Broken Access Control/Privilege Escalation

Description

Broken Access Control occurs when an application fails to enforce restrictions on what its users are permitted to do, so that users can view or modify resources, or perform actions, outside their intended permissions. Privilege Escalation is the exploitation of such a weakness to obtain a higher level of access than was granted (for example, an ordinary user acting as an administrator).

Example with Scenario

Scenario: A web application has an admin panel that should be accessible only to administrators. An attacker discovers that they can access the admin panel by directly navigating to the URL without proper authorization checks.

Payloads and Test Cases

Payloads

  1. Direct URL Access:

    /admin
  2. Parameter Manipulation:

    /user?role=admin
  3. Forced Browsing:

    /restricted/resource

Test Cases

  1. Direct URL Access:

    • Payload:

      /admin
    • Test Case:

      # Attempt to access the admin panel without an administrator session
      accessURL("/admin")
      # Verify whether the application grants access; a correctly
      # configured application denies the request
      checkAdminAccess()
  2. Parameter Manipulation:

    • Payload:

      /user?role=admin
    • Test Case:

      # Attempt to escalate privileges by modifying the role parameter
      accessURL("/user?role=admin")
      # Verify whether the application grants admin privileges; a correctly
      # configured application ignores the client-supplied role
      checkPrivilegeEscalation()
  3. Forced Browsing:

    • Payload:

      /restricted/resource
    • Test Case:

      # Attempt to access a restricted resource by requesting its path directly
      accessURL("/restricted/resource")
      # Verify whether the application grants access; a correctly
      # configured application denies the request
      checkAccessToRestrictedResource()

Mitigation

  1. Enforce Access Control:

    • Implement access control checks at the server-side for all sensitive actions.

    • Use role-based access control to enforce permissions.

  2. Use Secure Frameworks:

    • Use security frameworks that provide built-in access control mechanisms.

    • Ensure access control is consistently applied throughout the application.

  3. Parameter Validation:

    • Validate and sanitize parameters, and never derive an authorization decision from a client-supplied value such as a role parameter; the effective role must come from the server-side session of the authenticated user.

    • Use strong validation rules to prevent unauthorized access.

  4. Regular Audits:

    • Conduct regular security audits and penetration testing to identify and fix access control vulnerabilities.

    • Monitor access logs for suspicious activity.
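The following is an added example, not code from the original page: a small, framework-free Python model of the mitigations listed above (server-side, deny-by-default, role-based checks; the role taken from the session rather than from the request; denied requests logged for monitoring), placed beside a deliberately vulnerable "before" version that trusts the role parameter and never checks /admin. It also replays the three payloads from the Test Cases section against both versions. The request and session models, the route table, the session ids and the log format are all constructed assumptions for illustration.

```python
"""Deny-by-default, server-side access control: vulnerable vs hardened.

Constructed, self-contained example (no web framework). The request model,
session store, route table and log format are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed server-side session store: session id -> role. In a real
# application the role is looked up from the authenticated identity and is
# never taken from anything the client sends.
SESSIONS: Dict[str, str] = {
    "sess-alice": "user",
    "sess-bob": "admin",
}

# Route table: the roles allowed to reach each path. A path that is not
# listed is denied to everyone, so a forgotten route fails closed, not open.
ROUTE_ROLES: Dict[str, frozenset] = {
    "/": frozenset({"user", "admin"}),
    "/user": frozenset({"user", "admin"}),
    "/admin": frozenset({"admin"}),
    "/restricted/resource": frozenset({"admin"}),
}


@dataclass
class Request:
    url: str
    session_id: Optional[str] = None  # value of the session cookie, if any


@dataclass
class Response:
    status: int
    body: str = ""


DENIED_LOG: List[str] = []  # constructed audit trail of denied requests


def vulnerable_dispatch(req: Request) -> Response:
    """'Before' version: trusts the role query parameter and performs no
    server-side authorization check on /admin at all."""
    parts = urlsplit(req.url)
    role = parse_qs(parts.query).get("role", ["user"])[0]  # client-controlled
    if parts.path == "/admin":
        return Response(200, "admin panel")  # no check: forced browsing works
    if parts.path == "/user":
        return Response(200, f"profile (role={role})")  # role=admin accepted
    return Response(200, "resource")  # unlisted paths are served anyway


def hardened_dispatch(req: Request) -> Response:
    """Role comes only from the server-side session; every path is checked
    against the route table; missing sessions and unknown paths are denied."""
    parts = urlsplit(req.url)
    role = SESSIONS.get(req.session_id or "")
    if role is None:
        DENIED_LOG.append(f"401 {parts.path} anon")
        return Response(401, "authentication required")
    allowed = ROUTE_ROLES.get(parts.path, frozenset())  # default: nobody
    if role not in allowed:
        DENIED_LOG.append(f"403 {parts.path} session={req.session_id} role={role}")
        return Response(403, "forbidden")
    # The 'role' query parameter is deliberately ignored: it has no effect.
    return Response(200, f"{parts.path} as {role}")


# The three payloads from the Test Cases section.
PAYLOADS = ["/admin", "/user?role=admin", "/restricted/resource"]


def run_test_cases(dispatch: Callable[[Request], Response],
                   session_id: Optional[str]) -> Dict[str, int]:
    """Replay each payload through a dispatcher and record the status code."""
    return {p: dispatch(Request(p, session_id)).status for p in PAYLOADS}


def count_denials(path: str) -> int:
    """Monitoring hook: number of denied attempts recorded against a path."""
    return sum(1 for line in DENIED_LOG if f" {path} " in line)


if __name__ == "__main__":
    print("vulnerable, anonymous :", run_test_cases(vulnerable_dispatch, None))
    print("hardened, anonymous   :", run_test_cases(hardened_dispatch, None))
    print("hardened, alice (user):", run_test_cases(hardened_dispatch, "sess-alice"))
    print("hardened, bob (admin) :", run_test_cases(hardened_dispatch, "sess-bob"))
    print("denied attempts on /admin:", count_denials("/admin"))
```

Against the vulnerable dispatcher every payload returns 200 for an anonymous caller. Against the hardened one an anonymous caller gets 401 everywhere, a regular user gets 200 on /user (with the role parameter having no effect) and 403 on /admin and /restricted/resource, and only the administrator session reaches all three. The denied-request log is what the "monitor access logs" item above would be watching: repeated 401/403 entries against administrative paths are the signal to alert on.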
