Authorization Bypass

One-liner: Exploiting flaws in access control logic to perform actions or access resources without proper permissions.

🎯 What Is It?

Authorization Bypass occurs when an attacker circumvents access control mechanisms to gain unauthorized access to functionality, data, or resources. Unlike Authentication failures (proving who you are), authorization bypass exploits failures in checking what you're allowed to do after you're authenticated.

This is a critical component of Broken Access Control (OWASP #1 vulnerability).

📊 Authorization vs Authentication

Authentication: "WHO are you?"
  → Login with username/password
  → "You are Alice"

Authorization: "WHAT can you do?"
  → Can Alice access /admin/delete-user?
  → NO (not admin) → 403 Forbidden
  → Bypass: Manipulate request to succeed anyway

⚔️ Common Bypass Techniques

1. Direct Object Reference

See: Insecure Direct Object Reference (IDOR)

Legitimate:
GET /api/user/123/profile  ← Your profile

Bypass:
GET /api/user/456/profile  ← Someone else's profile

Exploit: Change user ID to access other users' data.

2. Parameter Manipulation

Example 1: Privilege Escalation

Request:
POST /api/update-profile
Content-Type: application/json

{
  "username": "alice",
  "role": "admin"  ← Add admin role
}

If backend doesn't validate, Alice becomes admin.

Example 2: Hidden Parameters

Legitimate:
POST /checkout
price=100&item=widget

Bypass:
POST /checkout
price=1&item=widget  ← Change price

3. HTTP Method Manipulation

Blocked:
GET /admin/delete-user?id=123
→ 403 Forbidden

Bypass:
POST /admin/delete-user
id=123

→ 200 OK (method not checked)

Or try:

• PUT, DELETE, PATCH
• HEAD, OPTIONS, TRACE

4. Path Traversal / URL Manipulation

Legitimate:
/user/profile

Bypass attempts:
/user/../admin/profile
/admin/profile
/user/profile?admin=true
/user/profile%20%20%20  (trailing spaces)

5. Missing Function-Level Access Control

Scenario:
  - Regular user shouldn't access /admin panel
  - BUT: /admin/reports endpoint not protected

Exploit:
  - User navigates to /admin/reports
  - Backend forgets to check authorization
  - User accesses sensitive reports

6. Client-Side Enforcement Only

// Frontend hides admin button for non-admins
if (user.role !== 'admin') {
  hideElement('#deleteUserButton');
}

// BUT: API endpoint not protected
DELETE /api/users/123
→ Works anyway (client-side check only)

Exploit: Use Burp Suite, cURL, or browser dev tools to call API directly.

7. Token/Cookie Manipulation

Scenario:
Cookie: role=user

Bypass:
Cookie: role=admin  ← Change cookie value

If backend trusts cookie without verification → privilege escalation.

8. Race Conditions

# Vulnerable code
def withdraw_money(user_id, amount):
    balance = get_balance(user_id)
    if balance >= amount:
        # Race condition window here
        deduct_balance(user_id, amount)
        return "Success"

Exploit: Send multiple simultaneous requests to withdraw more than balance.

9. Multi-Step Process Bypass

Normal flow:
1. Request privilege escalation
2. Admin approves
3. System grants privileges

Bypass:
  - Skip step 2
  - Directly call step 3 API endpoint

💡 Real-World Examples

Example 1: GitHub Enterprise (2020)

Vulnerability: Authorization bypass via path traversal
Impact: Access to private repositories
Exploit: /repo/../../other-private-repo

Example 2: Facebook (2018)

Vulnerability: View As feature authorization flaw
Impact: Access tokens for 50M users compromised
Exploit: Chained bugs in access token generation

Example 3: Tesla (Bug Bounty)

Vulnerability: IDOR in vehicle management API
Impact: Control other users' vehicles
Exploit: Change vehicle VIN in API request

🛡️ Prevention & Secure Coding

1. Server-Side Validation (ALWAYS)

# BAD: Client-side only
if user.role == 'admin':  # JavaScript (bypassable)
    show_admin_panel()

# GOOD: Server-side enforcement
@require_role('admin')  # Backend decorator
def admin_panel():
    # Protected endpoint
    pass

2. Deny by Default

# BAD: Allow unless explicitly denied
if user.role != 'banned':
    allow_access()

# GOOD: Deny unless explicitly allowed
if user.role == 'admin':
    allow_access()
else:
    raise Unauthorized()

3. Validate on Every Request

# BAD: Check once at login
def login(user):
    session['is_admin'] = user.role == 'admin'

# Later: Trust session (can be tampered)
if session['is_admin']:
    delete_user()

# GOOD: Check every request
def delete_user(user_id):
    if not current_user.has_permission('delete_user'):
        raise Unauthorized()
    # Proceed

4. Use Secure References

# BAD: Predictable IDs
/api/user/1
/api/user/2

# GOOD: Unpredictable tokens
/api/user/7f3e5c2a-9b1d-4e6f-8c0a-3d2f1b4e5c6a

5. Implement Role-Based Access Control (RBAC)

class User:
    def has_permission(self, resource, action):
        return self.role.can(action, resource)

# Usage
if not current_user.has_permission('user', 'delete'):
    return 403

6. Log Authorization Failures

def check_authorization(user, resource):
    if not user.can_access(resource):
        log.warning(f"Authorization bypass attempt: {user.id} → {resource}")
        raise Unauthorized()

🔍 Testing for Authorization Bypass

Manual Testing

1. Create two accounts: admin + regular user
2. Identify admin-only endpoints
3. Test access with regular user session
4. Try:
   - Direct URL access
   - Parameter manipulation
   - HTTP method changes
   - IDOR attacks

Burp Suite Testing

1. Login as regular user
2. Identify admin request in proxy history
3. Send to Repeater
4. Replace admin session with user session
5. Check if request succeeds (bypass!)

Automated Testing

# OWASP ZAP
zap-cli quick-scan --spider http://target.com \
  --auth-form http://target.com/login \
  --auth-user user@example.com --auth-pass password

# Burp Suite Active Scan
# Checks for authorization issues automatically

🎤 Interview Angles

Q: What is authorization bypass and how does it differ from authentication bypass?

• Authentication: Proving identity (login)
• Authorization: Checking permissions (what you can do)
• Authorization Bypass: Circumventing permission checks to access unauthorized resources
• Example: Logged in as regular user, manipulate request to access admin panel

Q: How would you test for authorization bypass vulnerabilities?

STAR Example:
Situation: Testing web app with admin and user roles.
Task: Find authorization flaws.
Action:

• Created admin account and mapped all admin endpoints
• Logged in as regular user
• Used Burp Suite to replay admin requests with user session
• Tested IDOR by changing user IDs in requests
• Tried HTTP method manipulation (GET → POST)
  Result: Found 3 endpoints with missing authorization checks; reported to dev team; fixed before production.

Q: What's the most common authorization bypass you've seen?

• IDOR (changing user IDs in URLs/APIs)
• Client-side only enforcement (hiding buttons but not protecting APIs)
• Missing function-level access control (forgot to protect certain endpoints)
• Parameter manipulation (adding role=admin to requests)

Q: How do you prevent authorization bypass?

1. Server-side validation — Never trust client
2. Deny by default — Require explicit permissions
3. Check every request — Don't rely on session alone
4. Use frameworks — RBAC, policy engines
5. Test thoroughly — Automated + manual testing
6. Principle of Least Privilege — Grant minimal necessary permissions

🔗 Related Concepts

• Broken Access Control — OWASP category
• Insecure Direct Object Reference (IDOR) — Specific technique
• Privilege Escalation — Gaining higher permissions
• Authorization — Overall concept
• Authentication — Prerequisite step
• Role-Based Access Control (RBAC) — Authorization model