Authorization and Access control

Horizontal Privilege Escalation (IDOR)

Test Cases:
1. Manipulate user ID parameters
   GET /api/user/123/profile  →  GET /api/user/124/profile
   
2. Manipulate object IDs
   GET /api/orders/1001  →  GET /api/orders/1002
   
3. Try different HTTP methods
   If GET blocked, try POST/PUT/DELETE
   
4. Parameter pollution
   /api/user?id=123&id=124
   
5. Array manipulation
   /api/users?id[]=123&id[]=124
   
6. UUID/GUID prediction
   If using UUIDs, check if predictable

Automated Testing

# Autorize (Burp extension) - automatically test authorization
# Or use custom script:
for i in {1..1000}; do
  curl -H "Cookie: session=YOUR_SESSION" https://target.com/api/user/$i/profile
done

Vertical Privilege Escalation

Test Cases:
1. Access admin endpoints as regular user
   /admin, /api/admin, /administrator
   
2. Role parameter manipulation
   POST /api/user/update
   {"role": "admin", "email": "attacker@evil.com"}
   
3. Mass assignment
   POST /api/register
   {"username": "test", "password": "test", "is_admin": true}
   
4. GraphQL field manipulation
   query { user { id, email, role, is_admin } }
   
5. Cookie/JWT role manipulation
   Change role: user → admin in JWT payload