Broken Access Control bug: Bypassing 403s by finding another endpoint that does the same thing.

Hi. I found a really interesting bug in my private program and I want to share it through this writeup. Let's get started.

I was testing all the functionalities of this website and found this one interesting request when editing the residents.

We can see in the response that there is an interesting parameter called "moved in". I tried including it in the request and setting it to true, hoping it would change the value of that parameter, and it worked.

So now we can move in/move out residents if we have the update permission. Normally that wouldn't be a bug, but in this program, editing residents and moving in/moving out are governed by different permissions. I tried it again, but this time I removed the move in/move out permission.

And it still works. It still allows me to move in/move out residents as long as I have the update permission. Normally, moving in/moving out residents is done through a different endpoint, and if we try that one it does not work, because we have no permission to move in/move out, as expected. The update endpoint simply never checks the move in/move out permission before applying the "moved in" field.

So this is a neat little bypass.
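To show the root cause of this bypass concretely, here is an added, framework-free Python example (not the program's actual code; the names Permission, Resident, move_resident and update_resident_* are assumptions). The dedicated move endpoint checks the right permission, the vulnerable update endpoint only checks the update permission and then mass-assigns every field in the payload, and the hardened update endpoint gates the privileged field behind the same permission the dedicated endpoint uses. The reproduce() helper replays the test from the write-up against either handler.

```python
from dataclasses import dataclass, field
from enum import Enum


class Permission(Enum):
    UPDATE_RESIDENT = "update_resident"
    MOVE_RESIDENT = "move_resident"  # covers both move in and move out


class Forbidden(Exception):
    """Raised where the API would answer HTTP 403."""


@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)


@dataclass
class Resident:
    resident_id: int
    name: str
    moved_in: bool = False


# Dedicated move in / move out endpoint: enforces the move permission (assumed).
def move_resident(user: User, resident: Resident, moved_in: bool) -> Resident:
    if Permission.MOVE_RESIDENT not in user.permissions:
        raise Forbidden("403: move permission required")
    resident.moved_in = moved_in
    return resident


# Vulnerable update endpoint: checks only UPDATE_RESIDENT, then assigns every
# field present in the payload, so "moved_in" rides along with the name edit.
def update_resident_vulnerable(user: User, resident: Resident, payload: dict) -> Resident:
    if Permission.UPDATE_RESIDENT not in user.permissions:
        raise Forbidden("403: update permission required")
    for key, value in payload.items():
        if hasattr(resident, key):
            setattr(resident, key, value)
    return resident


# Hardened update endpoint: explicit allow-list of plain editable fields, and
# each privileged field is tied to the permission its dedicated endpoint needs.
EDITABLE_FIELDS = {"name"}
PRIVILEGED_FIELDS = {"moved_in": Permission.MOVE_RESIDENT}


def update_resident_hardened(user: User, resident: Resident, payload: dict) -> Resident:
    if Permission.UPDATE_RESIDENT not in user.permissions:
        raise Forbidden("403: update permission required")
    # Authorize the whole payload before mutating anything, so a rejected
    # request leaves the record untouched.
    for key, value in payload.items():
        if key in PRIVILEGED_FIELDS:
            needed = PRIVILEGED_FIELDS[key]
            # Only a change of the privileged value needs the extra permission;
            # a client echoing the current state back is not blocked.
            if value != getattr(resident, key) and needed not in user.permissions:
                raise Forbidden(f"403: {needed.value} required to change {key}")
        elif key not in EDITABLE_FIELDS:
            raise ValueError(f"400: unknown field {key!r}")
    for key, value in payload.items():
        setattr(resident, key, value)
    return resident


def reproduce(handler) -> str:
    """Replay the write-up's test: a user holding only the update permission
    sends moved_in=true through the update endpoint. Returns "bypassed" if the
    flag changed, "blocked" if the handler refused."""
    user = User("tester", {Permission.UPDATE_RESIDENT})  # constructed sample user
    resident = Resident(1, "Alice", moved_in=False)      # constructed sample record
    try:
        handler(user, resident, {"name": "Alice", "moved_in": True})
    except Forbidden:
        return "blocked"
    return "bypassed" if resident.moved_in else "blocked"


if __name__ == "__main__":
    print("vulnerable:", reproduce(update_resident_vulnerable))  # bypassed
    print("hardened:  ", reproduce(update_resident_hardened))    # blocked
```

The fix is per-field authorization inside the update handler rather than per-endpoint authorization alone: whenever two endpoints can write the same attribute, both must apply the same permission check, and the update handler should assign only from an allow-list so new privileged fields cannot slip in through mass assignment. The reproduce() call doubles as a regression test to keep in the suite.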

Thanks for reading.

Brandon Roldan