Insecure Access Control Methods
Some applications employ a fundamentally insecure access control model in which access control decisions are made on the basis of request parameters submitted by the client. In some versions of this model, the application determines a user’s role or access level at the time of login and from this point onwards transmits this information via the client in a hidden form field, cookie, or preset query string parameter (see Chapter 5). When each subsequent request is processed, the application reads this request parameter and decides what access to grant the user accordingly.
For example, an administrator using the application may see URLs like the
following:
https://wahh-app.com/login/home.jsp?admin=true
while the URLs seen by ordinary users contain a different parameter, or none
at all. Any user who is aware of the parameter assigned to administrators can
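The model described above, as an added example that is not from the book: a handler that trusts a client-supplied `admin` parameter beside one that derives the role from a server-side session store. The session store, token values and handler names are assumptions for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Constructed server-side session store (assumption): token -> user record.
# In a real application this lives in a database or session backend.
SESSIONS = {
    "tok-admin-1": {"user": "alice", "role": "admin"},
    "tok-user-7": {"user": "bob", "role": "user"},
}


def parse_request(url: str, cookies: dict) -> dict:
    """Split a request into path, first-value query parameters and cookies."""
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return {"path": parsed.path, "params": params, "cookies": cookies}


def is_admin_insecure(request: dict) -> bool:
    """Insecure model: the role is whatever the client says it is."""
    return request["params"].get("admin") == "true"


def is_admin_secure(request: dict, sessions: dict = SESSIONS) -> bool:
    """Server-side model: the role comes from the session identified by the
    session cookie; client-controlled parameters play no part in the decision."""
    session = sessions.get(request["cookies"].get("session"))
    return session is not None and session["role"] == "admin"


def admin_home(request: dict, check) -> str:
    """Simulated handler for /login/home.jsp guarded by the given check."""
    return "200 admin view" if check(request) else "403 forbidden"


if __name__ == "__main__":
    # Constructed request: ordinary user bob presents the admin parameter
    # while holding only a normal-user session.
    forged = parse_request(
        "https://wahh-app.com/login/home.jsp?admin=true",
        {"session": "tok-user-7"},
    )
    print(admin_home(forged, is_admin_insecure))  # 200 admin view
    print(admin_home(forged, is_admin_secure))    # 403 forbidden
```

The second check also fails closed when no session cookie is present at all, which is the behaviour a reviewer should look for in any access control decision.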