Bypassing Authorization Schema

Check List

Methodology

Black Box

Broken Authorization

1. Authenticate to the application using a standard (non-administrative) user account.

2. Identify administrative functions by browsing the application as an admin user (if available), or by enumerating common administrative paths such as

    https://www.example.com/admin/addUser.jsp

3. Capture a legitimate administrative request, for example

    POST /admin/addUser.jsp HTTP/1.1
    Host: www.example.com

    userID=fakeuser&role=3&group=grp001

4. Log out from the administrator account.

5. Log in as a non-administrative (standard privilege) user.

6. Replay the captured administrative request using the standard user’s session.

7. Observe whether the server processes the request successfully (creates a new user).

8. If the request succeeds, verify whether the newly created user account is active and functional.


Horizontal Authorization Bypass

1. Register two separate user accounts with identical roles and privileges (userA and userB).

2. Log in as both users in separate browsers or sessions.

3. Capture the session identifiers (SessionID) for both users.

4. Identify a function accessible to both users, such as

    POST /account/viewSettings HTTP/1.1
    Host: www.example.com
    Cookie: SessionID=USERA_SESSION

    username=userA

5. Confirm that the legitimate response for userA returns only userA’s personal data.

6. While logged in as userB, intercept a similar request and modify the username parameter to userA, keeping SessionID=USERB_SESSION.

7. Send the modified request

    POST /account/viewSettings HTTP/1.1
    Host: www.example.com
    Cookie: SessionID=USERB_SESSION

    username=userA

8. Observe the server response.

9. If the response contains userA’s private data while authenticated as userB, unauthorized horizontal access is confirmed.


Broken Authorization via Header Handling

1. Identify a restricted endpoint that is blocked by frontend access control (for example /admin or /console).

2. Attempt to access the restricted endpoint directly

    GET /admin HTTP/1.1
    Host: www.example.com

   Note whether the server responds with a 403 status code or an "Access Unauthorized" message.

3. Send a normal baseline request without special headers

    GET / HTTP/1.1
    Host: www.example.com

   Record the response for comparison.

4. Send a request including the X-Original-URL header pointing to a non-existent resource

    GET / HTTP/1.1
    Host: www.example.com
    X-Original-URL: /donotexist1

   Observe the response.

5. Check whether the response returns indicators such as an HTTP 404 status code or a “Resource not found” message. If so, the X-Original-URL header is supported.

6. Send a request including the X-Rewrite-URL header pointing to a non-existent resource

    GET / HTTP/1.1
    Host: www.example.com
    X-Rewrite-URL: /donotexist2

   Observe the response.

7. If the response indicates the non-existent resource was processed, the X-Rewrite-URL header is supported.

8. After confirming header support, attempt the access control bypass by sending a request to an allowed endpoint (/) while specifying the restricted endpoint in the supported header

    GET / HTTP/1.1
    Host: www.example.com
    X-Original-URL: /admin

   or

    GET / HTTP/1.1
    Host: www.example.com
    X-Rewrite-URL: /admin

9. Observe whether the application processes the restricted resource and returns its content.

10. The vulnerability is confirmed if the restricted endpoint becomes accessible through header manipulation despite direct access being blocked.
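The three checks above (replayed admin request, username swap, path-override headers) all fail against the same server-side rule: derive identity and the target route only from data the client cannot choose. The following is an added illustration, not code from this checklist or any real application; the session store, roles, settings and the viewSettings/addUser handlers are constructed for the example, and it shows the vulnerable settings handler beside the hardened one.

```python
from dataclasses import dataclass, field

# Constructed sample data: server-side session store, roles and per-user settings.
SESSIONS = {"USERA_SESSION": "userA", "USERB_SESSION": "userB", "ADM_SESSION": "admin"}
ROLES = {"userA": "user", "userB": "user", "admin": "admin"}
SETTINGS = {"userA": {"email": "a@example.com"}, "userB": {"email": "b@example.com"}}
USERS = set(ROLES)

@dataclass
class Request:
    path: str                              # path taken from the request line
    cookie: str                            # SessionID cookie value
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)

def principal(req):
    """Identity comes only from the server-side session, never from a parameter."""
    return SESSIONS.get(req.cookie)

def view_settings_vulnerable(req):
    # BAD: trusts the client-supplied username, so userB's session can read userA's
    # record simply by changing the parameter (the horizontal bypass in step 7).
    return 200, SETTINGS.get(req.params.get("username"))

def view_settings(req):
    user = principal(req)
    if user is None:
        return 401, None
    return 200, SETTINGS[user]             # any username parameter is ignored

def add_user(req):
    user = principal(req)
    if user is None:
        return 401, None
    if ROLES.get(user) != "admin":         # a captured admin request replayed from a
        return 403, None                   # standard user's session is rejected here
    new = req.params["userID"]
    USERS.add(new)
    ROLES[new] = "user"
    return 201, new

ROUTES = {"/account/viewSettings": view_settings, "/admin/addUser.jsp": add_user}
OVERRIDE_HEADERS = {"x-original-url", "x-rewrite-url"}

def dispatch(req):
    """Route on the request-line path only; refuse client-supplied path overrides."""
    if OVERRIDE_HEADERS & {h.lower() for h in req.headers}:
        return 400, None
    handler = ROUTES.get(req.path)
    return handler(req) if handler else (404, None)
```

Where a trusted reverse proxy legitimately sets X-Original-URL or X-Rewrite-URL, the rule becomes: strip those headers at the proxy from client traffic, and apply the access check to the path that is actually routed rather than to the original request line.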

