1️⃣1. Broken Access Control

https://owasp.org/Top10/A01_2021-Broken_Access_Control/

Description

Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits. Common access control vulnerabilities include:

Violation of the principle of least privilege or deny by default, where access should only be granted for particular capabilities, roles, or users, but is available to anyone.
Bypassing access control checks by modifying the URL (parameter tampering or force browsing), internal application state, or the HTML page, or by using an attack tool modifying API requests.
Permitting viewing or editing someone else's account, by providing its unique identifier (insecure direct object references)
Accessing API with missing access controls for POST, PUT and DELETE.
Elevation of privilege. Acting as a user without being logged in or acting as an admin when logged in as a user.
Metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) access control token, or a cookie or hidden field manipulated to elevate privileges or abusing JWT invalidation.
CORS misconfiguration allows API access from unauthorized/untrusted origins.
Force browsing to authenticated pages as an unauthenticated user or to privileged pages as a standard user.

THM Lab

Task 4 - Broken Access Control (IDOR Challenge)

Insecure Direct Object Reference

IDOR or Insecure Direct Object Reference refers to an access control vulnerability where you can access resources you wouldn't ordinarily be able to see. This occurs when the programmer exposes a Direct Object Reference, which is just an identifier that refers to specific objects within the server. By object, we could mean a file, a user, a bank account in a banking application, or anything really.

4.1 - Look at other users' notes. What is the flag?

Just happen loggin in we can see this pages that contains notes of noot's user with id 1

Changing value of id values we can exploit IDOR vulnerability and obtain the flag:

Flag Task 4.1

flag{fivefourthree}

PreviousOWASP Next2. Cryptographic Failures

Last updated 3 months ago

Description

Violation of the principle of least privilege or deny by default, where access should only be granted for particular capabilities, roles, or users, but is available to anyone.

Bypassing access control checks by modifying the URL (parameter tampering or force browsing), internal application state, or the HTML page, or by using an attack tool modifying API requests.

Permitting viewing or editing someone else's account, by providing its unique identifier (insecure direct object references)

Accessing API with missing access controls for POST, PUT and DELETE.

Elevation of privilege. Acting as a user without being logged in or acting as an admin when logged in as a user.

Metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) access control token, or a cookie or hidden field manipulated to elevate privileges or abusing JWT invalidation.

CORS misconfiguration allows API access from unauthorized/untrusted origins.

Force browsing to authenticated pages as an unauthenticated user or to privileged pages as a standard user.