A5: 2017 – Broken Access Control (Part 1)

Access control is easily confused with authentication, but access control is about what already authenticated users may do: «OK, I see that you’re John123, let’s see where you can go and where you can’t». You might have a decent authentication mechanism, but if access control is broken the application can’t really tell one user’s data from another’s. Or even worse …


The classic example looks like this. You log in to some web page and go to your account settings or profile. The URL looks like this:


Looks interesting. Let’s change the userid parameter to some other number. If access control is broken, you’ll land in someone else’s account settings. That’s it, end of story.
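The userid mistake in miniature, as an added example that is not code from this post or from Mutillidae: the vulnerable handler beside the fixed one, plus the probe a tester would run instead of editing the URL by hand. The profile data, the handler names and the id range are assumptions made for the example.

```python
# Added example (not from the post or Mutillidae): an IDOR on a userid
# parameter, the vulnerable handler beside the fixed one, and a probe that
# automates "change userid and see what comes back".

# Constructed sample data: two accounts and their private settings.
PROFILES = {
    101: {"user": "John123", "email": "john@example.invalid", "two_factor": True},
    102: {"user": "Alice", "email": "alice@example.invalid", "two_factor": False},
}


class Forbidden(Exception):
    """Raised when the session user may not access the requested object."""


def profile_vulnerable(session_userid, params):
    """Broken access control: the session proves who you are, but which
    profile comes back is decided by the attacker-controlled userid parameter."""
    return PROFILES[int(params["userid"])]


def profile_fixed(session_userid, params):
    """Access control enforced server-side: the object id in the request is
    checked against the authenticated identity before any lookup happens."""
    requested = int(params["userid"])
    if requested != session_userid:
        raise Forbidden(f"user {session_userid} may not read profile {requested}")
    return PROFILES[requested]


def idor_probe(handler, session_userid, candidate_ids):
    """Replay one fixed session against many ids and report every foreign
    profile that comes back. An empty list means the handler held."""
    leaked = []
    for uid in candidate_ids:
        if uid == session_userid:
            continue
        try:
            handler(session_userid, {"userid": str(uid)})
        except (Forbidden, KeyError):
            # Forbidden: the check worked. KeyError: that id is not in use.
            continue
        leaked.append(uid)
    return leaked


if __name__ == "__main__":
    # John (101) walks ids 100..103 against both handlers.
    print("vulnerable leaks:", idor_probe(profile_vulnerable, 101, range(100, 104)))
    print("fixed leaks:     ", idor_probe(profile_fixed, 101, range(100, 104)))
```

The stricter fix is to drop the parameter altogether and key the lookup on the session; where an object legitimately has more than one reader (support staff, admins), the equality check becomes an ownership or role policy, but it stays on the server and never in the URL.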

Wait a second, we’re using expensive SAST and DAST solutions, how did we miss it? Well, the problem is that these tools can tell you whether an access control check is present or not; they cannot tell whether it is effective, because which user is supposed to see which object is business logic the scanner does not know. Broken access control comes in many shapes and flavours. Let’s get to OWASP Mutillidae II.

Some people think that if a web page isn’t linked from any other page with a hyperlink, there’s no way to find it. I say that with a bit of intuition you’ll find it with no trouble at all. Ask yourself, how do you usually manage MySQL on a server? With phpMyAdmin, of course. And how do you access it? Let’s make a wild guess:

Bingo! This secret page isn’t so secret after all; an unlinked page is not a protected page. But this is a top-shelf cookie. Some people say there’s no such thing as intuition or special mental powers. I guess so; in fact we don’t guess things, we try things we already know from experience, sometimes quite subconsciously. If you were a web developer for a couple of years you start to see things and discover such flaws in seconds.


In fact, we can find even more hidden things with ZAP and its directory-busting (forced browse) plug-in. Let’s start ZAP, add our web page and start browsing.

To discover hidden pages we use a sort of brute force. Our dictionary is directory-list-1.0.txt and it contains the common paths of popular web projects. You see, nobody makes anything from scratch these days. Most of the time we use pre-built engines, frameworks, libraries or even whole pieces of code that someone shared, and they bring their well-known paths with them.


Hey, we got something. The /icons/ directory is accessible as it is and can contain something interesting.
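Both the phpMyAdmin guess above and the wordlist run in ZAP are the same technique: ask for paths that were never linked and see which ones answer. The core of such a directory buster, as an added example that is not ZAP’s or DirBuster’s code, with the one refinement that separates real hits from noise (a baseline for what this server’s «not found» looks like, so a site that answers 200 for everything does not light up the whole wordlist). The fetch function is injected, so the example runs offline against a constructed stand-in for a web server; the paths, wordlist and responses are assumptions.

```python
# Added example (not ZAP's or DirBuster's code): a minimal directory buster
# with a soft-404 baseline. Swap fetch_plain for a function built on
# urllib/requests to run it against a real target.
import random
import string

# Constructed stand-in for a web server: path -> (status, body).
FAKE_SITE = {
    "/icons/": (200, "<title>Index of /icons</title>"),
    "/phpmyadmin/": (200, "<title>phpMyAdmin</title>"),
    "/admin/": (403, "Forbidden"),
}


def fetch_plain(path):
    """A server that answers 404 for unknown paths."""
    return FAKE_SITE.get(path, (404, "Not Found"))


def fetch_soft404(path):
    """A server that answers 200 with a friendly page for unknown paths:
    every word in the list would 'hit' if we trusted the status code alone."""
    return FAKE_SITE.get(path, (200, "<title>Sorry, that page is missing</title>"))


def missing_signature(fetch, samples=3):
    """What does 'not found' look like on this server? Ask for a few random
    paths that cannot exist and remember their (status, body) pairs."""
    seen = set()
    for _ in range(samples):
        name = "".join(random.choices(string.ascii_lowercase, k=16))
        seen.add(fetch(f"/{name}/"))
    return seen


def dirbust(fetch, wordlist, interesting=(200, 301, 302, 401, 403), use_baseline=True):
    """Try each word as a directory; keep responses with an interesting status
    that do not look like the server's own 'missing' response."""
    missing = missing_signature(fetch) if use_baseline else set()
    hits = []
    for word in wordlist:
        path = "/" + word.strip("/") + "/"
        status, body = fetch(path)
        if status not in interesting or (status, body) in missing:
            continue
        hits.append((path, status))
    return hits


# Constructed mini wordlist in the spirit of directory-list-1.0.txt.
WORDLIST = ["icons", "admin", "phpmyadmin", "backup", "cgi-bin"]

if __name__ == "__main__":
    print(dirbust(fetch_plain, WORDLIST))
    print(dirbust(fetch_soft404, WORDLIST))
    print(dirbust(fetch_soft404, WORDLIST, use_baseline=False))
```

Against a real server the baseline comparison should be on response length or a similarity score rather than an exact body match, since soft-404 pages usually echo the requested path; ZAP and DirBuster do this for you, which is the reason to let a tool run the wordlist instead of a hand-rolled loop.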

Let’s take a look at another example. It’s under «A5 Broken access control» > «Insecure Direct Object Reference» > «Text File View». Here are some old-school hacking texts, dusty old manuscripts of sacred wisdom. Let’s choose «How to hold onto UNIX Root once you have it» (sounds very promising) and hit «View File». Oh great, more wisdom. Let’s analyze the request we sent in ZAP:

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Cookie: showhints=1; PHPSESSID=877628a387439cadbfc1c53de8dc4676
Connection: keep-alive
Upgrade-Insecure-Requests: 1


This textfile parameter looks interesting. It seems that the script fetches a file from http://www.textfiles.com and displays it through text-file-viewer.php. OK, let’s display something else with this script. Let’s take the POST request in ZAP and change it a little.
Let’s change http%3A%2F%2Fwww.textfiles.com%2Fhacking%2Fbackdoor.txt to /etc/passwd, hit enter, and here we go: all the accounts on our server.


The request was tampered with so that the script would pull in something other than what the developer intended. Local files are the primary targets here, which is why this attack is called «Local File Inclusion». Note that the same parameter also accepts a remote URL, so the script will presumably fetch from other hosts too, and the reach of the bug is not limited to the local disk. In the next article we’ll see how deep the rabbit hole goes.
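What the textfile parameter would have to survive if the feature must keep fetching named files, as an added example that is not Mutillidae’s text-file-viewer.php: remote names are allowlisted by host, local names are confined to one directory after path resolution, and everything else is rejected. The allowed host, the base directory and the sample values are assumptions made for the example.

```python
# Added example (not Mutillidae's viewer): validating a "show me this text
# file" parameter that may name either a remote URL or a local file.
import os
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.textfiles.com"}  # the only remote source the viewer uses


def check_remote(value):
    """Accept only http(s) URLs whose host is on the allowlist. Parsing with
    urlsplit defeats tricks like http://www.textfiles.com@evil.invalid/."""
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username or parts.password:
        return False
    return parts.hostname in ALLOWED_HOSTS


def resolve_local(value, base_dir):
    """Return the resolved absolute path if it stays inside base_dir, else None.
    os.path.join discards base_dir when value is absolute, and realpath
    collapses '..' and symlinks, so both /etc/passwd and ../../etc/passwd end
    up outside the base and are rejected."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, value))
    if target == base or os.path.commonpath([base, target]) != base:
        return None
    return target


def classify(value, base_dir):
    """Decide how the viewer may treat the parameter: 'remote', 'local' or
    'reject'. A real viewer would fetch or open only on the first two."""
    if "://" in value:
        return "remote" if check_remote(value) else "reject"
    return "local" if resolve_local(value, base_dir) else "reject"


if __name__ == "__main__":
    base = "/srv/textfiles"  # assumed local directory of the viewer
    for v in ["http://www.textfiles.com/hacking/backdoor.txt",
              "http://www.textfiles.com@evil.invalid/x.txt",
              "file:///etc/passwd",
              "backdoor.txt",
              "/etc/passwd",
              "../../etc/passwd"]:
        print(f"{v:50} -> {classify(v, base)}")
```

The simpler and safer design, which is what the «Insecure Direct Object Reference» label hints at, is to never accept a path or URL from the client at all: keep a server-side table of ids to files and let the form submit only the id.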
