Access Control Cheatsheet

Access Control Vulnerabilities Summary and Testing Guide

What Are Access Control Vulnerabilities?

Access control vulnerabilities occur when an application does not properly restrict users’ access to actions or data. This allows unauthorized users to:

• Perform admin-only functions (vertical privilege escalation).
• Access other users’ data or resources (horizontal privilege escalation).
• Exploit multi-step processes or bypass weak restrictions.

---

** General Reconnaissance**

1. Understand the Application’s Access Model:
   • Are there roles (e.g., admin, user)?
   • Is user data isolated (horizontal controls)?
   • Are there hidden admin-only actions?
2. Map the Application:
   • Identify endpoints, parameters, and cookies that control access.
   • Check for predictable identifiers like ?id=123.
3. Investigate HTTP Responses:
   • Look for differences in 200, 403, or 302 statuses to infer access control weaknesses.

---

** Horizontal Privilege Escalation Testing**

1. Test query parameters:
   • Modify resource IDs (e.g., ?id=123 → ?id=456) to access another user’s data.
2. Exploit IDOR:
   • For predictable identifiers, test ranges of IDs or GUIDs leaked in the app (e.g., user profiles or API endpoints).
3. Check file downloads:
   • Modify file paths (e.g., /download/2.txt → /download/1.txt).
4. Observe redirect behavior:
   • Submit invalid and valid account IDs in endpoints (e.g., /my-account?id=xxx) and compare response content.

---

Vertical Privilege Escalation Testing**

1. Test admin functionality:
   • Access URLs like /admin or /dashboard.
   • Use /robots.txt to locate hidden paths.
2. Header Manipulation:
   • Add headers like X-Original-URL or modify existing headers to bypass restrictions:

     GET / HTTP/1.1
     X-Original-URL: /admin/delete
     

3. HTTP Method Testing:
   • Try alternate methods (GET, PUT, DELETE) to bypass controls on restricted actions.
4. Mass Assignment:
   • Add unexpected fields in requests (e.g., roleID) and observe changes:

     POST /update
     {"email": "user@example.com", "roleID": "1"}
     

5. Multi-Step Processes:
   • Test if each step of a multi-step workflow enforces access controls individually.

---

** Advanced Techniques**

1. Referer Header Bypass:
   • If Referer is checked, spoof it:

     Referer: https://vulnerable-app.com/admin
     

2. Source Code Inspection:
   • Look for client-side scripts revealing admin URLs or sensitive parameters.
3. Cookie Modification:
   • Identify cookies controlling roles (e.g., Admin=false) and modify them (e.g., Admin=true).
4. Location-Based Restrictions:
   • Test geolocation or IP-based controls using proxies or VPNs.

---

Common Testing Scenarios by Business Context

1. E-commerce

• Test ?order=1234 to access others’ orders.
• Identify unprotected admin actions managing orders or refunds.

2. Healthcare

• Check for cross-tenant data leaks, e.g., switching session cookies or user IDs.

3. Banking

• Modify account numbers in endpoints (?account=5678) to access unauthorized funds or details.

4. SaaS Platforms

• Attempt to access premium or admin features as a regular user.

---

Step 5: Automation and Tools

1. Burp Suite:
   • Use Intruder to fuzz endpoints with predictable IDs or parameters.
   • Compare site maps across roles to identify differences.
2. Wordlists:
   • Use wordlists to brute-force sensitive paths (/admin, /dashboard, /settings).
3. HTTP Method Checks:
   • Automate method-based bypass testing (GET, POST, DELETE).
4. Header Testing:
   • Test custom headers (X-Original-URL, X-Rewrite-URL) systematically.