DEV Community

Hassam Fathe Muhammad

🔒 Vulnerability Remediation (Cybersecurity Patch) 🛠️ by Avoiding Broken Access Control 🚫

This was my second attempt at finding areas I needed to practice in, specifically related to cybersecurity skills, particularly Vulnerability Remediation.

Before I get into how I strengthened the access control, I want to first explain the method I used to exploit a vulnerability in one of my own web apps.


My Experiment (Ethical Practice)

I acted exactly as a hacker would to try and gain access to certain services of my web app.

Important: Before proceeding further and sharing my experimental experience, please never apply such knowledge to someone else's projects, web apps, or services without proper consent. Always do this only for learning and exploring vulnerabilities in your own environment.


How I Exploited My Own App

  1. Targeting Admin Routes: I went to the admin routes (pages) of the targeted web app and opened the Network tab in Chrome DevTools. From there, I examined the requests (pages, scripts, and other files) and was able to understand the JavaScript logic used to call APIs like updateData and savePortfolioData.

  2. Identifying Admin-Level APIs: You can usually guess admin-level API functions by inspecting the client side.

  3. Payload Analysis: I captured the payloads received from client-side APIs to see what data was coming in. After slightly modifying this data, I tested it in Postman.

  4. Executing the Exploit: By changing the payload structure, I was able to get a 200 OK response after updating the data. ✅ Result: I had gained access to admin-level functions/panel on my own app.


A Surprising Finding: CORS Didn't Interfere

I was a little surprised that CORS didn't block me at all. After researching, I found that CORS is enforced in browsers, whereas tools like Postman or local requests bypass browser restrictions, making such API calls less likely to be blocked for attackers.


The Root Cause

If you havenโ€™t implemented middlewares like:

  • Token verification (checkToken)

  • Role verification (checkRoles)

…then your API routes can be abused by any regular user, customer, or even a random visitor.


The Fix (My Cybersecurity Patch)

In my remediation process, I ensured that:

  • All role-specific routes require both token validation and role validation.

  • Only authorized roles can access admin functions.

By doing this, I prevented normal/non-admin users from exploiting those API routes.


Key Takeaway

Broken Access Control is one of the most critical vulnerabilities in web apps. Even if your front-end hides admin options, your APIs must be secured with proper authentication and authorization; otherwise, it's just a matter of time before someone finds and abuses them.


Final Thoughts

This was a valuable learning experience for me: not only did I strengthen my app's security, but I also sharpened my vulnerability remediation skills by patching a flaw I had personally exploited in a safe environment.


🛡 My Tip for Developers:

Always secure your APIs as if your front-end doesn't exist. If your backend can't trust the request source, it shouldn't execute sensitive actions.
