Broken Access Control

Attackers exploit weaknesses in authentication or authorization checks to gain access to sensitive data or functionality they are not entitled to use.

Common Exploits:

  • Path Traversal: Manipulating URL path components so the server returns files outside the directory it is meant to serve.

  • Robots.txt: Harvesting sensitive paths from an improperly configured robots.txt file, which lists the locations it asks crawlers to avoid.

  • IDOR (Insecure Direct Object Reference):

    • Exploiting predictable or poorly protected object identifiers, including identifiers that are merely encoded or hashed in URL parameters rather than checked against the requester's permissions.

    • Example: Creating fake accounts to learn the parameter pattern, then using it to access resources belonging to other accounts.

  • Session Cookies: Altering or forging session cookie values to impersonate another session and gain unauthorized access.
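The defensive side of three of the items above, as an added example that is not part of the original page: a path check that confines a requested file to the served directory (path traversal), an ownership check on an object identifier shown next to the unchecked lookup it replaces (IDOR), and an HMAC-signed session cookie whose verification fails when the value is altered (session cookies). The function names, the in-memory DOCUMENTS table, the base directory used in the demo and the SECRET_KEY value are all constructed for this example.

```python
from typing import Optional
import hashlib
import hmac
from pathlib import Path


# 1. Path traversal: confine a user-supplied path to the directory being served.
def safe_resolve(base_dir: str, requested: str) -> Optional[Path]:
    """Return the canonical path for `requested` inside `base_dir`, or None when
    the request escapes the base ('..' segments, absolute paths, symlinks out)."""
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()   # collapses '..' and follows symlinks
    try:
        candidate.relative_to(base)            # raises ValueError if outside base
    except ValueError:
        return None
    return candidate


# 2. IDOR: the object id taken from the request is never sufficient on its own;
#    the server must also check that the caller is allowed to see that object.
# Constructed in-memory store for the example: document id -> (owner, contents).
DOCUMENTS = {
    "1001": ("alice", "alice's invoice"),
    "1002": ("bob", "bob's invoice"),
}


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


def fetch_document_vulnerable(doc_id: str) -> str:
    # Vulnerable form: any caller who supplies a valid id receives the document.
    return DOCUMENTS[doc_id][1]


def fetch_document(current_user: str, doc_id: str) -> str:
    # Hardened form: look the record up, then require the caller to be its owner.
    # Unknown ids and other users' ids fail identically, so the error message
    # does not reveal which ids exist.
    record = DOCUMENTS.get(doc_id)
    if record is None or record[0] != current_user:
        raise Forbidden("document not accessible")
    return record[1]


def can_access(current_user: str, doc_id: str) -> bool:
    """Boolean wrapper around fetch_document, convenient for checks and tests."""
    try:
        fetch_document(current_user, doc_id)
    except Forbidden:
        return False
    return True


# 3. Session cookies: an HMAC over the value lets the server detect tampering.
SECRET_KEY = b"example-only-secret"  # placeholder; a real deployment loads this from secure config


def sign_session(user_id: str) -> str:
    """Produce a cookie value of the form '<user_id>.<hex hmac>'."""
    mac = hmac.new(SECRET_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"


def verify_session_cookie(cookie: str) -> Optional[str]:
    """Return the user id carried by a valid cookie, or None if it was altered."""
    user_id, sep, mac = cookie.rpartition(".")
    if not sep or not user_id:
        return None
    expected = hmac.new(SECRET_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so the check leaks no timing signal.
    return user_id if hmac.compare_digest(mac, expected) else None


if __name__ == "__main__":
    print(safe_resolve("/srv/app/public", "../../etc/passwd"))   # None
    print(can_access("alice", "1002"))                           # False
    print(verify_session_cookie(sign_session("alice")))          # alice
```

The three checks share one principle: the value the client controls (a path, an object id, a cookie) is treated as a claim to be verified against server-side state, never as proof by itself.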
