Differences

This shows you the differences between two versions of the page.

--- tbhm:09_privilege [2026/05/14 09:18] – TBHM import drew
+++ tbhm:09_privilege [2026/05/14 09:28] (current) – converted from markdown to dokuwiki syntax drew
@@ Line 1: / Line 1: @@
-# Privilege, Transport, Logic
+====== Privilege, Transport, Logic ======
-## Privilege
+===== Privilege =====
 Often logic, priv, auth bugs are blurred.
 Testing user priv:
-- admin has power
+  * admin has power
-- peon has none
+  * peon has none
-- peon can use function only meant for admin
+  * peon can use function only meant for admin
-## More Privilege
+===== More Privilege =====
-- Find site functionality that is restricted to certain user types
+  * Find site functionality that is restricted to certain user types
-- Try accessing those functions with lesser/other user roles
+  * Try accessing those functions with lesser/other user roles
-- Try to directly browse to views with sensitive information as a lesser priv user
+  * Try to directly browse to views with sensitive information as a lesser priv user
-[[https://github.com/Quitten/Autorize|Autorize Burp plugin]] is pretty neat.
+Autorize Burp plugin is pretty neat [[https://github.com/Quitten/Autorize|here]].
-## Common Functions or Views
+===== Common Functions or Views =====
-- Add user function
+  * Add user function
-- Delete user function
+  * Delete user function
-- start project / campaign / etc function
+  * start project / campaign / etc function
-- change account info (pass, CC, etc) function
+  * change account info (pass, CC, etc) function
-- customer analytics view
+  * customer analytics view
-- payment processing view
+  * payment processing view
-- any view with PII
+  * any view with PII
-## Insecure direct object references
+===== Insecure direct object references =====
 IDORs are common place in bounties, and hard to catch with scanners.
-Find **any and all** UIDs:
+Find **any and all** UIDs
-- increment
+  * increment
-- decrement
+  * decrement
-- negative values
+  * negative values
-- Attempt to perform sensitive functions substituting another UID
+  * Attempt to perform sensitive functions substituting another UID
-  - change password
+  * change password
-  - forgot password
+  * forgot password
-  - admin only functions
+  * admin only functions
 Common Functions, Views, or Files:
-- Everything from the CSRF Table, trying cross account attacks
+  * Everything from the CSRF Table, trying cross account attacks
-- Sub: UIDs, user hashes, or emails
+  * Sub: UIDs, user hashes, or emails
-- Images that are non-public
+  * Images that are non-public
-- Receipts
+  * Receipts
-- Private Files (pdfs, ++)
+  * Private Files (pdfs, ++)
-- Shipping info & Purchase Orders
+  * Shipping info & Purchase Orders
-- Sending / Deleting messages
+  * Sending / Deleting messages
-## Transport
+===== Transport =====
-Most security concerned sites will enable HTTPS. It's your job to ensure they've done it **EVERYWHERE**. Most of the time they miss something.
+Most security concerned sites will enable HTTPs. It's your job to ensure they've done it **EVERYWHERE**. Most of the time they miss something.
 Examples:
-- Sensitive images transported over HTTP
+  * Sensitive images transported over HTTP
-- Analytics with session data / PII leaked over HTTP
+  * Analytics with session data / PII leaked over HTTP
 [[https://github.com/arvinddoraiswamy/mywebappscripts/tree/master/ForceSSL|ForceSSL]]
-## Business Logic Flaws
+===== Business Logic Flaws =====
 Logic flaws that are tricky, mostly manual:
-- substituting hashed parameters
+  * substituting hashed parameters
-- step manipulation
+  * step manipulation
-- use negatives in quantities
+  * use negatives in quantities
-- authentication bypass
+  * authentication bypass
-- application level DoS
+  * application level DoS
-- Timing attacks
+  * Timing attacks