Use this skill when you need to determine whether a web application correctly enforces authorization decisions for every user, role, and request type. Access controls are the mechanism by which an application decides whether a given request is permitted to perform an action or access a resource. Broken access controls affect 71% of web applications and enable attackers to take full control of administrative functionality, access other users' sensitive data, or bypass business logic constraints.
This skill applies to authorized penetration tests, security code reviews, and appsec audits. It is not a substitute for legal authorization to test a target application.
Vertical access control enforces separation between privilege levels (ordinary user vs. administrator). Vertical privilege escalation occurs when a lower-privilege user successfully accesses higher-privilege functions.
Horizontal access control enforces that users can only access their own resources (documents, orders, accounts). Horizontal privilege escalation occurs when a user accesses another user's resources.
Context-dependent access control enforces that users access application states only in the prescribed sequence. Business logic exploitation occurs when a user bypasses required workflow steps (for example, skipping the payment stage of a checkout flow).
Horizontal and vertical escalations frequently chain: discovering another user's document identifier may allow modifying that user's security role, converting horizontal access into vertical compromise.
admin=true), HTTP Referer header, or IP-based geolocation.Step 1: Understand the authorization model.
Before probing, answer these questions from application mapping output or source code:
admin, role, isAdmin)?WHY: Access control testing without understanding the intended authorization model produces false positives (expected differences flagged as vulnerabilities) and false negatives (violations that look like normal variance). The authorization model defines what "violation" means.
Step 2: Identify all application surfaces.
Using your proxy history and any content discovery output, catalog:
WHY: Poorly protected functionality often exists outside the normal navigation paths. JavaScript building role-conditional UI elements frequently references admin URLs that are not linked from ordinary user interfaces.
This is the primary methodology. It requires at minimum two accounts: one high-privilege and one low-privilege.
Step 1: Map the application as the high-privilege user.
With Burp configured as your proxy (interception disabled), browse all application functionality using the high-privilege account. This builds a complete site map of all accessible endpoints.
WHY: You need to know what the high-privilege account can access before you can test whether the low-privilege account is incorrectly permitted to access it. Starting with the low-privilege account means you may never discover the privileged endpoints to test.
Step 2: Use Burp's "Compare Site Maps" feature.
In Burp's Target tab, right-click the site map and select "compare site maps." Configure the second site map to re-request all items from the first site map using the low-privilege session (via a recorded login macro or a specific session cookie). Burp will highlight added, removed, and modified responses between the two maps, including a diff count for modified items.
WHY: Manual comparison of dozens or hundreds of endpoints is error-prone and slow. Automated replay eliminates the mechanical work while preserving human judgment for interpreting results — two identical responses to an admin function indicate a violation; two different responses to a personal profile page are expected and benign.
Step 3: Interpret comparison results with context.
Identical responses do not always indicate a vulnerability (a search function returning the same results is harmless). Different responses do not always indicate correct enforcement (an admin function returning different content each visit may still be accessible). Apply judgment for each flagged item.
Step 4: Test horizontal access control with two same-privilege accounts.
Identify resources owned by Account A (document IDs, order numbers, account references). From Account B's session, request those same resource identifiers directly — either by URL or by replaying the POST parameters. Access to Account A's resource from Account B's session is a horizontal privilege escalation.
WHY: The Burp site map comparison approach tests vertical access control effectively. Horizontal escalation requires explicit cross-account resource substitution because both accounts see the same set of endpoints.
getBalance → getAllBalances, getCurrentUserRoles → getAllUserRoles, listInterfaces, getAllUsersInRoles).WHY: Security through obscurity is not access control. URLs appear in browser history, server logs, proxy logs, and bookmarks. URL knowledge cannot be revoked when a user changes roles. Any function reachable by knowing its URL without a server-side authorization check is unprotected, regardless of whether the URL is published.
WHY: Resource identifiers are not secrets. They appear in server logs, are transmitted via clients, and may be observed from within the application itself (logs, audit trails). The server must verify that the requesting user is authorized to access the specific resource identified, regardless of how the identifier was obtained.
WHY: Developers commonly validate authorization at the entry point of a workflow and assume that any user who reaches later stages must have passed the earlier checks. This assumption is violated whenever an attacker can directly submit a request to a later-stage endpoint. Each step must independently verify that the current session is authorized to perform the action, not just that it reached this step via a valid earlier step.
WHY: Static files served directly from the web root bypass all application-layer code. No server-side script runs to verify the requester's authorization. The only protection available is web-server-level authentication or serving files indirectly through a dynamic page that implements authorization logic.
POST with GET, then HEAD, then an arbitrary invalid method (e.g., JEFF).WHY: Platform-level access rules (web server or application server configuration) often deny specific HTTP methods but allow others. HEAD requests are typically handled by the same code as GET, so if GET performs a sensitive action, HEAD may too. Some platforms route unrecognized HTTP methods to the GET handler, allowing arbitrary method names to bypass deny rules that only enumerate specific blocked methods.
Parameter-based access control:
admin=true, role=admin, isManager=1).Referer-based access control:
Referer header on those requests. If access fails, the application is using Referer as an authorization signal.Referer value matching the administrative page that would legitimately precede the request.Location-based access control:
WHY: Any access control decision based on data the client can control is fundamentally insecure. Request parameters, Referer headers, and IP geolocation are all attacker-controllable. Authorization decisions must be driven exclusively from server-side session state, which the attacker cannot forge.
When only one account is available:
Referer-based access control as described above.For each confirmed finding, record:
Use these principles when documenting remediation recommendations or reviewing defensive implementations:
Avoid the common pitfalls:
admin=true). All access control decisions must derive from server-side session state.Implement a centralized authorization model:
Apply a multilayered privilege model (defense in depth):
Protect static content by either: (a) serving files through a dynamic handler that performs authorization before streaming the file, or (b) using HTTP authentication or application-server access controls to wrap direct file requests.
For high-sensitivity functions (bill payee creation, privilege changes): implement per-transaction reauthentication or dual authorization to mitigate both access control bypass and session hijacking impact.
Log all access to sensitive data and all sensitive actions to enable detection and investigation of access control breaches.
Scenario: E-commerce platform with separate admin and customer roles. Penetration test with one admin account and one customer account.
Trigger: Burp site map comparison shows admin account visited /admin/users/list and /admin/users/new. Low-privilege replay returns HTTP 200 for both with the same response body as the admin.
Process:
/admin/users/list showed diff count 0 (identical responses)./admin/users/new POST with customer session — new admin account created successfully.Output: Critical finding — CWE-862 (Missing Authorization). Completely unprotected admin functionality. Recommended: central authorization component checks session role before any admin handler executes.
Scenario: Document management application. User A and User B both have standard accounts. Authorized test with both accounts.
Trigger: After logging in as User A, the document list shows URLs in the form /ViewDocument.php?docid=1280149120. Login as User B and browse to User B's own document at docid=1280149125.
Process:
docid parameter to 1280149120 (User A's document ID).Output: High finding — CWE-639 (Authorization Bypass Through User-Controlled Key). Server does not verify that the requesting session owns the referenced document. Recommended: on every document request, verify that the authenticated user's ID matches the document's owner field before returning content.
Scenario: SaaS application with an "Add User" admin workflow (3 steps: choose role, enter details, confirm). Single admin account available; one regular-user account.
Trigger: Application mapping reveals the workflow spans three POST requests: /admin/newuser/step1, /admin/newuser/step2, /admin/newuser/step3. Step 1 returns 403 for the regular-user session. Steps 2 and 3 have not been tested independently.
Process:
Output: Critical finding — CWE-285 (Improper Authorization) on steps 2 and 3; CWE-284 on HTTP method bypass. Recommended: each step independently verifies the session role; platform rules use default-deny for all HTTP methods except those explicitly permitted for each endpoint.
This skill is licensed under CC-BY-SA-4.0.
Source: BookForge — The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws by Dafydd Stuttard, Marcus Pinto.
This skill is standalone. Browse more BookForge skills: bookforge-skills
共 1 个版本
暂无安全检测报告