Weak Access Controls

Weak Access Controls occur when an application does not properly enforce restrictions on who can access certain resources or perform specific actions.

Missing Access Controls

The example below is based on PortSwigger's "Multi-step process with no access control on one step" lab.

We first need to log into the app as administrator and understand how the process of elevating user privileges works (Figure 1).

Figure 1: Elevating carlos's privileges using the administrator account.

Next, we can perform some A-B testing to see if proper access controls are in place for all the steps. That is, logging in as a non-privileged user (wiener) and repeating the same requests we made as administrator (Figure 2).

Figure 2: Performing A-B testing in the user upgrade process.

The same process is outlined below using a Delete function instead of an Upgrade function (Figure 3).

Figure 3: The process for testing access controls (image taken from here).

Referer-based Access Controls

The example below is based on PortSwigger's "Referer-based access control" lab.

As before, we will first try to understand how the upgrade functionality works (Figure 4).

Figure 4: Stepping through the upgrade functionality as administrator.

Both steps seem to have proper access control in place (Figure 5).

Figure 5: Performing A-B testing in the user upgrade process.

We can try tampering with the Referer header to see whether we are able to bypass the current access controls (Figure 6).

Figure 6: Testing for Referer-based access controls.
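The following is an added example, not code from the original notes or from PortSwigger's labs. It models the two-step "upgrade user" flow from both sections above (missing check on the second step, and a Referer-only check on the second step) next to a hardened version, and reproduces the A-B testing method from Figures 2, 5 and 6: the same requests are replayed as administrator and as wiener and the outcomes compared. The `Request` class, the user and role names, the `shop.example` host and the handler names are all constructed for this example.

```python
from dataclasses import dataclass, field

# Roles as the server knows them (constructed sample data: the lab's three users).
def fresh_roles():
    return {"administrator": "admin", "wiener": "user", "carlos": "user"}

@dataclass
class Request:
    """Constructed stand-in for an HTTP request after session resolution."""
    params: dict
    headers: dict = field(default_factory=dict)
    user: str = "anonymous"   # identity resolved from the session cookie, server-side

def role_of(roles, user):
    return roles.get(user, "anonymous")

def step1_confirm(req, roles):
    """Step 1: render the 'are you sure?' page. Guarded in every variant."""
    return 200 if role_of(roles, req.user) == "admin" else 401

def step2_missing(req, roles):
    """Step 2, variant A: no check at all; assumes step 1 was already passed."""
    roles[req.params["username"]] = "admin"
    return 302

def step2_referer(req, roles):
    """Step 2, variant B: trusts the Referer header, which the client chooses."""
    if not req.headers.get("Referer", "").startswith("https://shop.example/admin"):
        return 401
    roles[req.params["username"]] = "admin"
    return 302

def step2_hardened(req, roles):
    """Step 2, variant C: repeats the server-side role check on every step."""
    if role_of(roles, req.user) != "admin":
        return 401
    if req.params.get("confirmed") != "true":
        return 400
    roles[req.params["username"]] = "admin"
    return 302

def ab_test(step2, headers=None):
    """A-B test: replay the same two requests as administrator and as wiener.

    Returns {user: (step1_status, step2_status, carlos_role_afterwards)}.
    """
    results = {}
    for user in ("administrator", "wiener"):
        roles = fresh_roles()
        params = {"username": "carlos", "action": "upgrade", "confirmed": "true"}
        req = Request(params, dict(headers or {}), user)
        s1 = step1_confirm(req, roles)
        s2 = step2(req, roles)
        results[user] = (s1, s2, roles["carlos"])
    return results

def is_vulnerable(results):
    """Weak control: the non-privileged replay still ends with carlos promoted."""
    return results["wiener"][2] == "admin"

if __name__ == "__main__":
    admin_referer = {"Referer": "https://shop.example/admin"}
    for name, handler, hdrs in (
        ("missing check", step2_missing, None),
        ("referer check, no header", step2_referer, None),
        ("referer check, header set", step2_referer, admin_referer),
        ("hardened", step2_hardened, admin_referer),
    ):
        r = ab_test(handler, hdrs)
        print(f"{name:28} vulnerable={is_vulnerable(r)} {r}")
```

Variant B looks safe in a plain A-B test (both users get 401 on step 2 without a Referer, matching Figure 5) and only fails once the header is supplied, which is why the Referer test in Figure 6 is a separate step. The hardened variant derives the decision from the session's server-side role and ignores the header entirely; on the detection side, a 401 on step 1 followed by a 302 on step 2 from the same session is the pattern the A-B test makes visible.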
