
Access Control
Written By TheDarkMentor
If we begin talking about access control, we have to start with the ideas of authentication and authorization. (I would add accountability, but I do not think it's necessary in this post.)
Authentication is confirming a user is who they say they are.
Authorization permits a user to access only what their permissions allow (i.e. if you have only read permission on something, you can read it but not execute it).
So, that being said, you may now have an idea of where we are going with this.
With this idea in mind, you may be able to find pages that take you to an admin panel. It may even be possible to go from user to admin simply by playing with the URL if there are no controls in place to stop that kind of manipulation.
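To make the "playing with the URL" point concrete, here is an added example (not code from the original post) of an admin route written two ways: one that decides authorization from a client-controlled query parameter, and one that authenticates the session cookie against server-side state and only then checks the role stored there. The `Request` class, the `SESSIONS` store and the session ids are constructed stand-ins for a framework's request object and session backend; only the panel path comes from the post.

```python
"""Vertical access control on an admin route: trusting the URL vs. the server-side session."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed server-side session store (hypothetical; a real app uses its
# session backend): session cookie value -> authenticated identity and role.
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "user"},
    "sess-root": {"user": "root", "role": "admin"},
}


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed for this example)."""
    path: str
    query: Dict[str, str] = field(default_factory=dict)  # parsed URL query string
    session_id: Optional[str] = None                     # value of the session cookie


def admin_panel_vulnerable(req: Request) -> Tuple[int, str]:
    """Missing access control: authorization decided by a client-controlled parameter.

    Whoever edits the URL to carry role=admin is treated as admin. No
    authentication is checked at all, so even an anonymous client gets in.
    """
    if req.query.get("role") == "admin":
        return 200, "admin panel"
    return 403, "forbidden"


def admin_panel_hardened(req: Request) -> Tuple[int, str]:
    """Authentication first, then authorization, both from server-side state.

    1. Authenticate: the session cookie must map to a live server-side session.
    2. Authorize: the role recorded in that session must be 'admin'.
    Nothing in the URL is consulted, and anything unknown is denied by default.
    """
    session = SESSIONS.get(req.session_id or "")
    if session is None:
        return 401, "authentication required"
    if session.get("role") != "admin":
        return 403, "forbidden"
    return 200, "admin panel (%s)" % session["user"]


def demo() -> Dict[str, int]:
    """Same tampered request against both handlers, plus a real admin and an anonymous client."""
    panel = "/administrator-panel-yb556"   # the post's example path
    tampered = Request(panel, query={"role": "admin"}, session_id="sess-alice")  # logged-in user, URL edited
    legit = Request(panel, session_id="sess-root")                              # real admin session
    anon = Request(panel, query={"role": "admin"})                              # no session at all
    return {
        "vulnerable_tampered": admin_panel_vulnerable(tampered)[0],   # 200: URL tampering works
        "hardened_tampered": admin_panel_hardened(tampered)[0],       # 403: role comes from the session
        "hardened_admin": admin_panel_hardened(legit)[0],             # 200
        "hardened_anon": admin_panel_hardened(anon)[0],               # 401: authenticate before authorize
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The design point is the order of checks and the source of truth: the hardened handler answers "who are you?" from the session store before "what may you do?", and never reads either answer from something the client typed into the address bar.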
Reconnaissance with tools like dirsearch, gobuster, ffuf, etc. would be a good start in finding hidden directories that may lead you to admin panels. Something like the URL below is a good indicator of a hidden directory.
(I could probably add pictures to this blog post, but it's 12:30 am and I just got off work and I am lazy, lol. Sorry for not putting more effort into it.)
Ex: https://insecure-website.com/administrator-panel-yb556
It is always a good idea to see if you can find a hidden directory boasting an admin panel. Sometimes it can be an easy win with default credentials such as admin/admin or something silly like that.
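The directory brute-forcing described above leaves a very recognisable trail in web server logs: a burst of 404s from one client, occasionally followed by a 200 on the path it was looking for. The following is an added example (not from the original post) of detection logic run over a few constructed access-log lines in combined log format; the client addresses, timestamps, window size and threshold are all invented for illustration, and only the `/administrator-panel-yb556` path comes from the post.

```python
"""Spotting directory enumeration (dirsearch/gobuster/ffuf style) in web access logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Optional

# Constructed sample in combined log format; addresses are documentation ranges, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:00:30:01 +0000] "GET /admin HTTP/1.1" 404 153 "-" "gobuster/3.6"
203.0.113.7 - - [10/Mar/2024:00:30:01 +0000] "GET /administrator HTTP/1.1" 404 153 "-" "gobuster/3.6"
203.0.113.7 - - [10/Mar/2024:00:30:02 +0000] "GET /backup HTTP/1.1" 404 153 "-" "gobuster/3.6"
203.0.113.7 - - [10/Mar/2024:00:30:02 +0000] "GET /wp-admin HTTP/1.1" 404 153 "-" "gobuster/3.6"
203.0.113.7 - - [10/Mar/2024:00:30:03 +0000] "GET /administrator-panel-yb556 HTTP/1.1" 200 4120 "-" "gobuster/3.6"
198.51.100.4 - - [10/Mar/2024:00:30:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:00:30:09 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_enumeration(log_text: str, window: timedelta = timedelta(seconds=10),
                       threshold: int = 4) -> Dict[str, dict]:
    """Flag clients with at least `threshold` 404s inside any sliding `window`.

    For each flagged client the result also lists the paths that returned 200
    during (or shortly after) the burst, so the analyst sees what the scanner
    actually found, not just that it ran. Window and threshold are illustrative
    and need tuning against a site's normal 404 rate (missing favicons, old links).
    """
    events = defaultdict(list)  # ip -> [(ts, status, path)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            events[rec["ip"]].append((rec["ts"], rec["status"], rec["path"]))

    findings: Dict[str, dict] = {}
    for ip, evs in events.items():
        evs.sort()
        misses = [e for e in evs if e[1] == 404]
        j = 0
        for i in range(len(misses)):
            # Grow the window end j while misses[j] is within `window` of misses[i].
            while j < len(misses) and misses[j][0] - misses[i][0] <= window:
                j += 1
            if j - i >= threshold:
                start, end = misses[i][0], misses[j - 1][0]
                hits = [p for ts, st, p in evs if st == 200 and start <= ts <= end + window]
                findings[ip] = {"misses_in_window": j - i, "hits": hits}
                break  # one finding per client is enough for an alert
    return findings


if __name__ == "__main__":
    for ip, info in detect_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {info['misses_in_window']} misses, discovered {info['hits']}")
```

On the sample, only the first client trips the rule: four 404s inside two seconds and a 200 on the hidden panel right after, which is exactly the pattern worth an alert, whereas the browser client's single missing favicon stays below threshold.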
Remember, cybersecurity is an ongoing process that requires continuous monitoring, assessment, and improvement of access control mechanisms to stay ahead of those filthy black hats. Remember, all companies are tech companies today, and it is NOT a matter of IF you get hacked but WHEN.
"The only thing we have to fear is fear itself."
-Franklin D. Roosevelt