Exposed Secrets: The Peril of Broken Access Control
Hello everyone, I hope you all are doing great.
I am back with another writeup.
So first let’s understand what broken access control is
Broken Access Control
A Broken access control vulnerability is a type of security flaw that allows an unauthorized user access to restricted resources. By exploiting this vulnerability, attackers can circumvent standard security procedures and gain unauthorized access to sensitive information or systems.
Broken Access Control
Let’s Begin
So the website was a school management website where teachers can manage the details of students, make their report, complaints and others information.
Broken Access Control
So the website has two accounts one for students and one for teachers
And the difference between the accounts is 2 factor authentication. When students login they will login without 2fa.
MFA
And when teachers login they are asked give the 2fa code.
We found many bugs inside the website but we will cover those in other blog. Here we will talk about Broken Access Control.
So teachers can access any students files and edit them but students were only able to see their own files and information.
So first I visited a students profile and there we were able to see it’s result and marks. And then we copied the link that was https://www.victim.com/student_id/details.
We logged out from the website and login using a student Id.
And visited the link. And it shows the page don’t exist.
Bypass
So after playing with this I got a tip If You Want To Read More Visit Us