gasilnutrition.blogg.se

Delete polymail account
BEGINNER'S CRASH COURSE FOR FINDING ACCESS CONTROL VULNERABILITIES IN THE WEB APPS: PART 2

Now let's see the classic way of checking for access control bugs.

1. Log in to two accounts, one privileged (admin) and one non-privileged (normal user), in separate browsers, or one in normal mode and the other in private browsing mode.
2. Start using the admin functions with the admin account so that the HTTP history tab in Burp fills up with the admin's requests.
3. Note down the cookies of the normal (non-privileged) user account: just reload the homepage as the normal user and its cookies will show up in Burp's traffic.
4.

Some applications enforce access controls at the platform layer by restricting access to specific URLs and HTTP methods based on the user's role. For example, an application might configure rules like the following:

DENY: POST, /admin/deleteUser, managers

This rule denies access to the POST method on the URL /admin/deleteUser for users in the managers group. Various things can go wrong in this situation, leading to access control bypasses.

Some application frameworks support various non-standard HTTP headers that can be used to override the URL in the original request, such as X-Original-URL and X-Rewrite-URL. If a web site uses rigorous front-end controls to restrict access based on URL, but the application allows the URL to be overridden via a request header, then it might be possible to bypass the access controls using a request like the following:

POST / HTTP/1.1
X-Original-URL: /admin/deleteUser
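The header-override bypass described above, as an added example that is not part of the original post or of any real framework's code: a small in-process simulation of a platform-layer DENY rule sitting in front of an application whose router honours X-Original-URL / X-Rewrite-URL, beside a hardened dispatcher that strips those headers at the edge and evaluates the rule on the same path it will actually route. The role names, the Request structure, the routes and the differential_check helper are assumptions for illustration; the helper mirrors the two-account comparison from the steps above by sending the same request as the privileged and the non-privileged role and flagging the case where both get the same successful answer.

```python
from dataclasses import dataclass, field

# Constructed for the demo (not from the original post): one platform-layer
# rule of the form DENY: <method>, <path>, <role>, and the override headers
# that some frameworks honour. Header names are compared case-insensitively,
# because HTTP header names are case-insensitive and a strip rule that only
# matches the canonical spelling can itself be bypassed.
DENY_RULES = {("POST", "/admin/deleteUser", "managers")}
OVERRIDE_HEADERS = {"x-original-url", "x-rewrite-url"}


@dataclass
class Request:
    method: str
    path: str                          # path from the HTTP request line
    role: str                          # role resolved from the session (assumed)
    headers: dict = field(default_factory=dict)


def platform_allows(method: str, path: str, role: str) -> bool:
    """Platform-layer check, e.g. DENY: POST, /admin/deleteUser, managers."""
    return (method, path, role) not in DENY_RULES


def delete_user(req: Request) -> str:
    return "user deleted"


def home(req: Request) -> str:
    return "home"


# Application routes keyed on (method, path). Constructed for the demo.
ROUTES = {("GET", "/"): home, ("POST", "/admin/deleteUser"): delete_user}


def routed_path(req: Request, honour_overrides: bool) -> str:
    """Framework routing: a vulnerable build lets an override header replace
    the path taken from the request line."""
    if honour_overrides:
        for name, value in req.headers.items():
            if name.lower() in OVERRIDE_HEADERS:
                return value
    return req.path


def handle_vulnerable(req: Request):
    # The gate looks at the request-line path ("/"), the router uses the
    # overridden path ("/admin/deleteUser"): the two disagree, rule bypassed.
    if not platform_allows(req.method, req.path, req.role):
        return 403, "forbidden"
    handler = ROUTES.get((req.method, routed_path(req, honour_overrides=True)))
    return (200, handler(req)) if handler else (404, "not found")


def handle_hardened(req: Request):
    # Override headers are dropped at the edge, and the rule is evaluated on
    # the exact path the router will use, so gate and router cannot disagree.
    stripped = {k: v for k, v in req.headers.items()
                if k.lower() not in OVERRIDE_HEADERS}
    clean = Request(req.method, req.path, req.role, stripped)
    target = routed_path(clean, honour_overrides=False)
    if not platform_allows(clean.method, target, clean.role):
        return 403, "forbidden"
    handler = ROUTES.get((clean.method, target))
    return (200, handler(clean)) if handler else (404, "not found")


def bypass_request(role: str = "managers") -> Request:
    """The request from the post: POST / with the admin path in X-Original-URL."""
    return Request("POST", "/", role, {"X-Original-URL": "/admin/deleteUser"})


def differential_check(make_request, handler,
                       privileged: str = "admin",
                       unprivileged: str = "managers") -> bool:
    """Two-account comparison in-process (assumed helper): replay the same
    request as both roles; True means the unprivileged role got the same
    successful result as the privileged one, i.e. a finding to investigate."""
    priv = handler(make_request(privileged))
    unpriv = handler(make_request(unprivileged))
    return priv[0] == 200 and unpriv == priv


if __name__ == "__main__":
    print("vulnerable:", handle_vulnerable(bypass_request()))
    print("hardened:  ", handle_hardened(bypass_request()))
    print("bypass flagged (vulnerable):",
          differential_check(bypass_request, handle_vulnerable))
    print("bypass flagged (hardened):  ",
          differential_check(bypass_request, handle_hardened))
```

The fix worth copying is the second property of handle_hardened, not just the header stripping: whatever value the router ends up dispatching on is the value the access rule is evaluated against. Stripping alone protects against the two header names listed here; evaluating the rule on the routed path protects against any other override mechanism the framework might support.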