BAC (Broken Access Control)
Access control is the application of constraints on who or what is authorized to perform actions or access resources.
Unprotected functionality
If you have an admin account, repeat the request with a normal user's cookie (the Autorize Burp extension can be useful).
Parameter-based
Some applications determine the user's access rights or role at login, and then store this information in a user-controllable location. This could be:
A hidden field
A cookie value
A preset query string parameter
https://insecure-website.com/login/home.jsp?admin=true
https://insecure-website.com/login/home.jsp?role=1
Referer-based
Try requesting a sub-page directly, setting the Referer header to the parent page the server expects.
You need to know the sub-pages (they can be brute-forced) and possibly the parameters needed to perform an action.
Platform misconfiguration
Try another HTTP method
Override the URL in the original request, e.g. with the X-Original-URL or X-Rewrite-URL header. If the response becomes 404 Not Found, the header is being honoured.
URL-matching discrepancies
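The parameter-based check and the URL-override / URL-matching issues above, side by side as an added example (not from the original notes): the vulnerable handler trusts the client's admin parameter, while the hardened dispatcher takes the role from a constructed server-side session store, ignores X-Original-URL / X-Rewrite-URL for the access decision, and canonicalises the path before matching. SESSIONS, Request and the /admin prefix are assumptions.

```python
import posixpath
from dataclasses import dataclass, field
from urllib.parse import urlparse, parse_qs

# Constructed session store (assumption): role is fixed at login and kept server-side.
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "user"},
    "sess-root": {"user": "root", "role": "admin"},
}

@dataclass
class Request:  # minimal stand-in for a framework request object (assumption)
    url: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)

def query_params(req):
    return {k: v[0] for k, v in parse_qs(urlparse(req.url).query).items()}

def vulnerable_home(req):
    """Parameter-based: trusts ?admin=true, so any client can claim the role."""
    role = "admin" if query_params(req).get("admin") == "true" else "user"
    return 200 if role == "admin" else 403

def session_role(req):
    """Role comes from the server-side session, never from the request itself."""
    session = SESSIONS.get(req.cookies.get("session"))
    return session["role"] if session else None

def canonical_path(path):
    """Collapse the URL-matching discrepancies the notes list: case, trailing
    and repeated slashes, dot-segments. Align this with the real router's rules."""
    collapsed = posixpath.normpath("/" + path).lstrip("/")
    return ("/" + collapsed).lower()

def hardened_dispatch(req):
    """Authorize on the canonical request path; override headers such as
    X-Original-URL are deliberately not consulted for the access decision."""
    role = session_role(req)
    if role is None:
        return 401
    path = canonical_path(urlparse(req.url).path)
    if path == "/admin" or path.startswith("/admin/"):
        return 200 if role == "admin" else 403
    return 200
```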
IDOR
Try other IDs / brute-force them.
Multi-step processes
Imagine a website where steps 1 and 2 have access controls, but step 3 doesn't. -> skip the first two steps and submit step 3 directly.
Example flow: (1) Load user details, (2) Submit changes, (3) Review and confirm.
Tips
An application might use GUIDs to identify users, but GUIDs of other users could be exposed elsewhere in the app, such as in user messages or reviews.
An application may detect unauthorized access and redirect to the login page, but the response body might still contain the targeted user's sensitive data.