What is it?

Access control, also known as authorization, is the mechanism administrators use to protect resources. Do not confuse authorization with authentication: authentication verifies the identity of the user, whereas authorization checks whether that user is allowed to access the requested resource.

Talking solely about web applications, access control covers authorization and session management. In a way, these bugs also get classified under privilege escalation, since most of the time we are trying to reach a resource we should not have access to in the first place.

Where to look for?

Access control bugs turn up wherever the target application has different user roles, such as admin, moderator and regular user. They can also be found wherever users can create teams or groups, which ultimately gives rise to a team or group admin.

Any place where one user is given more access than another user of the same application is a potential place to check for access control vulnerabilities.

Common functionalities to test include (but are not restricted to):

  1. MFA - Check if you can skip a step in the MFA process
  2. Multi-step payment - Check if you can bypass a necessary step
  3. Teams / Groups formation - Check if you can see more information than you are supposed to
  4. Users with different roles - Check if you can obtain another user's role permissions
  5. Direct object references - When an application uses direct object references, check whether manipulating the identifier in the URL returns another user's resource
  6. Anywhere access tokens or other sensitive tokens are seen - Testing depends on how the application imposes the access control mechanism.
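The server-side checks that close the gaps in items 1, 2, 4 and 5 above, as an added Python example that is not part of the original article. The users, roles, documents and step names are constructed sample data; the vulnerable reader only authenticates, while the hardened reader also authorizes per object and per role, and the multi-step handler refuses to jump ahead of the step recorded in the session.

```python
# Constructed sample data (assumption: a minimal role-plus-ownership model).
USERS = {
    "alice": {"role": "user"},
    "bob": {"role": "user"},
    "carol": {"role": "admin"},
}
DOCUMENTS = {
    101: {"owner": "alice", "title": "alice-notes"},
    102: {"owner": "bob", "title": "bob-notes"},
}


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized."""


def get_document_vulnerable(session_user, doc_id):
    # Authentication only: any logged-in user can read any document by id,
    # which is the direct-object-reference problem from item 5.
    if session_user not in USERS:
        raise PermissionError("not authenticated")
    return DOCUMENTS[doc_id]


def get_document_secure(session_user, doc_id):
    # Authorization after authentication: the object must belong to the
    # caller, or the caller must hold the admin role (items 4 and 5).
    if session_user not in USERS:
        raise PermissionError("not authenticated")
    doc = DOCUMENTS.get(doc_id)
    is_admin = USERS[session_user]["role"] == "admin"
    # Treat "does not exist" and "not yours" identically so that the
    # response does not reveal which ids are valid.
    if doc is None or (doc["owner"] != session_user and not is_admin):
        raise Forbidden(f"{session_user} may not read document {doc_id}")
    return doc


# Multi-step flow (items 1 and 2): the server records the last completed
# step and only accepts the next one, instead of trusting request order.
MFA_STEPS = ["password", "otp", "complete"]


def advance_mfa(session, requested_step):
    """session['mfa_step'] holds the last step completed server-side."""
    done = session.get("mfa_step")
    expected_index = 0 if done is None else MFA_STEPS.index(done) + 1
    if MFA_STEPS.index(requested_step) != expected_index:
        raise Forbidden(f"step {requested_step!r} requested out of order")
    session["mfa_step"] = requested_step
    return session
```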