Manually testing for Broken Access Control involves simulating attack scenarios to identify weaknesses in access restrictions. Below are practical examples and detailed steps.
1. **Vertical Privilege Escalation.** Log in as a normal user and note the pages you are given (e.g. https://example.com/user/dashboard). Then request an administrative page directly (https://example.com/admin/dashboard) and, where the application sends a role in a parameter or cookie, tamper with it (e.g. role=user to role=admin). Expected result: 403 Forbidden. Any admin content returned to a user session, with or without the tampered role, is a finding.
2. **Horizontal Privilege Escalation.** Log in as a user whose identifier you know (e.g. user_id=123) and open a page that references it, such as https://example.com/account?user_id=123. Change user_id=123 to user_id=124 and resend; then iterate over a range of user_id values to see whether other accounts can be enumerated. Expected result: only your own data is returned. A 200 response containing another user's record is the vulnerability; a 404 for non-existent IDs next to a 403 for real ones still leaks which IDs exist.
3. **Insecure Direct Object References (IDOR).** Find a resource whose name or ID appears in the request (e.g. file123.pdf, fetched from /files/file123.pdf). Change the identifier to one you do not own (/files/file124.pdf) and request it. Expected result: 403 Forbidden.
4. **Session/Token Testing.** Capture an authenticated request (e.g. GET /users/123) with its session cookie or bearer token, then replay it unchanged except for the identity it refers to (user_id=123 to user_id=456). Expected result: the token only works for actions and records belonging to the user it was issued to; the server must derive identity from the session, not from the request parameters.
5. **Forced Browsing.** Request paths that are not linked from the UI but are commonly present (/admin/, /config/), and specific guesses such as /admin/settings or /hidden/backup.zip, both with and without a session. Expected result: a 403 Forbidden or 404 Not Found error. Confirm the 404 is real by comparing it with the response for a clearly random path; a custom "not found" page served with status 200 means the resource may actually be there.
6. **Misconfigured Permissions.** Request sensitive administrative URLs without logging in at all (e.g. https://example.com/admin/config), and request configuration files that are often left in the web root (.env, config.php). Expected result: access is restricted; a file download or a page render means the permission is missing.
| Test Type | Vulnerability Targeted | Expected Outcome |
|---|---|---|
| Vertical Privilege Escalation | Admin features accessible by users | 403 Forbidden error |
| Horizontal Privilege Escalation | Accessing another user’s data | Only own data accessible |
| Insecure Direct Object References | Accessing unauthorized objects | Access denied for unauthorized objects |
| Session/Token Testing | Session tied to user identity | Tokens fail for unauthorized actions |
| Forced Browsing | Accessing hidden URLs | Sensitive resources require authorization |
| Misconfigured Permissions | Access to sensitive files or paths | Restricted access |
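The following is an added example, not code from the original page: a small Python harness that stands up a deliberately vulnerable local target and then runs the horizontal-escalation, vertical-escalation and forced-browsing checks from the steps above against it. The target, its accounts, tokens and paths (/account, /admin/dashboard, /admin/settings) are all hypothetical and constructed for the demonstration; on a real engagement you would point the check functions at the application under test and supply real sessions.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlparse
from urllib.request import ProxyHandler, Request, build_opener

# Constructed sample accounts and sessions (hypothetical, not a real system).
USERS = {
    123: {"name": "alice", "role": "user"},
    124: {"name": "bob", "role": "user"},
    456: {"name": "carol", "role": "admin"},
}
TOKENS = {"tok-alice": 123, "tok-bob": 124, "tok-carol": 456}
OPENER = build_opener(ProxyHandler({}))  # never route localhost via a proxy

class VulnerableApp(BaseHTTPRequestHandler):
    """Deliberately weak target: /account has an IDOR, /admin/settings is
    unauthenticated, /admin/dashboard enforces the role correctly."""

    def _user_id(self):
        auth = self.headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        return TOKENS.get(token)

    def _send(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args): pass  # keep the demo quiet

    def do_GET(self):
        url = urlparse(self.path)
        uid = self._user_id()
        if url.path == "/account":
            if uid is None:
                return self._send(401, {"error": "login required"})
            wanted = parse_qs(url.query).get("user_id", [""])[0]
            if not wanted.isdigit() or int(wanted) not in USERS:
                return self._send(404, {"error": "no such user"})
            # VULNERABLE: never checks int(wanted) == uid, so any logged-in
            # user can read any account (horizontal escalation / IDOR).
            return self._send(200, {"user_id": int(wanted), **USERS[int(wanted)]})
        if url.path == "/admin/dashboard":
            # Correct: the role comes from the server-side session, not the request.
            if uid is None or USERS[uid]["role"] != "admin":
                return self._send(403, {"error": "forbidden"})
            return self._send(200, {"admin": True})
        if url.path == "/admin/settings":
            # VULNERABLE: hidden path with no authentication (forced browsing).
            return self._send(200, {"debug": True})
        return self._send(404, {"error": "not found"})

def start_server():
    """Start the target on a free localhost port; returns its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), VulnerableApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}"

def get(base, path, token=None):
    """GET a path as the given session; returns (status, JSON body)."""
    req = Request(base + path)
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with OPENER.open(req) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")

def check_horizontal(base, token, other_id):
    """Swap user_id for another user's id under our own session.
    True (vulnerable) if that user's record is returned."""
    status, body = get(base, f"/account?user_id={other_id}", token)
    return status == 200 and body.get("user_id") == other_id

def check_vertical(base, token, path="/admin/dashboard"):
    """Request an admin path with a low-privilege session.
    True (vulnerable) if the server answers with anything but 401/403."""
    status, _ = get(base, path, token)
    return status not in (401, 403)

def check_forced_browsing(base, path):
    """Request a hidden path with no session at all. True if it is served."""
    status, _ = get(base, path)
    return status == 200

def run_all(base):
    """Run every check as the low-privilege user 'alice' (user_id 123)."""
    return {
        "horizontal_escalation": check_horizontal(base, "tok-alice", 124),
        "vertical_escalation": check_vertical(base, "tok-alice"),
        "forced_browsing": check_forced_browsing(base, "/admin/settings"),
    }
```

Calling `run_all(start_server())` reports the IDOR on /account and the unauthenticated /admin/settings as vulnerable while /admin/dashboard passes, which is the pattern to expect from a real target: the endpoints that fail are usually the ones that authenticate the caller but never tie the requested object or role back to that caller's server-side session.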