Exposed Secrets: The Peril of Broken Access Control

Nitin yadav
2 min readMay 1, 2024

--

Hello everyone, I hope you all are doing great.

I am back with another writeup.

So first let’s understand what broken access control is

Broken Access Control

A Broken access control vulnerability is a type of security flaw that allows an unauthorized user access to restricted resources. By exploiting this vulnerability, attackers can circumvent standard security procedures and gain unauthorized access to sensitive information or systems.

Broken Access Control

Let’s Begin

So the website was a school management website where teachers can manage the details of students, make their report, complaints and others information.

Broken Access Control

So the website has two accounts one for students and one for teachers

And the difference between the accounts is 2 factor authentication. When students login they will login without 2fa.

MFA

And when teachers login they are asked give the 2fa code.

We found many bugs inside the website but we will cover those in other blog. Here we will talk about Broken Access Control.

So teachers can access any students files and edit them but students were only able to see their own files and information.

So first I visited a students profile and there we were able to see it’s result and marks. And then we copied the link that was https://www.victim.com/student_id/details.

We logged out from the website and login using a student Id.

And visited the link. And it shows the page don’t exist.

Bypass

So after playing with this I got a tip If You Want To Read More Visit Us

--

--

Nitin yadav

Computer Science Student | Bug Hunter | Cyber Security Enthusiast | Contact : https://linktr.ee/ydv_nitin