    • Test sequential or predictable values in request parameters like id, file, or account.
    • Example:
      Request:
      GET /file?id=10.
      Modify to:
      GET /file?id=11.
      If you access another file, it’s an IDOR vulnerability.
    • Pro tip: Look for object references in cookies, query strings, or POST body parameters.

Multi-Step Workflows

  • What is it?
    Functions are split across multiple steps (e.g., load form → submit → confirm), but some steps lack proper access control.
  • How to find it:
    Skip earlier steps and directly call final actions using parameters from intercepted requests.
    • Example:
      A user update process has three steps:
      • Step 1: Load user details (/update-user?id=123).
      • Step 2: Submit changes (/submit-changes).
      • Step 3: Confirm changes (/confirm-update).
        Test skipping steps 1 and 2 by directly accessing /confirm-update.

HTTP Method Abuse

  • What is it?
    Access control rules are applied to specific HTTP methods (e.g., POST), but other methods (e.g., GET, PUT) are overlooked.
  • How to find it:
    Test restricted actions with alternate methods.
    • Example:
      Original request:
      POST /deleteUser.
      Test using:
      GET /deleteUser.
      If the action succeeds, it’s a method-based access control issue.

Referer-Based Access Control

  • What is it?
    The application checks the Referer header to decide access permissions. Since this header can be easily spoofed, it’s insecure.
  • How to find it:
    Modify the Referer header in intercepted requests to simulate coming from a legitimate source.
    • Example:
      Change the Referer header to https://example.com/admin to access sub-pages like /admin/deleteUser.

Location-Based Controls

  • What is it?
    Access is restricted based on geographical location using IP-based rules, geolocation, or client-side mechanisms.
  • How to find it:
    • Use a VPN or proxy to test from different regions.
    • Manipulate geolocation data in client-side APIs or browser settings.

URL-Matching Discrepancies

  • What is it?
    Applications misinterpret URLs due to inconsistent handling of case sensitivity, trailing slashes, or suffix patterns.
  • How to find it:
    • Test variations of restricted URLs with changes like:
      • /ADMIN/deleteUser (case variation).
      • /admin/deleteUser/ (trailing slash).
      • /admin/deleteUser.anything (suffix pattern).
    • Example:
      A restricted /admin/deleteUser might also allow access via /ADMIN/DELETEUSER or /admin/deleteUser.anything.

Horizontal to Vertical Privilege Escalation

  • What is it?
    Exploit horizontal privilege escalation to target privileged users and gain admin-level access.
  • How to find it:
    • Target admin user accounts through IDOR or session hijacking.
    • Example: Use id=123 to access an admin page and steal credentials or reset passwords.

Notes from Videos on Access Control Vulnerabilities

Types of Access Control

  1. Role-Based Access Control (RBAC)
    Access is determined by predefined roles assigned to users.
    • Example: An admin role can access user management features, while a guest role cannot.
    • Context: Common in e-commerce, SaaS platforms, or internal corporate tools.
  2. Discretionary Access Control (DAC)
    Access is granted at the discretion of the resource owner.
    • Example: A file-sharing app where users can share documents with others by granting permissions.
    • Context: File-sharing platforms like Google Drive, Dropbox.
  3. Attribute-Based Access Control (ABAC)
    Access is granted based on attributes such as user age, location, or clearance level.
    • Example: Content on a streaming site restricted to viewers in specific countries.
    • Context: Media services, financial institutions with location-based restrictions.

IDOR (Insecure Direct Object Reference)

Broken Object-Level Authorization

  • What is it?
    Users can access or manipulate objects belonging to others by modifying identifiers in requests.
  • Example:
    A banking app allows users to view account details via:
    /account?id=123.
    An attacker changes the ID to access someone else’s account:
    /account?id=456.
  • Context:
    • Banking and financial systems.
    • Social media platforms exposing private user data.

Broken Function-Level Authorization

  • What is it?
    Regular users gain access to privileged functionality, such as admin-only pages or actions.
  • Example:
    A regular user accesses an admin-only URL:
    /admin/deleteUser without being an admin.
  • Context:
    • SaaS platforms with tiered user roles.
    • E-commerce sites with admin dashboards.

Missing Access Controls

  • What is it?
    Sensitive endpoints are exposed without any access control.
  • Example:
    Accessing /api/getAllUsers without being authenticated or authorized.
  • Context:
    • APIs in IoT or healthcare applications.
    • Debugging tools accidentally left exposed.

Cross-Tenant Access Control

  • What is it?
    A multi-tenant application fails to isolate data between tenants, allowing cross-access.
  • Example:
    Two accounts (A and B) belong to different tenants. Replacing account A’s session cookie with account B’s cookie lets user A view or edit user B’s data.
  • Context:
    • Multi-tenant SaaS applications.
    • CRMs and enterprise resource planning (ERP) tools.

Contexts and Use Cases

E-Commerce

  • Risk: Unprotected admin panels exposing order or user data.
  • Example: A malicious user accesses /admin/viewOrders to see all customer orders.

Social Media

  • Risk: IDOR exposing private messages or user profiles.
  • Example: /messages?user=123 lets one user view another’s private conversations.

Banking and Financial Services

  • Risk: IDOR allowing unauthorized fund transfers or balance views.
  • Example: /transfer?to=account456&amount=1000 permits fund transfers without proper validation.

Healthcare

  • Risk: Cross-tenant access exposing patient records.
  • Example: Changing a session ID allows one doctor to view patients of another clinic.

SaaS Platforms

  • Risk: Broken role-based controls granting unauthorized access to admin features.
  • Example: A standard user accesses /admin/reports to see sensitive business data.
Web Security
Access Control PortSwigger
This post is licensed under CC BY 4.0 by the author.