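#!/bin/bash
# Authorization & Access Control
# Vertical/horizontal privilege escalation, IDOR, mass assignment, forced browsing
#
# Inputs come from ../config.sh (sourced below), which is expected to define:
#   OUT         - report root directory; this script writes under
#                 "$OUT/authz_access_control"
#   BROWSER_UA  - User-Agent string sent with every request
#   API_TARGET  - base URL of the service under test (no trailing slash)
# Every section prints its result lines to stdout AND appends them to
# summary.txt, so the file is a complete record of the run.
#
# Results are HTTP status-code heuristics only: a "[!!!]" line is a lead that
# must be confirmed by hand, and a "[PASS]" line only means the probed status
# was not 200. The script deliberately does not use `set -e`: a single
# unreachable endpoint makes curl print status 000, which is logged as-is,
# and the remaining sections still run.

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck source=../config.sh
source "$SCRIPT_DIR/../config.sh"

# Fail early with a clear message rather than probing "" or writing under "/".
: "${OUT:?config.sh must set OUT}"
: "${API_TARGET:?config.sh must set API_TARGET}"
: "${BROWSER_UA:?config.sh must set BROWSER_UA}"

OUT="$OUT/authz_access_control"
SUMMARY="$OUT/summary.txt"
mkdir -p "$OUT"
BROWSER="$BROWSER_UA"

#######################################
# Append one line to stdout and to the summary file.
# Arguments: the message (all arguments joined by a space)
#######################################
log() {
  printf '%s\n' "$*" | tee -a "$SUMMARY"
}

#######################################
# Print the HTTP status code of a request to "$API_TARGET$path".
# Arguments: $1 - request path (leading slash, may include a query string)
#            $2 - curl --max-time in seconds
#            remaining arguments are passed through to curl (e.g. -X METHOD)
# Outputs:   three-digit status on stdout; curl prints 000 when no response
#            was received. The response body is discarded.
#######################################
http_status() {
  local path=$1 timeout=$2
  shift 2
  curl -sk -o /dev/null -w '%{http_code}' --max-time "$timeout" -A "$BROWSER" \
    "$@" "$API_TARGET$path"
}

# Truncates any summary left by a previous run.
printf '%s\n' '=== AUTHORIZATION & ACCESS CONTROL ===' | tee "$SUMMARY"

# ── 1. Vertical Privilege Escalation ─────────────────────────────────────────
log ''
log '--- Vertical Privilege Escalation (user → admin) ---'
ADMIN_PATHS=("/admin" "/admin/users" "/admin/config" "/admin/logs" "/admin/keys" "/api/admin" "/api/v1/admin" "/management" "/superadmin" "/internal" "/internal/metrics" "/internal/config" "/debug" "/actuator")
for path in "${ADMIN_PATHS[@]}"; do
  resp=$(http_status "$path" 8)
  # An explicit if/else: with `A && B || C | tee`, only C reached the summary
  # file and the EXPOSED findings were lost from summary.txt.
  if [ "$resp" = "200" ]; then
    log " [!!!] EXPOSED: $path ($resp)"
  else
    log " [PASS] $path → $resp"
  fi
done

# ── 2. IDOR — Object Reference Enumeration ────────────────────────────────────
log ''
log '--- IDOR Enumeration ---'
# Try sequential IDs, UUIDs, and common patterns
for id in "1" "2" "3" "0" "-1" "admin" "00000000-0000-0000-0000-000000000001" "null" "undefined"; do
  for ep in "/users/$id" "/keys/$id" "/api/keys/$id" "/api/users/$id" "/account/$id"; do
    resp=$(http_status "$ep" 6)
    if [ "$resp" = "200" ]; then
      log " [!!!] IDOR: $ep returned 200"
    fi
  done
done
log " IDOR sweep complete"

# ── 3. Horizontal Privilege Escalation — Parameter Tampering ────────────────
log ''
log '--- Horizontal Escalation (parameter tampering) ---'
for user_param in "user_id=2&user_id=1" "userId=00000000-0000-0000-0000-000000000002" "account_id=1"; do
  resp=$(http_status "/keys/generate?$user_param" 8)
  log " [$resp] GET /keys/generate?$user_param"
done

# ── 4. Mass Assignment ────────────────────────────────────────────────────────
log ''
log '--- Mass Assignment ---'
# Inject admin/role fields into normal API requests
PAYLOADS=(
  '{"algorithm":"classical","role":"admin","is_admin":true,"privilege_level":9999}'
  '{"algorithm":"hybrid","_isAdmin":true,"__proto__":{"admin":true}}'
  '{"algorithm":"ml-kem-1024","user_id":"admin","override":true,"bypass_auth":true}'
)
MASS_BODY="$OUT/mass_assign.txt"   # overwritten on every iteration; last body wins
for payload in "${PAYLOADS[@]}"; do
  # curl -o only creates the file when a response arrives; pre-create it so a
  # connection failure yields an empty file (→ PASS) instead of a grep error.
  : > "$MASS_BODY"
  resp=$(curl -sk -o "$MASS_BODY" -w '%{http_code}' --max-time 8 -A "$BROWSER" \
    -X POST -H 'Content-Type: application/json' -d "$payload" "$API_TARGET/keys/generate")
  # NOTE: `\s` in a basic regex is a GNU grep extension.
  if grep -qi '"role"\s*:\s*"admin"\|"is_admin"\s*:\s*true\|admin.*true' "$MASS_BODY"; then
    log " [!!!] Mass assignment reflected: $resp"
  else
    log " [PASS] $resp — mass assign fields not reflected"
  fi
done

# ── 5. Forced Browsing / Directory Traversal to Restricted Resources ─────────
log ''
log '--- Forced Browsing ---'
RESTRICTED=(
  "/api/internal" "/api/private" "/api/secret" "/vault" "/keys/master" "/keys/root"
  "/config/secrets" "/env" "/.env" "/backup" "/restore" "/export"
  "/health/detailed" "/metrics/internal" "/stats/admin"
)
for path in "${RESTRICTED[@]}"; do
  resp=$(http_status "$path" 8)
  if [ "$resp" = "200" ]; then
    log " [!!!] EXPOSED: $path"
  else
    log " [PASS] $path → $resp"
  fi
done

# ── 6. HTTP Method Authorization Bypass ──────────────────────────────────────
log ''
log '--- Method-based Authz Bypass ---'
for method in "GET" "POST" "PUT" "PATCH" "DELETE" "HEAD" "OPTIONS"; do
  resp=$(http_status "/keys/generate" 8 -X "$method")
  log " [$resp] $method /keys/generate"
done

# ── 7. API Version Downgrade (older version may have weaker auth) ─────────────
log ''
log '--- API Version Downgrade ---'
for ver in "/v0" "/v1" "/v2" "/v3" "/beta" "/legacy" "/old"; do
  resp=$(http_status "$ver/encrypt" 8)
  log " [$resp] $ver/encrypt"
done

# ── 8. GraphQL Introspection & BOLA ──────────────────────────────────────────
log ''
log '--- GraphQL Introspection ---'
GRAPHQL_BODY="$OUT/graphql.txt"
: > "$GRAPHQL_BODY"   # same reason as mass_assign.txt above
resp=$(curl -sk -o "$GRAPHQL_BODY" -w '%{http_code}' --max-time 8 -A "$BROWSER" \
  -X POST -H 'Content-Type: application/json' \
  -d '{"query":"{__schema{types{name}}}"}' \
  "$API_TARGET/graphql")
if grep -qi '__schema\|__type' "$GRAPHQL_BODY"; then
  log " [!!!] GraphQL introspection ENABLED ($resp)"
else
  log " [PASS] GraphQL introspection blocked/absent ($resp)"
fi

cat "$SUMMARY"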