Skip to main content

index

Authentication & Authorization

Authentication & authorization vulnerabilities occur when a system fails to properly verify who a user is (authentication) or what they are allowed to do (authorization). Weak authentication allows attackers to impersonate users through flaws like poor passwords or bypassable login checks. Broken authorization lets attackers access data or actions beyond their permissions due to improper access controls. Together, these flaws can lead to account takeover, data leaks, and full system compromise.

Basic Checks for Authentication

  • Check if session cookies are guessable (integer IDs, sequential numbers, UUID v1, encoded JSON, base64, predictable hashes).
  • Test case variations during registration/login (e.g., admin / Admin / ADMIn).
  • Attempt accounts with trailing or leading spaces (e.g., admin , admin, admin ).
  • Try Unicode homograph characters (а vs a, zero-width space, accents).
  • Attempt login with different encodings (URL-encoded, double-encoded, UTF-7/UTF-16).
  • Check if login form leaks timing differences (invalid username vs valid username).
  • Check if password reset page reveals valid users (email enumeration).
  • Try login via HTTP method bypass: POST vs GET vs PUT.
  • Try alternative content types: application/json, multipart/form-data, x-www-form-urlencoded.

Authorization / Access Control Checks

Horizontal Privilege Escalation
  • Change your user ID in requests (e.g., /user/123 → /user/124).
  • Modify object IDs inside JSON body: "user_id": 1.
  • Test mass assignment by adding fields not shown in UI (e.g., "role": "admin").
  • Add extra parameters (e.g., user[admin]=1 or user[admin]=true) in requests to see if privileged fields can be overwritten.
  • Try alternative content types: application/json or application/xml
Vertical Privilege Escalation
  • Visit admin endpoints directly: /admin, /dashboard/admin, /config.
  • Try API variants: /api/admin, /v1/admin, /internal/admin.
  • Replace "user" with "admin" in URLs.
  • Try HTTP method override headers:
    • X-HTTP-Method-Override: PUT
  • Check if disabled buttons can be re-enabled by editing HTML.