AppSec Tales VII | ACCESS

Karol Mazurek
9 min read · Jun 2, 2022

Application Security Testing of the Broken Access Control Guidelines.

INTRODUCTION

The article describes how to test the application for Broken Access Control vulnerabilities to ensure a secure authorization process.
The advice in this article is based on:

  • OWASP Web Security Testing Guide
  • OWASP Application Security Verification Standard
  • NIST recommendations
  • bug bounty reports
  • own experience

I will provide a short test sample, a potential impact or an attack scenario, and a possible solution to the problem at each point.

TEST SAMPLE PREPARATION

Before testing for Broken Access Control, collect a test sample of the application's endpoints.

  • Use the highest privileges (e.g., admin account) to avoid missing endpoints.
  • First, it is best to manually click through the applications using a browser proxied through the Burp Suite tool.
  • Second, use crimson_target, or feroxbuster together with gospider, to gather more endpoints that are not reachable through the application GUI.
  • Then proxy any URLs found to Burp Suite and use Param Miner to gather hidden parameters.
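The steps above end with a raw pile of URLs collected under the highest privilege level. Before the actual authorization tests, that pile has to be turned into a deduplicated list of endpoints and parameters, and then into a matrix of "which role should be able to reach which endpoint". The following script is an added example written for this article, not the author's tooling and not output of Burp Suite, feroxbuster or gospider: it takes a plain list of URLs (the kind you can export from the Burp site map or a crawler), collapses numeric and UUID path segments into an `{id}` placeholder, drops static assets, merges query parameter names per endpoint, and expands the result into a role-by-endpoint test matrix. The sample URLs, the `app.example` host and the role names are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample input: the sort of URL list you would export from the
# Burp site map or a crawler after clicking through the app as an admin.
# These are not real tool output and app.example is a placeholder host.
SAMPLE_URLS = """
https://app.example/api/users/17
https://app.example/api/users/42?expand=roles
https://app.example/api/users/42/orders?page=2
https://app.example/api/admin/settings
https://app.example/api/admin/settings?debug=1
https://app.example/api/users/17#profile
https://app.example/static/logo.png
""".strip().splitlines()

# Static assets are noise for authorization testing; skip them.
STATIC_EXT = {".png", ".jpg", ".gif", ".css", ".js", ".ico", ".svg", ".woff"}

# A path segment that is an integer or a UUID is treated as an object id,
# so /api/users/17 and /api/users/42 become the same endpoint template.
ID_SEGMENT = re.compile(
    r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$",
    re.IGNORECASE,
)


def template_path(path):
    """Replace id-like segments with {id} so object instances collapse."""
    return "/".join("{id}" if ID_SEGMENT.match(seg) else seg for seg in path.split("/"))


def build_test_sample(urls):
    """Map endpoint template -> set of query parameter names seen for it."""
    sample = {}
    for raw in urls:
        raw = raw.strip()
        if not raw:
            continue
        parts = urlsplit(raw)          # fragment (#...) is dropped automatically
        path = parts.path or "/"
        if any(path.lower().endswith(ext) for ext in STATIC_EXT):
            continue
        key = template_path(path)
        params = sample.setdefault(key, set())
        params.update(name for name, _ in parse_qsl(parts.query, keep_blank_values=True))
    return sample


def build_test_matrix(sample, roles):
    """Expand the sample into (role, endpoint, sorted params) test cases.

    Every endpoint discovered with the highest privileges is re-tested with
    each lower role, including an unauthenticated one, so that missing or
    inconsistent authorization checks show up as a per-cell difference.
    """
    return [
        (role, endpoint, sorted(sample[endpoint]))
        for endpoint in sorted(sample)
        for role in roles
    ]


if __name__ == "__main__":
    sample = build_test_sample(SAMPLE_URLS)
    for endpoint, params in sorted(sample.items()):
        print(f"{endpoint:32s} params={sorted(params)}")
    # Roles are assumed for the example; use the roles your application defines.
    for role, endpoint, params in build_test_matrix(sample, ["admin", "user", "anonymous"]):
        print(f"[{role:9s}] {endpoint} {params}")
```

The matrix is the artefact the rest of the tests run against: each cell is one request made with one role's session, and the expected outcome for each cell comes from the application's authorization model, not from what the admin session happened to return.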
