What I extracted from Jason Haddix's video in Bugcrowd University - Broken Access Control

✅Create 2 accounts, log out, log in to the first account and try requests with the second GUID.
✅Search for other endpoints or web services that might leak other UIDs.

#bugbountytips 1/6
✅Page uses a function to render/include a page, so we can use an arbitrary path to get content from the server.
GET /view?pg=termandservices
GET /view?pg=../../../../../etc/passwd%00
✅GET /admin/viewtransactions - ACCESS DENIED
GET /ADMIN/viewtransactions - ACCESS GRANTED

2/6
✅GET /patientImages/3216647.jpg
GET /patientDocuments/1235.pdf
✅Many times the page's functions are not access controlled, which means we can change the parameters
POST /admin/viewTransactions.ashx?admin=true&from=08032017&to=08032018
(ex: change the price parameter)
3/6
✅In a multi-step workflow sometimes an attacker can skip steps (ex: skip the payment step in a purchase operation)
✅If we are searching for broken access control we need to become a power user (the more we use the application, the more chances we have to discover vulns)
4/6
✅Most common parameters in numeric values under 10 digits: id, user, account, number, order, no.
✅Most common parameters in functions: doc, key, email, group, profile, edit.
✅Create a function matrix to understand what an admin or an user should be able to do or not
5/6
✅ Best tool to explore broken access control, especially IDORs - Burp Intruder
✅Extensions we can use in Burp to explore this type of vulns - Auth Matrix, Authz, Autorize, AutoRepeater
6/6
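The thread's function matrix (tweet 5/6) and the /admin vs /ADMIN bypass (tweet 2/6) can be turned into a regression check. The following is an added example, not part of the thread or of Bugcrowd's material: a constructed in-memory role/route matrix, a naive check that compares the raw path, a hardened check that canonicalises the path before the deny-by-default lookup, and an audit that runs every role against case and encoding variants of every route. The routes, roles and status codes are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

# Constructed access matrix: (method, canonical path) -> roles allowed.
MATRIX = {
    ("GET", "/admin/viewtransactions"): {"admin"},
    ("GET", "/view"): {"admin", "user"},
}
ROLES = ("admin", "user", "anonymous")

def expected_status(role, method, path):
    """What the matrix says a request should receive; deny by default."""
    allowed = MATRIX.get((method, path))
    if allowed is None:
        return 404
    return 200 if role in allowed else 403

def naive_authorize(role, method, path):
    """Weak check: the admin-prefix test is case-sensitive while the route
    lookup is case-insensitive (like the thread's /admin vs /ADMIN), so
    /ADMIN/viewtransactions is routed but never denied, and anonymous users
    are not considered at all."""
    if path.startswith("/admin/") and role != "admin":
        return 403
    return 200 if (method, path.lower()) in MATRIX else 404

def canonical(path):
    """Percent-decode, collapse ./.. segments and lowercase so every
    spelling of a route maps to the single key used in MATRIX."""
    return posixpath.normpath(unquote(path)).lower()

def hardened_authorize(role, method, path):
    """Canonicalise first, then consult the matrix (deny by default)."""
    return expected_status(role, method, canonical(path))

def variants(path):
    """Spellings of one route a tester would send: as-is, upper, title-case,
    and the first 'v' percent-encoded."""
    return [path, path.upper(), path.title(), path.replace("v", "%76", 1)]

def audit(authorize):
    """Run every role against every variant of every route and return the
    grants (HTTP 200) the matrix does not allow."""
    over_grants = []
    for method, path in MATRIX:
        for variant in variants(path):
            for role in ROLES:
                want = expected_status(role, method, path)
                if authorize(role, method, variant) == 200 and want != 200:
                    over_grants.append((role, method, variant))
    return over_grants
```

Running `audit(naive_authorize)` lists the case-variant and anonymous over-grants, while `audit(hardened_authorize)` returns an empty list.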