Autoplay
Autocomplete
Previous Lesson
Complete and Continue
Access Control Vulnerabilities
Introduction
Course Introduction (2:16)
Course Slides and Scripts
Getting Help
Answering Your Questions (3:11)
Join the Discord Server
Access Control Vulnerabilities - Technical Deep Dive
Agenda (0:45)
What is an Access Control Vulnerability (20:24)
How to Find Access Control Vulnerabilities (7:38)
How to Exploit Access Control Vulnerabilities (4:12)
How to Prevent Access Control Vulnerabilities (4:19)
Additional Resources (0:16)
Lab Environment Setup
Lab Environment Setup (7:21)
Step-by-Step Guide
Hands-On Access Control Vulnerabilities Labs
Lab #1 Unprotected admin functionality (15:06)
Lab #2 Unprotected admin functionality with unpredictable URL (22:56)
Lab #3 User role controlled by request parameter (23:42)
Lab #4 User role can be modified in user profile (21:39)
Lab #5 URL-based access control can be circumvented (15:23)
Lab #6 Method-based access control can be circumvented (17:23)
Lab #7 User ID controlled by request parameter (21:24)
Lab #8 User ID controlled by request parameter, with unpredictable user IDs (29:18)
Lab #9 User ID controlled by request parameter with data leakage in redirect (21:36)
Lab #10 User ID controlled by request parameter with password disclosure (27:13)
Lab #11 Insecure direct object references (22:44)
Lab #12 Multi-step process with no access control on one step (16:25)
Lab #13 Referer-based access control (14:15)
Thank You!
Thank You!
Course Introduction
Complete and Continue