vertical
unprotected admin panel
Just go to the admin panel directly
obscured admin panel
Read the source to find the URL
User role controlled by request parameter
Change the parameter:
https://insecure-website.com/login/home.jsp?admin=true
https://insecure-website.com/login/home.jsp?role=1
Circumventing access controls
An application may have
DENY: POST, /admin/deleteUser, managers
This may be bypassed using X-Original-URL and X-Rewrite-URL:
POST / HTTP/1.1
X-Original-URL: /admin/deleteUser
...
Or change the method
POSTX / HTTP/1.1
...
horizontal
user id controlled by request parameter (IDOR)
https://insecure-website.com/myaccount?id=123
access control in multi-step processes:
1. Load form containing details for a specific user.
2. Submit changes.
3. Review the changes and confirm.
The application may assume that step 3 can only be reached from step 2. This opens up problems when
- a cookie is stolen
- an assumption is made on the Referer header
- an assumption is made on location