AppSec Tales VII | ACCESS

Karol Mazurek
9 min read · Jun 2, 2022

Application Security Testing of the Broken Access Control Guidelines.

INTRODUCTION

The article describes how to test the application for Broken Access Control vulnerabilities to ensure a secure authorization process.
The advice in this article is based on:

  • OWASP Web Security Testing Guide
  • OWASP Application Security Verification Standard
  • NIST recommendations
  • bug bounty reports
  • Own experience

I will provide a short test sample, a potential impact or an attack scenario, and a possible solution to the problem at each point.

TEST SAMPLE PREPARATION

Before testing for Broken Access Control, collect a test sample.

  • Use the highest privileges available (e.g., an admin account) so that no endpoints are missed.
  • First, manually click through the application in a browser proxied through Burp Suite.
  • Second, use crimson_target, or feroxbuster together with gospider, to gather endpoints that are not reachable through the application GUI.
  • Then proxy every URL found back through Burp Suite and use Param Miner to discover hidden parameters.
  • Finally, export the whole URL list from Burp Suite to a TXT file for use by the other tools.
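As an added example (not part of the original article or any of the tools it names), a small Python helper that takes the exported URL list from the last step and collapses it into a deduplicated set of endpoint templates, so the sample handed to the later authorization tests has one entry per distinct path shape rather than one per ID value. The file contents, hostnames and paths below are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl

# Constructed stand-in for a Burp Suite "Copy URLs" export; not real data.
SAMPLE_EXPORT = """\
https://app.example.test/api/v1/users/1042/profile?tab=security
https://app.example.test/api/v1/users/77/profile?tab=billing
https://app.example.test/api/v1/users/1042/profile?tab=security
https://app.example.test/admin/reports/3f1c2a7e-9b4d-4c1e-8a2f-0d5e6b7c8a9f
https://app.example.test/admin/reports/0aaa1bbb-2ccc-4ddd-8eee-ffff00001111/export?format=csv&period=30d
https://app.example.test/static/js/app.js
http://app.example.test/api/v1/users/5/profile
"""

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
NUM_RE = re.compile(r"^\d+$")
# Static assets carry no authorization decision, so they only bloat the sample.
STATIC_EXT = (".js", ".css", ".png", ".jpg", ".svg", ".woff", ".woff2", ".ico", ".map")

def normalize(url):
    """Reduce a concrete URL to an endpoint template.

    Numeric and UUID path segments become {id}; query values are dropped and
    parameter names sorted, because values are test data, not endpoint identity.
    """
    parts = urlsplit(url.strip())
    segs = ["{id}" if NUM_RE.match(s) or UUID_RE.match(s) else s
            for s in parts.path.split("/")]
    path = "/".join(segs) or "/"
    names = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    return urlunsplit((parts.scheme, parts.netloc.lower(), path, "&".join(names), ""))

def build_sample(text, skip_static=True):
    """Map each endpoint template to the first concrete URL seen for it, in file order."""
    sample = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if skip_static and urlsplit(line).path.lower().endswith(STATIC_EXT):
            continue
        sample.setdefault(normalize(line), line)
    return sample

if __name__ == "__main__":
    for template, example in build_sample(SAMPLE_EXPORT).items():
        print(f"{template}\t(e.g. {example})")
```

The kept concrete URL for each template is the request you replay later with lower-privileged and unauthenticated sessions; keeping http and https as separate templates is deliberate, since they may be served by different handlers.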

CRAWLING & BRUTE-FORCING ENDPOINTS

Source: Own study — Gathering new endpoints using crimson.
crimson_target -D ""  -c "" -b

BRUTE-FORCING ENDPOINTS

Source: Own study — Gathering new endpoints using feroxbuster.
feroxbuster -kre -w "" -u "" -H "" -o "ferox.txt"

CRAWLING ENDPOINTS

Source: Own study — Gathering new endpoints using gospider.
echo d|httpx -silent|gospider…