Portswigger Academy Access control vulnerabilities Labs

Introduction

What?

Access control (or authorisation) is the application of constraints on whom (or what) can perform attempted actions or access resources that they have requested. In the context of web applications, access control is dependent on authentication and session management:

• Authentication identifies the user and confirms that they are who they say they are.

• Session management identifies which subsequent HTTP requests are being made by that same user.

• Access control determines whether the user is allowed to carry out the action that they are attempting to perform.

Why?

Broken access controls are a commonly encountered and often critical security vulnerability. Design and management of access controls is a complex and dynamic problem that applies business, organisational, and legal constraints to a technical implementation. Access control design decisions have to be made by humans, not technology, and the potential for errors is high.

How?

• Broken access control

• Insecure direct object references (IDOR)

• Unprotected admin functionality

• Unprotected admin functionality with unpredictable URL

• User role controlled by request parameter

• User role can be modified in user profile

• User ID controlled by request parameter

• User ID controlled by request parameter, with unpredictable user IDs

• User ID controlled by request parameter with data leakage in redirect

• User ID controlled by request parameter with password disclosure

• Insecure direct object references

• URL-based access control can be circumvented

• Method-based access control can be circumvented

• Multistep process with no access control on one step

• Referer-based access control