20_authz_access_control.sh — PQCrypta Pentest Suite

1	#!/bin/bash
2	# Authorization & Access Control
3	# Vertical/horizontal privilege escalation, IDOR, mass assignment, forced browsing
4	SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
5	source "$SCRIPT_DIR/../config.sh"
6	OUT="$OUT/authz_access_control"
7	mkdir -p "$OUT"
8
9	echo '=== AUTHORIZATION & ACCESS CONTROL ===' \| tee "$OUT/summary.txt"
10
11	BROWSER="$BROWSER_UA"
12
13	# ── 1. Vertical Privilege Escalation ─────────────────────────────────────────
14	echo '' \| tee -a "$OUT/summary.txt"
15	echo '--- Vertical Privilege Escalation (user → admin) ---' \| tee -a "$OUT/summary.txt"
16	ADMIN_PATHS=("/admin" "/admin/users" "/admin/config" "/admin/logs" "/admin/keys"
17	"/api/admin" "/api/v1/admin" "/management" "/superadmin"
18	"/internal" "/internal/metrics" "/internal/config" "/debug" "/actuator")
19	for path in "${ADMIN_PATHS[@]}"; do
20	resp=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 8 -A "$BROWSER" "$API_TARGET$path")
21	[ "$resp" = "200" ] && echo " [!!!] EXPOSED: $path ($resp)" \|\| echo " [PASS] $path → $resp" \| tee -a "$OUT/summary.txt"
22	done
23
24	# ── 2. IDOR — Object Reference Enumeration ────────────────────────────────────
25	echo '' \| tee -a "$OUT/summary.txt"
26	echo '--- IDOR Enumeration ---' \| tee -a "$OUT/summary.txt"
27	# Try sequential IDs, UUIDs, and common patterns
28	for id in "1" "2" "3" "0" "-1" "admin" "00000000-0000-0000-0000-000000000001" "null" "undefined"; do
29	for ep in "/users/$id" "/keys/$id" "/api/keys/$id" "/api/users/$id" "/account/$id"; do
30	resp=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 6 -A "$BROWSER" "$API_TARGET$ep")
31	[ "$resp" = "200" ] && echo " [!!!] IDOR: $ep returned 200" \| tee -a "$OUT/summary.txt"
32	done
33	done
34	echo " IDOR sweep complete" \| tee -a "$OUT/summary.txt"
35
36	# ── 3. Horizontal Privilege Escalation — Parameter Tampering ────────────────
37	echo '' \| tee -a "$OUT/summary.txt"
38	echo '--- Horizontal Escalation (parameter tampering) ---' \| tee -a "$OUT/summary.txt"
39	for user_param in "user_id=2&user_id=1" "userId=00000000-0000-0000-0000-000000000002" "account_id=1"; do
40	resp=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 8 -A "$BROWSER" \
41	"$API_TARGET/keys/generate?$user_param")
42	echo " [$resp] GET /keys/generate?$user_param" \| tee -a "$OUT/summary.txt"
43	done
44
45	# ── 4. Mass Assignment ────────────────────────────────────────────────────────
46	echo '' \| tee -a "$OUT/summary.txt"
47	echo '--- Mass Assignment ---' \| tee -a "$OUT/summary.txt"
48	# Inject admin/role fields into normal API requests
49	PAYLOADS=(
50	'{"algorithm":"classical","role":"admin","is_admin":true,"privilege_level":9999}'
51	'{"algorithm":"hybrid","_isAdmin":true,"__proto__":{"admin":true}}'
52	'{"algorithm":"ml-kem-1024","user_id":"admin","override":true,"bypass_auth":true}'
53	)
54	for payload in "${PAYLOADS[@]}"; do
55	resp=$(curl -sk -o "$OUT/mass_assign.txt" -w '%{http_code}' --max-time 8 -A "$BROWSER" \
56	-X POST -H 'Content-Type: application/json' -d "$payload" "$API_TARGET/keys/generate")
57	grep -qi '"role"\s:\s"admin"\\|"is_admin"\s:\strue\\|admin.*true' "$OUT/mass_assign.txt" && \
58	echo " [!!!] Mass assignment reflected: $resp" \|\| echo " [PASS] $resp — mass assign fields not reflected" \| tee -a "$OUT/summary.txt"
59	done
60
61	# ── 5. Forced Browsing / Directory Traversal to Restricted Resources ─────────
62	echo '' \| tee -a "$OUT/summary.txt"
63	echo '--- Forced Browsing ---' \| tee -a "$OUT/summary.txt"
64	RESTRICTED=(
65	"/api/internal" "/api/private" "/api/secret"
66	"/vault" "/keys/master" "/keys/root"
67	"/config/secrets" "/env" "/.env"
68	"/backup" "/restore" "/export"
69	"/health/detailed" "/metrics/internal" "/stats/admin"
70	)
71	for path in "${RESTRICTED[@]}"; do
72	resp=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 8 -A "$BROWSER" "$API_TARGET$path")
73	[ "$resp" = "200" ] && echo " [!!!] EXPOSED: $path" \|\| echo " [PASS] $path → $resp" \| tee -a "$OUT/summary.txt"
74	done
75
76	# ── 6. HTTP Method Authorization Bypass ──────────────────────────────────────
77	echo '' \| tee -a "$OUT/summary.txt"
78	echo '--- Method-based Authz Bypass ---' \| tee -a "$OUT/summary.txt"
79	for method in "GET" "POST" "PUT" "PATCH" "DELETE" "HEAD" "OPTIONS"; do
80	resp=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 8 -A "$BROWSER" \
81	-X "$method" "$API_TARGET/keys/generate")
82	echo " [$resp] $method /keys/generate" \| tee -a "$OUT/summary.txt"
83	done
84
85	# ── 7. API Version Downgrade (older version may have weaker auth) ─────────────
86	echo '' \| tee -a "$OUT/summary.txt"
87	echo '--- API Version Downgrade ---' \| tee -a "$OUT/summary.txt"
88	for ver in "/v0" "/v1" "/v2" "/v3" "/beta" "/legacy" "/old"; do
89	resp=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 8 -A "$BROWSER" \
90	"$API_TARGET$ver/encrypt")
91	echo " [$resp] $ver/encrypt" \| tee -a "$OUT/summary.txt"
92	done
93
94	# ── 8. GraphQL Introspection & BOLA ──────────────────────────────────────────
95	echo '' \| tee -a "$OUT/summary.txt"
96	echo '--- GraphQL Introspection ---' \| tee -a "$OUT/summary.txt"
97	resp=$(curl -sk -o "$OUT/graphql.txt" -w '%{http_code}' --max-time 8 -A "$BROWSER" \
98	-X POST -H 'Content-Type: application/json' \
99	-d '{"query":"{__schema{types{name}}}"}' \
100	"$API_TARGET/graphql")
101	grep -qi '__schema\\|__type' "$OUT/graphql.txt" && \
102	echo " [!!!] GraphQL introspection ENABLED ($resp)" \|\| echo " [PASS] GraphQL introspection blocked/absent ($resp)" \| tee -a "$OUT/summary.txt"
103
104	cat "$OUT/summary.txt"
105

AUTONOMY DIRECTORATE

🏠 Main

🧪 Interactive Apps

📰 News

📚 Documents ▼

🛡️ PQ Crypta Proxy

🎓 Educational Animations ▼

👤 Account

🧬 Company & Legal ▼

🛠️ Utilities ▼

🛡️ Security ▼

🚧 Under Development ▼

⟨ QUANTUM ERROR PORTAL ⟩

Script Viewer