Tbh, this is my first time writing a write-up, but I hope it will be understandable.
The first thing we will talk about is access control 🔽🔽
It means that there are constraints on who or what is authorized to perform actions or access resources.
Example:
If you have a company with different departments (IT, Sales, etc.), you can define policies and rules that prevent IT from accessing the resources of Sales.
In the context of web applications, access control depends on authentication and session management. What are authentication and session management?
Authentication confirms that the user is who they say they are.
Session management identifies which subsequent HTTP requests are being made by that same user.
Okay, now we know what access control is, so what now?
Let's go directly to the tips on how to find broken access control vulnerabilities.
First of all, broken access control means that a user can access resources or perform actions that they are not supposed to be able to.
Example:
A user might be able to access administrative functions just by browsing to the relevant admin URL, as you can see in the example below:
https://tesla.com/admin
If you can access this page, congratulations, you found a broken access control vulnerability. I mentioned tesla.com here just as an example (no offense XD).
But do you imagine it could be this easy?
For sure not. Let's see a more realistic one:
In some cases, sensitive functionality is concealed by giving it a less predictable URL, like the example below:
https://tesla.com/admin-panel-T124
As you can see, the admin panel URL here cannot be guessed (it is not predictable). So what is the tip here?
The tip here: GO search in the PAGE SOURCE. Inside the JavaScript <script> tags you can find something SPICY </script>, as you can see in the example below:
<script>
var isAdmin = false;
if (isAdmin) {
    ...
    var adminPanelTag = document.createElement('a');
    adminPanelTag.setAttribute('href', 'https://tesla.com/admin-panel-T124');
    adminPanelTag.innerText = 'Admin panel';
    ...
}
</script>
You can see that /admin-panel-T124 appears here, so now we have found the admin panel page and can try to access it 💥💥
Some applications determine the user's access rights or role at login, and then store this information in a user-controllable location.
This information can be stored in:
- a hidden field
- cookies
- a query string parameter
You can see what I mean in the example below ⬇
https://tesla.com/login/home.jsp?admin=true
As you can see, you can change admin to true, and if you get 200 OK, congratulations, you found parameter-based access control.
Another example of this:
https://tesla.com/login/home.jsp?role_id=1
You can try changing this parameter; it may take you to something useful …
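As an added example that is not part of the original write-up (and not PortSwigger's code): the session store, request objects and handler below are constructed to show why neither an obscure admin URL nor a user-controllable parameter like ?admin=true is real access control, and what the server-side check looks like instead. The session ids, usernames and the adminPanelHandler function are assumptions made for illustration.

```javascript
// Added example (not from the original write-up): why the role decision must
// come from server-side state, not from a URL the client controls. All names,
// session ids and requests below are constructed for illustration.

// Constructed server-side session store: session id -> identity and role
// decided at login. The client never gets to edit this.
const SESSIONS = {
  'sess-user-1': { username: 'alice', role: 'user' },
  'sess-admin-1': { username: 'root', role: 'admin' },
};

// Vulnerable pattern: the role is read from a user-controllable location,
// here the query string (?admin=true), which anyone can edit in the URL bar.
function vulnerableIsAdmin(req) {
  return req.query.admin === 'true';
}

// Hardened pattern: only the server-side session record decides the role.
// The query string, hidden form fields and anything other than the opaque
// session id are ignored for the authorization decision.
function hardenedIsAdmin(req) {
  const session = SESSIONS[req.cookies.session];
  return session !== undefined && session.role === 'admin';
}

// Handler for the admin panel. The path may be hard to guess
// (/admin-panel-T124), but the decision is made by the authorization check
// that is passed in, never by the URL being obscure.
function adminPanelHandler(req, isAdmin) {
  if (!isAdmin(req)) {
    return { status: 403, body: 'Forbidden' };
  }
  return { status: 200, body: 'Admin panel' };
}

// Constructed request: a normal user's session with a tampered query string,
// the situation the write-up describes for ?admin=true.
const TAMPERED_REQUEST = {
  method: 'GET',
  path: '/admin-panel-T124',
  query: { admin: 'true' },
  cookies: { session: 'sess-user-1' },
};

// Same obscure URL, no tampering, sent by a real admin session.
const ADMIN_REQUEST = {
  method: 'GET',
  path: '/admin-panel-T124',
  query: {},
  cookies: { session: 'sess-admin-1' },
};

// Runs the requests through both checks and returns the status codes.
function demo() {
  return {
    vulnerable: adminPanelHandler(TAMPERED_REQUEST, vulnerableIsAdmin).status,
    hardened: adminPanelHandler(TAMPERED_REQUEST, hardenedIsAdmin).status,
    realAdmin: adminPanelHandler(ADMIN_REQUEST, hardenedIsAdmin).status,
  };
}

console.log(demo()); // { vulnerable: 200, hardened: 403, realAdmin: 200 }
```

The point of the hardened version is that the only client-supplied value it reads is an opaque session id, which it uses purely as a key into server-side state; the same approach closes the role_id=1 variant, because the role is never taken from the request at all.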
The last tip in this part:
Maybe a lot of testers don't know this tip, but it is very useful and few people care about it.
Some application frameworks support various non-standard HTTP headers that can be used to override the URL in the original request.
HOLD ON!!!!! WHAT DOES THAT MEAN??
It means that the back-end can take the URL it processes from a header such as X-Original-URL or X-Rewrite-URL.
Try putting the endpoint in that header and sending the request, BUT WAIT A SECOND …. You SHOULD change the path of the request to be / like the example below:
GET / HTTP/1.1
X-Original-URL: /admin
After you do this, it will lead you to 200 OK.
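An added example, not from the original write-up or from any framework's own code: the gate functions, header list and access-log lines below are constructed to show how a framework that honours X-Original-URL ends up applying the access check to one path ("/") while serving another ("/admin"), how to close that gap, and how a defender can flag such requests in logs. The function names, the JSON log format and the IP addresses are assumptions made for illustration.

```javascript
// Added example (not from the original write-up): spotting and neutralising
// URL-override headers such as X-Original-URL and X-Rewrite-URL. The header
// handling, gate functions and log lines are constructed for illustration.

const OVERRIDE_HEADERS = ['x-original-url', 'x-rewrite-url'];

// Lower-cases header names so look-ups are case-insensitive, as HTTP requires.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Returns the override header present in a request, or null if there is none.
function overrideHeaderIn(headers) {
  return OVERRIDE_HEADERS.find((name) => name in headers) || null;
}

// The path a framework will actually route to. When the framework honours the
// override header (the behaviour the write-up describes), that path comes from
// the header, not from the request line.
function effectivePath(req, frameworkHonoursOverride) {
  const headers = normalizeHeaders(req.headers);
  const name = overrideHeaderIn(headers);
  return frameworkHonoursOverride && name !== null ? headers[name] : req.path;
}

// Vulnerable gate: the admin check looks at the request-line path ("/") while
// routing uses the header, so "/admin" is served with only "/" checked.
function vulnerableGate(req, isAdmin) {
  const checkedPath = req.path;
  const routedPath = effectivePath(req, true);
  if (checkedPath.startsWith('/admin') && !isAdmin) {
    return { status: 403, served: null };
  }
  return { status: 200, served: routedPath };
}

// Hardened gate: refuse override headers from clients outright, and apply the
// admin check to the path that will really be routed.
function hardenedGate(req, isAdmin) {
  if (overrideHeaderIn(normalizeHeaders(req.headers)) !== null) {
    return { status: 400, served: null };
  }
  const routedPath = effectivePath(req, false);
  if (routedPath.startsWith('/admin') && !isAdmin) {
    return { status: 403, served: null };
  }
  return { status: 200, served: routedPath };
}

// Constructed access-log lines (one JSON object per line) for the detection
// side: which clients are sending override headers, and where they point.
const SAMPLE_LOG = [
  '{"ip":"198.51.100.7","method":"GET","path":"/","headers":{"x-original-url":"/admin"}}',
  '{"ip":"198.51.100.9","method":"GET","path":"/login/home.jsp","headers":{}}',
  '{"ip":"198.51.100.7","method":"GET","path":"/","headers":{"X-Rewrite-URL":"/admin-panel-T124"}}',
];

// Flags every logged request that carries an override header.
function flagOverrideAttempts(logLines) {
  const hits = [];
  for (const line of logLines) {
    const entry = JSON.parse(line);
    const headers = normalizeHeaders(entry.headers);
    const name = overrideHeaderIn(headers);
    if (name !== null) {
      hits.push({ ip: entry.ip, header: name, target: headers[name] });
    }
  }
  return hits;
}

const probe = { method: 'GET', path: '/', headers: { 'X-Original-URL': '/admin' } };
console.log(vulnerableGate(probe, false)); // { status: 200, served: '/admin' }
console.log(hardenedGate(probe, false));   // { status: 400, served: null }
console.log(flagOverrideAttempts(SAMPLE_LOG).length); // 2
```

Two design choices matter here: the authorization decision is made on the path after any rewriting, so the check and the router agree on what is being served, and the override headers are dropped or rejected at the edge, since a client has no legitimate reason to send them.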
At the end of this write-up I want to give a shoutout to PortSwigger, whose resources helped me write my first one.
And don't forget to keep practicing. Here are all the access control vulnerability labs to solve ⬇⬇
Access control vulnerabilities and privilege escalation | Web Security Academy