OWASP Top10 Application Security Risk

Never leave this tip while you hunting Broken Access Control

A special Bug-Bounty tip for Bug hunters and Pen-testers

secureITmania
2 min readNov 12, 2021

--

If you already know about Broken Access Control weakness. Please skip explanation and go to the “Observation” section.

What is Broken Access Control

Broken Access Control is a type of weakness in the software program or application. If the system gives unauthorized access to a low privileged user then we can say that the system had a Broken Access Control weakness.

Broken Access Control secureITmania

Broken access controls are a commonly tends to High/critical security vulnerability. Design and management of access controls is a complex and dynamic problem that applies business, organizational, and legal constraints to a technical implementation.

Access Controls are sub-divided into 2 categories
1. Vertical Access Controls
2. Horizontal Access Controls

Issue Observation:

We will assume that the target host name is REDACTED. The figures during the post just for demonstrations, might not relevant to REDACTED domain.

I found a website and it has the signup feature to register an account. I created two accounts and start exploring the web application features for hunting the access control issues. I analyzed the “My Profile” request and observed the below API endpoint.

GET /v1/account/3/user/{userId} HTTP/1.1
Host: REDACTED.COM
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ik1rTkNOME0zTXpjek9VUXhOVE5DUVRrd01VRkJSa1EzT0RNNVFqSTBOREUzUlRreE0wTTRdNUSJ9........
Origin: REDACTED.COM
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

To verify the access controls I have changed the “userId” value with the another account “userId”. But the application is validating the “userId” value at server side and does not allow to retrieve the…

--

--