Help - Authorisation Bypass

About

When developers have to build authorisation matrices into complex systems it is easy for them to miss adding the right checks in every place, especially those which are not directly accessible through a browser, for example API calls.

As a tester, you need to be looking at every call a system makes and then testing it using every level of user to ensure that the checks are being carried out correctly. This can often be a long and boring task, especially with a large matrix with lots of different user types, but it is critical that the testing is carried out as one missed check could lead to an attacker gaining access to confidential data or functions.




Objective

Your goal is to test this user management system at all four security levels to identify any areas where authorisation checks have been missed.

The system is only designed to be accessed by the admin user, so have a look at all the calls made while logged in as the admin, and then try to reproduce them while logged in as a different user.

If you need a second user, you can use gordonb / abc123.



Low Level

Non-admin users do not have the 'Authorisation Bypass' menu option.

Spoiler: Try browsing directly to /vulnerabilities/authbypass/.


Medium Level

The developer has locked down access to the HTML for the page, but have a look at how the page is populated when logged in as the admin.

Spoiler: Try browsing directly to /vulnerabilities/authbypass/get_user_data.php to access the API which returns the user data for the page.


High Level

Both the HTML page and the API to retrieve data have been locked down, but what about updating data? You have to make sure you test every call to the site.

Spoiler: GET calls to retrieve data have been locked down, but the POST to update the data has been missed. Can you figure out how to call it?

Spoiler: This is one way to do it:

fetch('change_user_details.php', {
    method: 'POST',
    headers: {
        'Accept': 'application/json',
        'Content-Type': 'application/json'
    },
    body: JSON.stringify({ 'id': 1, "first_name": "Harry", "surname": "Hacker" })
})
.then((response) => response.json())
.then((data) => console.log(data));
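The help text above asks you to exercise every call with every user type, and the High level shows what happens when only the GET handlers were given a check. The following is an added example (not DVWA's own code) of turning that advice into a repeatable authorisation-matrix test: the three calls on this page are modelled as plain Python handlers with the roles and paths taken from the help text, and the "fixed" dispatcher shows the usual remedy, one central gate keyed on method and path rather than a check each developer has to remember to add.

```python
# Added example (not DVWA's own code): an authorisation-matrix regression check.
# The three calls from the help page are modelled as plain Python handlers so it
# runs offline. "vulnerable" mirrors the High level (both GETs check the role, the
# POST does not); "fixed" routes every call through one gate, whatever the method.

ADMIN, USER = "admin", "gordonb"   # the two users named on the help page
PAGE = "/vulnerabilities/authbypass/"
GET_DATA = PAGE + "get_user_data.php"
CHANGE = PAGE + "change_user_details.php"

# Expected matrix: the whole feature is admin-only.
MATRIX = {("GET", PAGE): {ADMIN}, ("GET", GET_DATA): {ADMIN}, ("POST", CHANGE): {ADMIN}}

def _page(user):                  # role check present
    return 200 if user == ADMIN else 403

def _get_user_data(user):         # role check present
    return 200 if user == ADMIN else 403

def _change_user_details(user):   # High level: the check was missed here
    return 200

HANDLERS = {("GET", PAGE): _page, ("GET", GET_DATA): _get_user_data,
            ("POST", CHANGE): _change_user_details}

def dispatch_vulnerable(method, path, user):
    """Per-handler checks only: every developer must remember their own."""
    return HANDLERS[(method, path)](user)

def dispatch_fixed(method, path, user):
    """One central gate keyed on (method, path); handlers never see denied users."""
    if user not in MATRIX.get((method, path), set()):
        return 403
    return HANDLERS[(method, path)](user)

def find_missing_checks(dispatch, roles=(ADMIN, USER)):
    """Exercise every route as every role and return the calls that a role
    outside the matrix could complete. Empty list = matrix enforced everywhere."""
    gaps = []
    for (method, path), allowed in MATRIX.items():
        for role in roles:
            status = dispatch(method, path, role)
            if role not in allowed and status != 403:
                gaps.append((method, path, role, status))
    return gaps

if __name__ == "__main__":
    print("vulnerable:", find_missing_checks(dispatch_vulnerable))
    print("fixed:     ", find_missing_checks(dispatch_fixed))
```

Against the vulnerable dispatcher the only reported gap is the POST to change_user_details.php as gordonb, which is exactly the High level finding; against the fixed dispatcher the list is empty.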

Impossible Level

Hopefully on this level all the functions correctly check authorisation before allowing access to the data.

There may however be some non-authorisation related issues on the page, so do not write it off as fully secure.

