Hello Everyone! Thank you for following this series and following me, I am very close to 1000 followers.

This is the part 04 of the series, and we are going to start the main app methodology to find the bugs. This is going to be a long one so get Ready!

So the first thing we are gonna start is with Identity Role Testing

So as you know that every website or application has different roles, in this section we are going to test that.

We will test 3 things in this:

• Test Role Definitions
• Test User Registration Process
• Testing for Account Enumeration and Guessable User Account

Test Role Definitions:

Every application have functionalities and services which required different permission and roles.

For example in Medium we have

• Writer
• Author
• User
• Member
• Admin

and maybe some other roles which all have different permisions, like a normal user cannot access the member-only stories.

So here is when we have to think like a hacker, like what could be the things you would want as an attacker for example Reading members-only stories without being a member. (This is only for example purpose, I am not actually doing this on Medium!)

So for these types of bugs we need to test Role definition

Our Objectives:

1. Identify the different roles used by the application.
2. Attempt to switch, change or access another role.
3. Check how detailed the roles are and why certain permissions are given.

Steps To Test:

So first, You need to identify the available roles, So we are going to go through the application, use it like a normal user and identify the different roles and make notes of the functionalities and the users who have the permissions to use it.

1. Identify the roles and make notes for example like above image I made an example mindmap of medium roles and the functionalities
2. You can also Identify the roles through any website guide or manual or documentation provided by them.
3. You can also Fuzz possible roles:

• cookie variable (e.g. role=admin , isAdmin=True )
• account variable (e.g. Role: manager )
• hidden directories or files (e.g. /admin , /mod , /backups )
• switching to well known users (e.g. admin , backups , etc.)

4. Now you need to test if you can switch the roles, you can practice the labs for this here: https://portswigger.net/web-security/access-control, for example a normal user shouldn’t be able to access the admin functionalities.

5. After gaining access to the roles on the system, you must understand the permissions provided to each role.

6. A good tool to test this is Burp’s Autorize extension.

Example Report

We are going to see this report: https://hackerone.com/reports/1539426

Submitted by,
nayefhamouda to UPS VDP on April 13, 2022, 5:29am UTC

Here first the tester goes to the target website and click on forgot password, then Enter any email address, then intercept the request and its response.

Then he changed the status value from false to true

After this he could access the user and his reports, and the bug was triaged.

Test User Registration Process

As you know most of the applications offers a user registeration and and login process that automates or semi automates, Many public applications completely automate the registration and provisioning process because the size of the user base makes it impossible to manage manually.

Our Objectives:

• Verify that the identity requirements for user registration are aligned with business and security requirements.
• Validate the registration process.

Steps To Test:

So we can ask some questions to ourself to validate the registeration process:

1. Can anyone register for access?
2. Can the same person or identity register multiple times?
3. Can users register for different roles or permissions?
4. What proof of identity is required for a registration to be successful?
5. Are registered identities verified?
6. Can identity information be easily forged or faked?
7. Can the exchange of identity information be manipulated during registration?

For Example in Medium To register, we need mail

But it also sends a confirmation code to register, which is a good security practice

Whereas in many websites it doesn’t verify the email and lets you register with any email. Similarly check the other questions.

Example Report:

So for example report we are going to take https://hackerone.com/reports/875049 submitted by dianeme_ on May 15, 2020 on the program U.S. Dept Of Defense

So here the tester explains how he was able to bypass email filter and was able to use Non Accepted Email Types. Many goverment applications allow only gov domain emails for security purposes and doesn’t allow normal domains.

Here first he went to the target website. Then he used the normal gov domain and intercepted the request in burpsuite, then he changed the email parameter to a normal email. And he bypassed it!!

Testing for Account Enumeration and Guessable User Account

Often, web applications reveal when a username exists on system. For example, sometimes, when we submit wrong credentials, we receive a message that states that either the username is present on the system or the provided password is wrong. The information obtained can be used by to gain a list of users on system.

Test Objectives:

• Review processes that pertain to user identification (e.g. registration, login, etc.).
• Enumerate users where possible through response analysis.

Steps To Test:

1. Record the server answer when you submit a valid user ID and valid password.
2. Now, try to insert a valid user ID and a wrong password and record the error message generated by the application. Using a web proxy, notice the information retrieved from this unsuccessful authentication attempt.
3. Testing for a Nonexistent Username: Now, try to insert an invalid user ID and a wrong password and record the server answer Record the error message and the server answer.

Example Report:

For example we are going to take report: https://hackerone.com/reports/1166054 submitted by
mohanad987 to UPachieve on April 15, 2021, 9:54pm UTC

Here we can see that the tester explains how he was able to enumerate users emails, First he went to the target domain then used the forgot password function, Then he submitted a random email and intercepted the request by burpsuite and in the response he got revealed that there is no account with that id found.

The Types of bugs that comes under these all 3 tests are:

1. Privilege Escalation
2. Role-Based Access Control (RBAC) Bypass
3. Insecure Direct Object References (IDOR)
4. Session Management Issues
5. Inadequate Multi-Factor Authentication (MFA)
6. Improper User Authentication
7. Misconfigured Permissions
8. User Enumeration

Thats it for this blog, Thank you for reading till the end, I hope it helped you in some way.

This was one of hardest to write blog for me, so I’d appreciate it if you could share your thoughts in the comments and let me know if you liked this method. Feel free to provide honest feedback and any advice you might have.

In the next blog we will learn about Authentication.

This topic is very long so we will have 2 parts.

If you want any resources or have any queries free to dm me on instagram:

https://www.instagram.com/om._.arora1603/

Email: [email protected]

Twitter: https://x.com/om83418440

You can also connect with me on linkedin:

https://www.linkedin.com/in/om-arora-b88340213/

Please Consider following and liking if you found it helpful.

You can also support me through: