Claude-skill-registry authz-bypass-hunter

Hunt for authorization bypass vulnerabilities including IDOR, privilege escalation, missing access controls, broken object-level authorization. Use when auditing authentication/authorization code or API endpoints.

install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/authz-bypass-hunter" ~/.claude/skills/majiayu000-claude-skill-registry-authz-bypass-hunter && rm -rf "$T"
manifest: skills/data/authz-bypass-hunter/SKILL.md
source content

Authorization Bypass Hunter

Purpose

Systematically identify authorization vulnerabilities: IDOR, broken access control, missing permission checks, role confusion, and horizontal/vertical privilege escalation.

Focus Areas

  • IDOR (Insecure Direct Object References): User-controllable IDs accessing other users' data
  • Broken Object Level Authorization (BOLA): API endpoints not validating resource ownership
  • Broken Function Level Authorization (BFLA): Admin functions accessible to regular users
  • Missing Access Controls: Endpoints without any authorization checks
  • Role/Permission Confusion: Inconsistent role checks across code paths
  • JWT/Session Issues: Token manipulation, session fixation

Audit Checklist

1. Identify Authorization Entry Points

- API endpoints with resource IDs (/api/user/{id}, /api/order/{id})
- Query parameters (userId=, accountId=, orderId=)
- Request body fields controlling resource access
- File paths/names in requests
- GraphQL queries with object references

2. Check for Missing Checks

Look for patterns:
- Direct database queries without a user filter
- Fetching a resource by ID only, without checking ownership
- Missing @authorize, @permission decorators
- Inconsistent middleware application

3. Verify Ownership Validation

VULNERABLE:
  order = Order.find(params[:id])  # No user check!

SECURE:
  order = current_user.orders.find(params[:id])  # Scoped to user

Output Format

When you find authorization issues, report as:

findings:
  - title: "IDOR in GET /api/users/{id}/profile"
    severity: high
    attack_scenario: "Authenticated user changes {id} parameter to access other users' profiles"
    preconditions: "Valid session required"
    reachability: auth_required
    impact: "Unauthorized access to PII of any user"
    confidence: high
    cwe_id: "CWE-639"
    affected_assets:
      - "/api/users/{id}/profile"
      - "src/controllers/user_controller.rs:42"
    taint_path: "request.params['id'] -> User.find(id) -> response"

Key Patterns to Hunt

Missing User Scope (Most Common)

// VULNERABLE - no ownership check
pub async fn get_order(id: i32) -> Order {
    Order::find(id).await
}

// SECURE - scoped to user
pub async fn get_order(user: User, id: i32) -> Order {
    Order::find_by_user(user.id, id).await
}

Inconsistent Role Checks

# VULNERABLE - role checked in UI but not API
@app.route('/admin/users')  # No @admin_required!
def list_users():
    return User.all()
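
One way to automate the missing-decorator check from step 2 and the pattern above, as an added example that is not part of the skill's own content: it parses Python source with `ast` and lists Flask-style route handlers that carry no authorization decorator. Guard names other than `admin_required`, the sample source, and the `public_paths` allowlist are assumptions.

```python
import ast

# Guard decorator names. `admin_required` is from the page; the rest are
# assumed names, replace them with the ones your codebase uses.
AUTHZ_DECORATORS = {"admin_required", "login_required", "authorize", "permission"}
ROUTE_ATTRS = {"route", "get", "post", "put", "patch", "delete"}

# Constructed sample source, not taken from a real project.
SAMPLE = '''
@app.route('/admin/users')
def list_users():
    return User.all()

@app.route('/admin/users/<int:uid>', methods=['GET', 'POST'])
@admin_required
def edit_user(uid):
    return User.find(uid)

@bp.get('/health')
def health():
    return "ok"
'''

def _name(dec):
    """Trailing identifier of a decorator: @a.b(...) -> 'b', @c -> 'c'."""
    node = dec.func if isinstance(dec, ast.Call) else dec
    return getattr(node, "attr", None) or getattr(node, "id", None)

def _route_path(dec):
    """Path literal if the decorator registers a route, else None."""
    if (isinstance(dec, ast.Call) and isinstance(dec.func, ast.Attribute)
            and dec.func.attr in ROUTE_ATTRS and dec.args
            and isinstance(dec.args[0], ast.Constant)):
        return dec.args[0].value
    return None

def unguarded_routes(source, guards=AUTHZ_DECORATORS, public_paths=()):
    """Return (path, handler, line) for routes with no guard decorator."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        names = {_name(d) for d in node.decorator_list}
        if names & set(guards):
            continue  # at least one authorization decorator present
        for path in filter(None, map(_route_path, node.decorator_list)):
            if path not in public_paths:  # reviewed, intentionally public
                findings.append((path, node.name, node.lineno))
    return sorted(findings, key=lambda f: f[2])
```

A hit means only that no decorator-level guard was found; a handler may still enforce authorization in its body or in middleware, so each result needs manual review.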

Parameter Pollution

# If both accepted, which wins?
GET /api/profile?userId=1001&userId=1000

HTTP Method Bypass

GET /api/admin/users/1000 → 403 Forbidden
POST /api/admin/users/1000 → 200 OK  # Vulnerable!

Severity Guidelines

| Pattern | Severity |
|---|---|
| IDOR to admin data | Critical |
| IDOR to PII | High |
| IDOR to non-sensitive data | Medium |
| Missing role check (admin functions) | Critical |
| Missing role check (user functions) | High |
| Horizontal privilege escalation | High |
| Vertical privilege escalation | Critical |

KYCo Integration

Register authorization bypass findings using the kyco CLI:

1. Check Active Project

kyco project list

2. Register Finding

kyco finding create \
  --title "IDOR in GET /api/users/{id}/profile" \
  --project PROJECT_ID \
  --severity high \
  --cwe CWE-639 \
  --attack-scenario "Authenticated user changes {id} parameter to access other users' profiles" \
  --impact "Unauthorized access to PII of any user" \
  --assets "/api/users/{id}/profile,src/controllers/user_controller.rs:42"

3. View in Kanban

kyco gui  # Opens GUI with Kanban board
kyco finding list --project PROJECT_ID  # CLI listing

Common CWE IDs for Authorization Issues

  • CWE-639: Authorization Bypass Through User-Controlled Key (IDOR)
  • CWE-862: Missing Authorization
  • CWE-863: Incorrect Authorization
  • CWE-284: Improper Access Control
  • CWE-285: Improper Authorization