help naming a vulnerability

tedjames (Scruffy-looking nerfherdr), Posts: 1,038, Member
edited July 2 in Off-Topic
URL: https://www.bedrock.com/accounts/aspx?user=fredflintstone

Essentially, I'm logged in as fredflintstone and can view his account info. Suppose I know the name of another user and modify the URL: https://www.bedrock.com/accounts/aspx?user=joerockhead

Now I can see joerockhead's account info. Moreover, I can modify joerockhead's info and even delete it.

What would you call that vulnerability?

Edit: I know this is bad form. Just trying to learn.

Comments

  • iBrokeIT (GXPN GPEN GWAPT GCIH GCFE GICSP GSEC eJPT Sec+), Posts: 1,243, Member
    edited July 2
    For web vulnerabilities start with the OWASP Top 10.

    "A2:2017-Broken Authentication: Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently."

    https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
  • tedjames (Scruffy-looking nerfherdr), Posts: 1,038, Member
    Fantastic, thank you!
  • LonerVamp (OSCP, GCFA, GWAPT, CISSP, OSWP, CCNA Cyber Ops, Sec+, Linux+, AWS CCP, CCSK), Posts: 379, Member
    I would actually call this a Broken Access control issue.

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, CCNA Cyber Ops, Sec+, Linux+, AWS CCP, CCSK
    2019 goals: GWAPT, Linux+, (possible: SLAE, CCSK, AWS SA-A)
  • tedjames (Scruffy-looking nerfherdr), Posts: 1,038, Member
    LonerVamp said:
    I would actually call this a Broken Access control issue.
    After reading the descriptions of both on OWASP, I believe that Broken Access is the correct name for this type of vulnerability. Thanks!
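As an added illustration of the Broken Access Control conclusion above (example code, not from any poster): a minimal model of the account endpoint in the question, the vulnerable handler that trusts the `user` query parameter beside a fixed handler that binds the served record to the authenticated session and logs any mismatch for monitoring. The account data, session tokens and the `get_account_*` function names are constructed for this example.

```python
# Added example (not from the thread): a minimal model of the account
# endpoint described above, vulnerable form beside the fixed form.
# Account data, user names and session tokens are constructed for illustration.
from urllib.parse import urlparse, parse_qs

ACCOUNTS = {"fredflintstone": {"balance": 100}, "joerockhead": {"balance": 250}}
SESSIONS = {"sess-fred": "fredflintstone"}  # session token -> authenticated user
AUDIT_LOG = []  # denied requests land here so tampering is visible to monitoring

def user_from_url(url):
    # Extract the ?user= parameter exactly as the server would see it.
    return parse_qs(urlparse(url).query).get("user", [None])[0]

def get_account_vulnerable(url, session_token):
    # Vulnerable: authenticates the session, then trusts the URL parameter
    # to decide whose record to return. Any logged-in user can read another
    # user's account by changing ?user= (Broken Access Control / IDOR).
    if session_token not in SESSIONS:
        return {"status": 401}
    target = user_from_url(url)
    if target not in ACCOUNTS:
        return {"status": 404}
    return {"status": 200, "account": ACCOUNTS[target]}

def get_account_fixed(url, session_token):
    # Fixed: the record served is derived from the authenticated identity,
    # never from the request. A URL that names a different user is denied
    # and recorded, which is the detection signal for parameter tampering.
    if session_token not in SESSIONS:
        return {"status": 401}
    actor = SESSIONS[session_token]
    target = user_from_url(url)
    if target != actor:
        AUDIT_LOG.append(f"denied: session user {actor} requested user={target}")
        return {"status": 403}
    return {"status": 200, "account": ACCOUNTS[actor]}
```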