Bug Testing Methodology Series:
πππ (ππ«π¨π€ππ§ πππππ¬π¬ ππ¨π§ππ«π¨π₯)
Learn how to test for Broken Access Control step by step on real #bugbounty programs.
Threadπ§΅π
#cybersecurity #cybersecuritytips #infosec #hacking #bugbountytips #infosecurity
πππ (ππ«π¨π€ππ§ πππππ¬π¬ ππ¨π§ππ«π¨π₯)
Learn how to test for Broken Access Control step by step on real #bugbounty programs.
Threadπ§΅π
#cybersecurity #cybersecuritytips #infosec #hacking #bugbountytips #infosecurity
Before we start, this thread will not teach exactly how Broken Access Control vulnerabilities arise, but rather a testing methodology.
If you want to learn how BAC bugs work, check this out β‘οΈ portswigger.net/web-security/aβ¦
If you want to learn how BAC bugs work, check this out β‘οΈ portswigger.net/web-security/aβ¦
1οΈβ£ Know your target
In order to know what which user role can do, you have to know your target well.
If documentations are available, make full use of them, if not, use the app as much as you can from the perspective of each user role (have a different account for each role)
In order to know what which user role can do, you have to know your target well.
If documentations are available, make full use of them, if not, use the app as much as you can from the perspective of each user role (have a different account for each role)
2οΈβ£ Test plan
Obviously, you need to have multiple accounts, one for each available user role.
If you're using Chrome, use multiple profiles for each account, and for Firefox, use this extension --> addons.mozilla.org/en-US/firefox/β¦
This is the same when testing for IDORs too.
Obviously, you need to have multiple accounts, one for each available user role.
If you're using Chrome, use multiple profiles for each account, and for Firefox, use this extension --> addons.mozilla.org/en-US/firefox/β¦
This is the same when testing for IDORs too.
3οΈβ£ Testing
The premises of BAC testing is lateral and vertical privilege escalation, seeing if user role A can do what B can, even though he's not supposed to. If he can, then we have a bug.
This consists in replacing cookies/tokens on various requests, such as API calls.
The premises of BAC testing is lateral and vertical privilege escalation, seeing if user role A can do what B can, even though he's not supposed to. If he can, then we have a bug.
This consists in replacing cookies/tokens on various requests, such as API calls.
For example:
/api/admin/users (Admin only)
Try to access it with Normal user privileges
To remove the pain of copy-pasting cookies/tokens/keys for 100 times, use the extension Authorize in Burp Suite.
If the attack fails(as expected), you can try tweak the request in somd ways.
/api/admin/users (Admin only)
Try to access it with Normal user privileges
To remove the pain of copy-pasting cookies/tokens/keys for 100 times, use the extension Authorize in Burp Suite.
If the attack fails(as expected), you can try tweak the request in somd ways.
Try changing request methods, adding/removing params, tokens, headers, etc
Tamper with the URL, inject certain parameters, change some values, JSON β‘οΈ Normal params, force browsing, WHATEVER you can think of.
Fool the system by making it think you have access to that resource.
Tamper with the URL, inject certain parameters, change some values, JSON β‘οΈ Normal params, force browsing, WHATEVER you can think of.
Fool the system by making it think you have access to that resource.
If all fails, move on to the next function.
There's not that many bypasses you can try, if the privileges for your users don't allow for a certain thing, don't spend more than 5 minutes trying to bypass it.
There's a lot of other requests for you to test so don't waste time.
There's not that many bypasses you can try, if the privileges for your users don't allow for a certain thing, don't spend more than 5 minutes trying to bypass it.
There's a lot of other requests for you to test so don't waste time.
That's a wrap!
If you enjoyed this thread:
1. Follow me @shrekysec for more of these
2. RT the tweet below to share this thread with your audience
If you enjoyed this thread:
1. Follow me @shrekysec for more of these
2. RT the tweet below to share this thread with your audience
https://twitter.com/shrekysec/status/1582361108782149634
β’ β’ β’
Missing some Tweet in this thread? You can try to
force a refresh
γ
