Bug Bounty Tip: Role-Based Authorization and Unauthorized Access Testing

Bug bounty tip of this week comes from Omer Goktas, one of the top cybersecurity researchers on BugBounter. Dive into his tip about role-based authorization and unauthorized access testing.

In web and API testing, if there are roles with different levels of authorization, log in with an account that has a high level of authorization.

1. Log in using your account with lower authorization in an incognito tab.

2. Take note of what actions you can perform with your account that has high authorization. For this, you can send all requests to the Burp Repeater tab.

3. Then, try sending these requests with your unauthorized account.

4. If you’re lucky, you’ll be able to successfully send the request.

💡 BONUS
If the session is determined only by the JWT token, testing unauthorized accesses can be done by sending requests with the JWT token of the unauthorized account.

💡 BONUS 2
Copy the URL addresses and, in the incognito tab where your unauthorized user account is open, go to these URL addresses to access places the unauthorized user should not have access to.

Thanks to Omer for this week’s tip. If you’d also like to be featured on BugBounter with your bug bounty tip, reach out to the BugBounter Community Manager with your username and bug bounty tip.

Bug bounty

Red Team

Pentest

VDP

Projects

Finance & Insurance

Retail & E-commerce

Tech & Software

Healthcare & Pharma

Manufacturing Transportation

Community

Affiliate Program

Leaderboard

Blog

Webinar

Newsletter

Bug bounty

Red Team

Pentest

VDP

Projects

Finance & Insurance

Retail & E-commerce

Tech & Software

Healthcare & Pharma

Manufacturing Transportation

Community

Affiliate Program

Leaderboard

Blog

Webinar

Newsletter

Pricing

Login

Bug Bounty Tip: Role-Based Authorization and Unauthorized Access Testing

Solutions

Industries

Bounters

Resources

About

Copyright © 2023 Bugbounter. All Rights Reserved.