Authorization
Once a user has been authenticated, the next task is to authorize the user to give him/her access to data. Based on the user role and privileges, the application grants authorization. To test for authorization vulnerabilities, we require valid credentials from each of the different roles present in an application. Using some preliminary tools, we can attempt to bypass the authorization schema and gain access to the superuser account while using the credentials of a normal user.
OWASP mapping
Authorization-related vulnerabilities are part of the OWASP Top 10 2017. They are covered under A5:2017 Broken Access Control. Some of the vulnerabilities listed under this category are as follows:
- Bypassing access control checks by tampering with the URL
- Allowing the primary key to be changed to another user's record, and allowing viewing or editing someone else's account
- Escalating privileges