tion layer, but you may still have limited access to the database and

■

A single exploitable access control vulnerability in the right location may

Access control defects can manifest themselves in various ways. In some cases,

they may be uninteresting, allowing illegitimate access to a harmless function

that cannot be leveraged to escalate privileges any further. In other cases, find-

ing a weakness in access controls can quickly lead to a complete compromise

of the application.

Flaws in access control can arise from various sources: a poor application

design may make it difficult or impossible to check for unauthorized access, a

simple oversight may leave only one or two functions unprotected, or defec-

tive assumptions about the way users will behave can leave the application

undefended when those assumptions are violated.

In many cases, finding a break in access controls is almost trivial — you sim-

ply request a common administrative URL and gain direct access to the func-

tionality. In other cases, it may be very hard, and subtle defects may lurk deep

within application logic, particularly in complex, high-security applications.

The most important lesson when attacking access controls is to look every-

where. If you are struggling to make progress, be patient and test every single

step of every application function. A bug that allows you to own the entire

application may be just around the corner.