BROKEN ACCESS CONTROL LABS
Access control is how an application decides what a user is allowed to do. It depends on three related mechanisms:
- Authentication - Confirms the user's identity
- Session Management - Tracks the user's activity and identifies which requests are being made by the same user
- Access Control - Checks whether the action the user is about to perform is permitted
Vertical Privilege Escalation
This is when a user (or an attacker) gains access to functionality they are not supposed to have. For example, a non-administrative user who can reach the admin page and delete other users' accounts has performed vertical privilege escalation: the attacker moves from a low-privilege user to a high-privilege one.
Lab: Unprotected Admin Functionality
Step 1: I started by intercepting the website traffic
Step 2: I looked at all the functionality on the web page
Step 3: Got redirected to the login page
Step 4: Switched the login header to admin so as to get the admin panel
Step 5: Boom, got a 200 response code
Unprotected Admin Functionality with Unpredictable URL
Some applications hide sensitive features (such as admin panels) behind obscure URLs, an approach known as security by obscurity. This is ineffective on its own because the URL can still leak. For example, an admin panel URL referenced in the page's JavaScript is visible to every user who reads the source, even if the link itself is only rendered for admins.
Lab Steps
Step 1
Step 2
Step 3
Step 4
Step 5 & 6
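To show why obscurity fails, here is an added example (not the lab's own code) that pulls every site-relative path out of a constructed page, including the admin path that the page's script only turns into a visible link for administrators. The HTML, the /admin-7x3k9q2p path and the keyword list are made up for illustration.

```python
"""Unpredictable admin URLs still leak through page source.
Added example; the page below is constructed and the admin path is made up."""
import re
from typing import List

# Constructed page as a low-privileged user would receive it: the admin link
# is only rendered when isAdmin is true, but the path ships to every user.
PAGE_SOURCE = """<html><body>
<nav><a href="/my-account">My account</a></nav>
<script>
var isAdmin = false;
if (isAdmin) {
  var a = document.createElement('a');
  a.href = '/admin-7x3k9q2p';   // "hidden" admin panel (constructed path)
  a.textContent = 'Admin panel';
  document.querySelector('nav').appendChild(a);
}
fetch("/api/profile").then(r => r.json());
</script>
</body></html>"""

# A quoted string that starts with "/" is a site-relative path, whether it
# sits in an href attribute or inside a script.
PATH_RE = re.compile(r"""(?:href=["']|["'])(/[A-Za-z0-9_\-./?=&]+)["']""")


def extract_paths(html: str) -> List[str]:
    """Return every site-relative path found in markup or script strings,
    in order of first appearance, without duplicates."""
    found: List[str] = []
    for match in PATH_RE.finditer(html):
        path = match.group(1)
        if path not in found:
            found.append(path)
    return found


def suspicious_paths(paths: List[str]) -> List[str]:
    """Paths worth requesting directly: anything that looks administrative.
    The keyword list is an assumption, extend it for the target at hand."""
    hints = ("admin", "manage", "internal", "debug", "console")
    return [p for p in paths if any(h in p.lower() for h in hints)]


if __name__ == "__main__":
    paths = extract_paths(PAGE_SOURCE)
    print("all paths:", paths)
    print("try these:", suspicious_paths(paths))
```

The point is that the conditional in the script controls only what is rendered, not what is sent; the path is in the response body for every user, so extracting it is a matter of reading the source, not guessing.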
Parameter-based Access Control
Some applications determine the user's access rights or role at login, and then store this information in a user-controllable location. This could be:
- A hidden field.
- A cookie.
- A preset query string parameter.
Since the user controls all of these, the stored value can simply be changed to claim a different role.
Example:
https://insecure-website.com/login/home.jsp?admin=true
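The following is an added example (not the lab's code) contrasting a handler that reads the role from the request with one that derives it from a server-side session store. The session ids, user names, cookie names and the Admin cookie are constructed for illustration; only the admin=true query parameter comes from the page.

```python
"""Parameter-based access control: trusting a client-controlled role versus
looking the role up from server-side state. Added example; the session ids,
user names and cookie names below are constructed."""
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class Request:
    path: str
    params: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)


# Constructed server-side session store: opaque session id -> identity.
# The client only ever holds the key; it cannot write to this table.
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "user"},
    "sess-admin": {"user": "administrator", "role": "admin"},
}


def vulnerable_is_admin(req: Request) -> bool:
    """Role is read from data the client sends. Either ?admin=true or an
    Admin=true cookie is enough to unlock administrative functionality."""
    if req.params.get("admin") == "true":
        return True
    return req.cookies.get("Admin") == "true"


def hardened_is_admin(req: Request) -> bool:
    """Role is looked up server-side from the opaque session id. The client
    may still send admin=true, but nothing reads it; unknown sessions fail."""
    session = SESSIONS.get(req.cookies.get("session", ""))
    if session is None:
        return False
    return session["role"] == "admin"


def attacker_request() -> Request:
    """alice's real session plus the tampering an intercepting proxy allows."""
    return Request(
        path="/admin",
        params={"admin": "true"},
        cookies={"session": "sess-alice", "Admin": "true"},
    )


def legit_admin_request() -> Request:
    return Request(path="/admin", cookies={"session": "sess-admin"})


if __name__ == "__main__":
    print("vulnerable grants alice admin:", vulnerable_is_admin(attacker_request()))
    print("hardened grants alice admin:  ", hardened_is_admin(attacker_request()))
```

The same tampered request succeeds against the first handler and fails against the second; the fix is not to validate the parameter better but to stop consulting client-supplied data for the role at all.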
Lab: User role controlled by request parameter
Step 1–7
Horizontal Privilege Escalation
This occurs when a user is able to access resources belonging to another user instead of their own. For example, a user who reaches their own account page through an id parameter can often view another user's account simply by changing that parameter to the other user's id.
Lab: User ID controlled by request parameter, with unpredictable user IDs
Prevention
- Never rely on obfuscation alone for access control.
- Unless a resource is intended to be publicly accessible, deny access by default.
- Wherever possible, use a single application-wide mechanism for enforcing access controls.
- At the code level, make it mandatory for developers to declare the access that is allowed for each resource, and deny access by default.
- Thoroughly audit and test access controls to ensure they work as designed.
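As an added example (not the lab's code) tying the horizontal privilege escalation section and the prevention list together, here is a single application-wide authorization function that denies by default: every resource declares its rule, undeclared paths are refused, the admin panel requires the admin role, and the account page requires that the id parameter belong to the caller. The routes, roles, session ids and UUIDs are all constructed.

```python
"""A single application-wide access-control mechanism that denies by default.
Added example; routes, roles, session ids and user ids are constructed."""
import uuid
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Principal:
    user_id: str   # opaque, unpredictable id (a UUID here)
    role: str      # "user" or "admin"


@dataclass
class Request:
    path: str
    params: Dict[str, str] = field(default_factory=dict)


# Constructed server-side session store: the client only ever holds the key.
ALICE_ID = str(uuid.uuid4())
BOB_ID = str(uuid.uuid4())
SESSIONS: Dict[str, Principal] = {
    "sess-alice": Principal(ALICE_ID, "user"),
    "sess-bob": Principal(BOB_ID, "user"),
    "sess-admin": Principal(str(uuid.uuid4()), "admin"),
}

# A rule decides whether an authenticated principal may perform this request.
Rule = Callable[[Principal, Request], bool]


def role_is(role: str) -> Rule:
    """Vertical control: the caller must hold the given role."""
    return lambda p, r: p.role == role


def owns_param(name: str) -> Rule:
    """Horizontal control: the id in the request must be the caller's own.
    Whether the id is guessable is irrelevant; ownership is what is checked."""
    return lambda p, r: r.params.get(name) == p.user_id


PUBLIC = object()   # marker for resources intended to be publicly accessible

# Every resource declares who may reach it. A path missing from this table
# is denied, so forgetting to declare a new endpoint fails closed.
POLICY = {
    "/": PUBLIC,
    "/login": PUBLIC,
    "/my-account": owns_param("id"),
    "/admin": role_is("admin"),
    "/admin/delete": role_is("admin"),
}


def authorize(session_id: Optional[str], req: Request) -> bool:
    """The one enforcement point every request passes through."""
    rule = POLICY.get(req.path)
    if rule is None:
        return False                         # undeclared resource: deny
    if rule is PUBLIC:
        return True
    principal = SESSIONS.get(session_id or "")
    if principal is None:
        return False                         # no valid session: deny
    return rule(principal, req)


if __name__ == "__main__":
    # alice has learned bob's unpredictable id; ownership still blocks her.
    print(authorize("sess-alice", Request("/my-account", {"id": BOB_ID})))
    print(authorize("sess-alice", Request("/admin")))
```

Because the check lives in one place and the policy table is the only way to open a resource, an audit reduces to reading that table; a leaked unpredictable id buys the attacker nothing, since owns_param compares it against the caller's own server-side identity rather than trusting the request.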