
Access control vulnerabilities and privilege escalation

What is Access Control

Access control is the mechanism that decides which permissions a user needs to reach a given piece of information or resource. It acts as a security control that blocks unauthorized access.

To explain it in simple terms, in access control, each user is given access according to their designated role, and permissions are set for their accounts. For example, for admin users, admin features are enabled so they can control the system. For regular users, a simple role is set, and similarly, a guest role is set for guests. This is achieved through access control.

What are Access Control Vulnerabilities

Sometimes access control systems have flaws that can be exploited, allowing a user to reach resources or information beyond what their role permits.


Common access control vulnerabilities include:

  1. Privilege Escalation: Privilege escalation is an unauthorized method where a guest or regular user gains higher privileges, such as admin privileges. If a regular user obtains admin privileges, it is called vertical privilege escalation. Similarly, if a user gains access to another user’s account at the same privilege level, it is called horizontal privilege escalation.
  2. Insecure Direct Object References: Insecure direct object references are access control flaws where an attacker can reach a resource or piece of information directly, without the application checking whether they are permitted to.
  3. Access Control List (ACL) Issues: Access Control Lists are used to set permissions for resources. If the permissions for a resource are not properly set or have become outdated, an attacker can exploit it to gain access to resources and information.
  4. Authentication Bypass: Authentication bypass is a type of access control vulnerability where an attacker bypasses authentication to gain access to the system. This can be done by exploiting weak authentication mechanisms or guessing passwords.

Let’s Explore Access Control Vulnerabilities one by one

  1. Unprotected admin functionality
  2. Unprotected admin functionality with unpredictable URL
  3. User role controlled by request parameter
  4. User role can be modified in user profile
  5. User ID controlled by request parameter with password disclosure
  6. User ID controlled by request parameter, with unpredictable user IDs
  7. User ID controlled by request parameter with data leakage in redirect
  8. Insecure direct object references
  9. URL-based access control can be circumvented
  10. Method-based access control can be circumvented
  11. Multi-step process with no access control on one step
  12. Referer-based access control

Reference: https://portswigger.net/web-security/access-control
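To make the "user role controlled by request parameter", "user ID controlled by request parameter" and "method-based access control" cases concrete, here is an added example (constructed for this article, not code from the original post or from PortSwigger) that places a vulnerable handler next to its hardened form. The user store, session layout, `roleid`/`id` parameter names and the `Forbidden` exception are all assumptions made for the example.

```python
# Constructed user store: id -> record. The server-side session is the only
# trusted source of identity; request parameters are attacker-controlled.
USERS = {
    1: {"role": "admin", "email": "admin@example.test"},
    2: {"role": "user", "email": "carlos@example.test"},
    3: {"role": "user", "email": "wiener@example.test"},
}


class Forbidden(Exception):
    """Raised when a request fails an authorization check."""


def vulnerable_account(session: dict, params: dict) -> dict:
    """Trusts client data: 'roleid' decides admin access (vertical escalation)
    and 'id' selects any record (horizontal escalation / IDOR)."""
    if params.get("roleid") == "2":          # role taken from the request
        return {"admin": True}
    return USERS[int(params["id"])]          # no ownership check on the id


def secure_account(session: dict, params: dict) -> dict:
    """Derives identity and role from the session and enforces ownership."""
    if "user_id" not in session:
        raise Forbidden("not authenticated")
    caller_id = session["user_id"]
    target = int(params.get("id", caller_id))
    # Ownership check: non-admins may only read their own record.
    if target != caller_id and USERS[caller_id]["role"] != "admin":
        raise Forbidden("not your account")
    if target not in USERS:
        raise Forbidden("no such account")
    return USERS[target]


def vulnerable_admin_action(session: dict, method: str) -> bool:
    """Check only applied to POST: reaching the endpoint via GET skips it."""
    if method == "POST" and USERS[session["user_id"]]["role"] != "admin":
        raise Forbidden("admin only")
    return True


def secure_admin_action(session: dict, method: str) -> bool:
    """Authorize in the handler itself, for every HTTP method."""
    if USERS.get(session.get("user_id"), {}).get("role") != "admin":
        raise Forbidden("admin only")
    return True


def denied(fn, *args) -> bool:
    """True if the call is rejected by an authorization check."""
    try:
        fn(*args)
        return False
    except Forbidden:
        return True
```

The contrast is the point: the secure handlers never read identity or role from the request, and they apply the check on the server for every method rather than relying on the front end.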

The next topic in this series is XXE Injection. You must complete the Access Control topic before starting the next one. Good Luck!
