Explaining Vulnerabilities : Broken Access Control

What is Broken Access Control?

• Broken Access Control (BAC) is a vulnerability in an application, in which attackers can perform horizontal or/and vertical privilege escalation.
• Essentially, this vulnerability allows attackers to execute functions that they are “prohibited” to execute.

To find/hunt for BACs , we need to keep these conditions in mind:

• We have to create different users (with different privileges if possible)
• For vertical privilege escalation it is required that we use both low privileged user, and admin users / higher privileged users.

Attack strategy

• The best way to test for BACs , is by using JavaScript and the developer console of the browser .
• We want JavaScript files of the web application because that’s where functions are stored, and soon to be executed. One common way developers protect their applications is to disable the UI elements. However, this does not mean that the functions can’t be executed.
• If, for instance, we are on a ecommerce website and there is a Javascript function that updates the stock count, but we don’t see it anywhere on the page, we might still be able to execute it using javascript and the developer console. That is a BAC.
• Another way to test for BACs is by simply logging into the higher privileged account, navigate to a functionality that ONLY the admin can execute, copy the URL , log in as the lower privileged user and paste the URL in the browser. Sometimes, this works, but usually developers tend to secure this exploit.
• Another tactic we can use is to send all of our requests that the lower privileged user cannot execute, to our proxy (recommended : Burp), send it to Repeater and replace the authorisation method. Basically executing the functionality, but with a lower privileged user. If that is successful, congratulations, you’ve found a BAC.

I hope you’ve found this quick guide useful . Follow me for more content like this, and for more vulnerabilities explained :)