Introduction to Access Control
Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorised information disclosure, modification or destruction of all data, or performing a business function outside of the limits of the user.
Types of Broken Access Controls
Content Access Control
Look for hidden or unlinked content in robots.txt, sitemap.xml, the page source, JavaScript files (code review), and by brute-forcing paths.
Parameter Access Control
Parameters sent with GET, POST, PUT, OPTIONS and TRACE requests, cookie values and JSON parameters; also information leaked through redirects.
IDOR on identifiers such as User_ID, Files_ID and GUID values.
Url-Based Access Control
Tampering with the API call through request headers that override the routed path, such as:
X-Original-URL: unauthorized path
X-Rewrite-URL: unauthorized path
Method-based Access Control
Changing the HTTP method, e.g. GET, POST, PUT, OPTIONS or TRACE, to reach a handler the original method was blocked on.
Access Control for a multi-step process
Depending on the application logic, every step and redirection has to be validated server-side, not only the first one.
Referrer-Based Access Control
Tampering with the Referer header, e.g. Referer: https://hacked.com, or deleting the Referer header altogether.
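The URL-based and method-based bypasses above share one root cause: the access rule is evaluated on the raw request line (and often only for GET), while the framework routes a different path. The following is an added example, not code from the original notes, that shows a naive check beside a hardened one that strips client-supplied override headers, normalises the path and applies the rule to every method. The Request shape, the /admin rule and the from_trusted_proxy flag are hypothetical and constructed for this example.

```python
"""Added example (not part of the original notes): a URL-based access check
evaluated on the path the application will actually serve, for every HTTP
method. The Request shape, the /admin rule and the trusted-proxy flag are
hypothetical and constructed for this example."""
import posixpath
from dataclasses import dataclass, field

# Override headers that some front ends and frameworks honour when routing.
OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    roles: frozenset = frozenset()


def normalize(path: str) -> str:
    """Collapse '..' and '//' segments and drop any query string, so that
    '/public/../admin' is judged as '/admin'."""
    path = path.split("?", 1)[0]
    return posixpath.normpath("/" + path.lstrip("/"))


def routed_path(req: Request) -> str:
    """Path the (hypothetical) framework dispatches: it honours an override
    header when present, which is what makes a raw-URL-only check bypassable."""
    for name, value in req.headers.items():
        if name.lower() in OVERRIDE_HEADERS:
            return normalize(value)
    return normalize(req.path)


def strip_override_headers(req: Request) -> Request:
    """Edge mitigation: drop override headers from requests that did not
    come from a trusted proxy, so clients cannot rewrite their own route."""
    req.headers = {n: v for n, v in req.headers.items()
                   if n.lower() not in OVERRIDE_HEADERS}
    return req


def naive_is_allowed(req: Request) -> bool:
    """Vulnerable variant: the rule looks at the raw URL only, and only for GET."""
    if req.method != "GET":
        return True
    if req.path.startswith("/admin"):
        return "admin" in req.roles
    return True


def hardened_is_allowed(req: Request, from_trusted_proxy: bool = False) -> bool:
    """Hardened variant: strip client-supplied override headers, then apply the
    rule to the normalized path that will be routed, whatever the method."""
    if not from_trusted_proxy:
        strip_override_headers(req)
    path = routed_path(req)
    # Exact segment match: '/administrator-guide' is not under '/admin'.
    if path == "/admin" or path.startswith("/admin/"):
        return "admin" in req.roles
    return True


if __name__ == "__main__":
    probe = Request("GET", "/", {"X-Original-URL": "/admin"}, frozenset({"user"}))
    print("naive:", naive_is_allowed(probe), "routes to", routed_path(probe))
    print("hardened:", hardened_is_allowed(probe, from_trusted_proxy=True))
```

The hardened variant works either way round: when the request came straight from a client the override header is removed before routing, and when it came from a trusted proxy the rule is applied to the path the header selects. In both cases the authorisation decision and the routing decision look at the same path.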
What is Authentication?
Authentication is the process of verifying who a user is, while authorization is the process of verifying what they have access to.
What is Authorization?
Authorization is the process where requests to access a particular resource should be granted or denied.
Access Control Types
- Vertical Access Control: (when a user is able to view the admin's data)
- Horizontal Access Control: (when User A is able to view User B's data)
- Context-Dependent Access Control: (tampering with the order of the steps when booking tickets)
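All three types come down to one deny-by-default decision on the server: role for vertical, object ownership looked up from the client-supplied id for horizontal, and the position in a server-side workflow for context-dependent checks. The example below is added here and is not from the original notes; the users, the bookings table and the three-step ticket workflow are constructed for it.

```python
"""Added example (not part of the original notes): one authorisation function
enforcing vertical, horizontal and context-dependent access control.
All users, bookings and the workflow steps are constructed sample data."""
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Hypothetical ticket-booking workflow; steps must be completed in this order.
BOOKING_STEPS = ("select_seat", "pay", "confirm")


@dataclass
class User:
    id: int
    roles: frozenset = frozenset()


@dataclass
class Booking:
    id: int
    owner_id: int
    completed_steps: list = field(default_factory=list)


# Constructed sample data: two ordinary users, one admin, one booking each.
USERS = {
    1: User(1, frozenset({"user"})),
    2: User(2, frozenset({"user"})),
    9: User(9, frozenset({"admin"})),
}
BOOKINGS = {100: Booking(100, owner_id=1), 200: Booking(200, owner_id=2)}


def authorize(user: User, action: str, booking_id: Optional[int] = None,
              step: Optional[str] = None) -> Tuple[bool, str]:
    """Deny-by-default decision; returns (allowed, reason)."""
    is_admin = "admin" in user.roles

    # Vertical: privileged actions are decided by the server-side role only,
    # never by anything the client sends.
    if action == "list_all_bookings":
        return (True, "ok") if is_admin else (False, "vertical: admin role required")

    if action in ("view_booking", "advance_booking"):
        # Horizontal: the client supplies an id; the server looks up the owner.
        # Unknown and not-owned ids get the same answer to avoid enumeration.
        booking = BOOKINGS.get(booking_id)
        if booking is None or (booking.owner_id != user.id and not is_admin):
            return False, "horizontal: booking not found or not yours"
        if action == "view_booking":
            return True, "ok"
        # Context-dependent: only the next step of the server-side workflow is
        # acceptable, regardless of which step the client asks for.
        done = len(booking.completed_steps)
        expected = BOOKING_STEPS[done] if done < len(BOOKING_STEPS) else None
        if step != expected:
            return False, f"context: expected step {expected!r}, got {step!r}"
        return True, "ok"

    return False, "unknown action"   # anything not listed is denied


def advance_booking(user: User, booking_id: int, step: str) -> Tuple[bool, str]:
    """Apply one workflow step, recording it only if authorisation passed."""
    allowed, reason = authorize(user, "advance_booking", booking_id, step)
    if allowed:
        BOOKINGS[booking_id].completed_steps.append(step)
    return allowed, reason


if __name__ == "__main__":
    alice, bob = USERS[1], USERS[2]
    print(authorize(bob, "view_booking", 100))          # horizontal denial
    print(advance_booking(alice, 100, "pay"))           # context denial, seat not chosen
    print(advance_booking(alice, 100, "select_seat"))   # ok
```

Note that the workflow position lives in the Booking record, not in a hidden form field or a client-side state value, which is what makes the order of steps tamper-resistant.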
Few Tips while on Broken Access Control hunting
- Bypassing access control checks by modifying the URL, internal application state, or the HTML page, or simply using a custom API attack tool.
- Allowing the primary key to be changed to another user's record, permitting viewing or editing of someone else's account.
- Attempts at privilege escalation, i.e. acting as a user without being logged in, or acting as an admin when logged in as a user.
- Metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) access control token
- Look closely at CORS misconfiguration, which can let external domains interact with the application on the user's behalf.
- Forced browsing to authenticated pages as an unauthenticated user
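On the CORS point, the usual misconfiguration is a server that reflects whatever Origin it receives while also allowing credentials. The following added example, not code from the original notes, puts that reflecting handler beside an allow-list handler that matches the full origin exactly. ALLOWED_ORIGINS and the dict-shaped response headers are constructed for the example.

```python
"""Added example (not part of the original notes): choosing CORS response
headers from an explicit origin allow list instead of reflecting the request's
Origin. The allow list is constructed for this example."""
from typing import Dict, Optional
from urllib.parse import urlsplit

ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})


def reflecting_cors(origin: Optional[str]) -> Dict[str, str]:
    """Misconfigured variant: echoes any Origin and allows credentials, so any
    site a logged-in user visits can read authenticated responses."""
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def strict_cors(origin: Optional[str]) -> Dict[str, str]:
    """Hardened variant: exact match on scheme + host (+ port) against the
    allow list; anything else gets no CORS headers at all."""
    if origin is None:
        return {}
    parts = urlsplit(origin)
    # A real origin has a scheme and host only; 'null', bare words and
    # values carrying a path or query never match.
    if parts.scheme != "https" or not parts.netloc or parts.path or parts.query or parts.fragment:
        return {}
    normalized = f"{parts.scheme}://{parts.netloc.lower()}"
    if normalized not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": normalized,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}   # caches must not serve one origin's answer to another


if __name__ == "__main__":
    for o in ("https://app.example.com", "https://app.example.com.evil.net", "null"):
        print(o, "->", strict_cors(o))
```

The prefix and suffix variants ("https://app.example.com.evil.net", "https://evilapp.example.com") are the ones to test first when reviewing a hand-written origin check; an exact set membership test on the normalised origin avoids the whole class of regex mistakes.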