4.5 Authorization Testing

4.5.1

Identify injection points that pertain to path traversal, such as HTTP GET and POST parameters that receive a path or a filename as input.
- Obtain all the links from Burp and look for injecting variables.
```
# GET
cat sitemap_urls.txt | uro |grep -Eo 'https?://[^ ]+\?[^ ]+'
# POST
Filter by Method POST & PARAMS (On Burpsuite Order by "Params")
```
- Are there unusual file extensions?
Is it possible to identify cookies used by the web application for the dynamic generation of pages or templates?
Assess bypassing techniques and identify the extent of path traversal.
- Is it also possible to include files and scripts located on external website
- If protocols are accepted as arguments, is it also possible to probe the local filesystem this way ?file=file:///etc/passwd?

(?:\?|&)(\w+)=([^&]*\.(?:jpg|jpeg|png|gif|pdf|doc|docx|xls|xlsx|ppt|pptx|txt|zip|rar|mp3|mp4|wav|mov|avi|json|xml|csv|exe|bin|dll|tar|gz|html|css|js|php))\b

Try to perform Path Traversal on the server's URL PATH

Evidence:

Asses the vertical privileges
1. Register or generate two users with a higher and a lower privileges.
2. Establish and maintain two different sessions based on the two different roles.
4. An application will be considered vulnerable if the weaker privileged session contains the same data, or indicate successful operations on higher privileged functions.
Asses the horizontal privileges.
1. Register or generate two users with identical privileges.
2. Establish and keep two different sessions active (one for each user).
4. An application will be considered vulnerable if the responses are the same, contain same private data or indicate successful operation on other users’ resource or data.
Testing for Special Request Header Handling
1. Try to test if theres is support of the headers X-Original-URL: /donotexist1 and X-Rewrite-URL: /donotexist2. If they are try use them in order to bypass URLs that might not be blocked for being accessed from the Internet.
2. Try different headers and values (Burp's Cluster Bomb attack)
Attempt to switch, change, or access another role: Use tools like Multi-Account container (Firefox Add-on) and Authorize (Burp Suite)

Headers:

X-Forwarded-For: 
X-Forwarded-IP: 
X-Client-IP: 
X-Remote-IP: 
X-Originating-IP: 
X-Host: 
X-Client:

127.0.1
127.1
0.0.0.0
0
0x7f000001
2130706433
3232235521a
3232235777
017700000001
[::]
::
[0:0:0:0:0:ffff:127.0.0.1]
0:0:0:0:0:ffff:127.0.0.1
<COLLABORATOR>

Evidence:

Identify injection points related to privilege manipulation.
Fuzz or otherwise attempt to bypass security measures.

Evidence:

Identify points where object references may occur. Look for requests that contain parameters with values such as IDs, function names or files.

Look for ID numbers:

(?:\?|&)(\w+)=\w*\d+\w*\b

Assess the access control measures and if they’re vulnerable to IDOR. Check if certain users that should not have access to those resources can access them. (Autorize)

Look for IDs:

(\w+)=[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}

Evidence:

Last updated 6 months ago

4.5.1

Identify injection points that pertain to path traversal, such as HTTP GET and POST parameters that receive a path or a filename as input.
- Obtain all the links from Burp and look for injecting variables.
```
# GET
cat sitemap_urls.txt | uro |grep -Eo 'https?://[^ ]+\?[^ ]+'
# POST
Filter by Method POST & PARAMS (On Burpsuite Order by "Params")
```
- Are there unusual file extensions?
Is it possible to identify cookies used by the web application for the dynamic generation of pages or templates?
Assess bypassing techniques and identify the extent of path traversal.
- Is it also possible to include files and scripts located on external website
- If protocols are accepted as arguments, is it also possible to probe the local filesystem this way ?file=file:///etc/passwd?

(?:\?|&)(\w+)=([^&]*\.(?:jpg|jpeg|png|gif|pdf|doc|docx|xls|xlsx|ppt|pptx|txt|zip|rar|mp3|mp4|wav|mov|avi|json|xml|csv|exe|bin|dll|tar|gz|html|css|js|php))\b

Try to perform Path Traversal on the server's URL PATH

Evidence:

4.5.2

Asses the vertical privileges
1. Register or generate two users with a higher and a lower privileges.
2. Establish and maintain two different sessions based on the two different roles.
3. For every request, change the session identifier from the original to another role’s session identifier and evaluate the responses for each. (Usage of )
4. An application will be considered vulnerable if the weaker privileged session contains the same data, or indicate successful operations on higher privileged functions.
Asses the horizontal privileges.
1. Register or generate two users with identical privileges.
2. Establish and keep two different sessions active (one for each user).
3. For every request, change the relevant parameters and the session identifier from token one to token two and diagnose the responses for each token. (Usage of )
4. An application will be considered vulnerable if the responses are the same, contain same private data or indicate successful operation on other users’ resource or data.
Testing for Special Request Header Handling
1. Try to test if theres is support of the headers X-Original-URL: /donotexist1 and X-Rewrite-URL: /donotexist2. If they are try use them in order to bypass URLs that might not be blocked for being accessed from the Internet.
2. Try different headers and values (Burp's Cluster Bomb attack)
Attempt to switch, change, or access another role: Use tools like Multi-Account container (Firefox Add-on) and Authorize (Burp Suite)

Headers:

X-Forwarded-For: 
X-Forwarded-IP: 
X-Client-IP: 
X-Remote-IP: 
X-Originating-IP: 
X-Host: 
X-Client:

Values:

127.0.1
127.1
0.0.0.0
0
0x7f000001
2130706433
3232235521a
3232235777
017700000001
[::]
::
[0:0:0:0:0:ffff:127.0.0.1]
0:0:0:0:0:ffff:127.0.0.1
<COLLABORATOR>

Evidence:

4.5.3

Identify injection points related to privilege manipulation.
Fuzz or otherwise attempt to bypass security measures.

Evidence:

4.5.4

Identify points where object references may occur. Look for requests that contain parameters with values such as IDs, function names or files.

Look for ID numbers:

(?:\?|&)(\w+)=\w*\d+\w*\b

Assess the access control measures and if they’re vulnerable to IDOR. Check if certain users that should not have access to those resources can access them. (Autorize)
If UUID are used check its . Because version 1 is based on time stamps you can perform a .

Look for IDs:

(\w+)=[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}

Evidence:

4.5.2

For every request, change the session identifier from the original to another role’s session identifier and evaluate the responses for each. (Usage of )

For every request, change the relevant parameters and the session identifier from token one to token two and diagnose the responses for each token. (Usage of )

Values:

4.5.3

4.5.4

If UUID are used check its . Because version 1 is based on time stamps you can perform a .

Authorization Testing

Testing Directory Traversal File Include

Testing for Bypassing Authorization Schema

Autorize

https://nip.io/

Testing for Privilege Escalation

Testing for Insecure Direct Object References

version

sandwich attack