PortSwigger Broken Access Control and Privilege Escalation Labs Write-up!!
Broken Access Control Labs with Use Cases and Solutions!!!
This blog discusses the Broken Access Control labs provided by PortSwigger.
Access control ensures that users can only perform the actions they are authorized to perform. More broadly, it is the method of restricting access to web resources based on factors such as the time of day, IP address, domain, encryption capability, authentication frequency, possession of tokens, and other variables that can be determined easily. In short, access control places restrictions on who or what can perform certain actions or access specific resources. In web applications, access control depends on authentication and session management.
Broken access controls are a common and serious security issue. The design and management of access controls is a complex problem involving business, organizational, and legal constraints. Because it requires human decision-making, the risk of mistakes is high.
Access control is categorized into three types: read-only files, readable and writable data, and executable resources. However, these categories can vary depending on the file type. Enforcing access control follows an approved multi-step procedure. The first step is identification: the subject presents an ID that tells the system who is requesting access.
The next step is to verify that claimed identity, usually through an authentication process. If authentication succeeds, the system then checks whether the subject is authorized to access the requested resources.
Lab: Unprotected admin functionality
Lab: Unprotected admin functionality with unpredictable URL
carlos.
Lab: User role controlled by request parameter
/admin and observe that you can’t access the admin panel.
Admin=false. Change it to Admin=true.
carlos.

Lab: User role can be modified in user profile
/admin. It’s only accessible to logged-in users with a roleid of 2. Solve the lab by accessing the admin panel and using it to delete the user carlos. You can log in to your own account using the following credentials: wiener:peter
Step-2 Use the provided feature to update the email address associated with your account.
"roleid":2 into the JSON in the request body, and resend it.
roleid has changed to 2.
/admin and delete carlos.
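The Admin=false cookie lab above and this roleid lab fail for the same reason: the application derives the user's privilege from something the client sends. The following added example (my own code, not PortSwigger's or the lab's) models both in plain Python: a vulnerable profile update that merges the whole JSON body into the account, beside a hardened version that copies only an allowlisted field and reads the role from the server-side record of the session user. The account store, email values and function names are constructed for illustration.

```python
import copy
import json

ADMIN_ROLE = 2                 # the lab's "roleid of 2"
UPDATABLE_FIELDS = {"email"}   # the only field the profile form is meant to change

def make_users():
    """Constructed server-side account store (sample data, not the lab's).
    The roleid kept here is the authoritative source of privilege."""
    return {
        "wiener": {"email": "wiener@example.test", "roleid": 1},
        "administrator": {"email": "admin@example.test", "roleid": 2},
    }

def update_profile_vulnerable(users, username, body):
    """Mass assignment: every key in the JSON body is written to the account,
    so sending "roleid":2 next to the new email silently promotes the user."""
    users = copy.deepcopy(users)          # work on a copy so callers can compare
    users[username].update(json.loads(body))
    return users[username]

def update_profile_hardened(users, username, body):
    """Allowlist: only fields the form is meant to change are copied; any other
    key (roleid, ...) is dropped and returned so the caller can log the attempt."""
    users = copy.deepcopy(users)
    data = json.loads(body)
    ignored = sorted(set(data) - UPDATABLE_FIELDS)
    for key in UPDATABLE_FIELDS & set(data):
        users[username][key] = data[key]
    return users[username], ignored

def is_admin_vulnerable(cookies):
    """Trusts a client-controlled cookie: flipping Admin=false to Admin=true
    is all it takes to reach /admin."""
    return cookies.get("Admin") == "true"

def is_admin_hardened(users, session_username):
    """Privilege is read from the server-side record of the user bound to the
    authenticated session; nothing in the request is consulted."""
    return users[session_username]["roleid"] == ADMIN_ROLE

if __name__ == "__main__":
    store = make_users()
    tampered = '{"email": "wiener@example.test", "roleid": 2}'   # constructed request body
    print("vulnerable:", update_profile_vulnerable(store, "wiener", tampered))
    print("hardened:  ", update_profile_hardened(store, "wiener", tampered))
    print("cookie Admin=true trusted:", is_admin_vulnerable({"Admin": "true"}))
    print("wiener admin (server-side):", is_admin_hardened(store, "wiener"))
```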

Lab: User ID controlled by request parameter
carlos.
Lab: User ID controlled by request parameter, with unpredictable user IDs
carlos.
carlos and observe that the URL contains his user ID. Make a note of this ID.
carlos.
Lab: User ID controlled by request parameter with data leakage in redirect
carlos.
carlos.
Lab: User ID controlled by request parameter with password disclosure
administrator.
carlos.
Lab: Insecure direct object references
1.txt and review the text. Notice a password within the chat transcript.
Lab: URL-based access control can be circumvented
/admin and observe that you get blocked. Notice that the response is very plain, suggesting it may originate from a front-end system.
/ and add the HTTP header X-Original-URL: /invalid. Observe that the application returns a “not found” response. This indicates that the back-end system is processing the URL from the X-Original-URL header.
?username=carlos to the real query string, and change the X-Original-URL path to /admin/delete.
Lab: Method-based access control can be circumvented
carlos, and send the HTTP request to Burp Repeater.
Lab: Multi-step process with no access control on one step
carlos, and send the confirmation HTTP request to Burp Repeater.
Lab: Referer-based access control
carlos, and send the HTTP request to Burp Repeater.
/admin-roles?username=carlos&action=upgrade and observe that the request is treated as unauthorized due to the absent Referer header.
If you enjoyed this blog post, share it with your friends and colleagues!!