help naming a vulnerability

tedjamestedjames Member Posts: 1,179 ■■■■■■■■□□
edited July 2019 in Off-Topic
URL: https://www.bedrock.com/accounts/aspx?user=fredflintstone

Essentially, I'm logged in as fredflintstone and can view his account info. Suppose I know the name of another user and modify the URL: https://www.bedrock.com/accounts/aspx?user=joerockhead

Now I can see joerockhead's account info. Moreover, I can modify  joerockhead's info and even delete it.

What would you call that vulnerability?

Edit: I know this is bad form. Just trying to learn.


  • Options
    iBrokeITiBrokeIT Member Posts: 1,318 ■■■■■■■■■□
    edited July 2019
    For web vulnerabilities start with the OWASP Top 10.

    "A2:2017-Broken Authentication: Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently. "

    2019: GPEN | GCFE | GXPN | GICSP | CySA+ 
    2020: GCIP | GCIA 
    2021: GRID | GDSA | Pentest+ 
    2022: GMON | GDAT
    2023: GREM  | GSE | GCFA

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops SANS Grad Cert: Incident Response
  • Options
    tedjamestedjames Member Posts: 1,179 ■■■■■■■■□□
    Fantastic, thank you!
  • Options
    LonerVampLonerVamp Member Posts: 518 ■■■■■■■■□□
    I would actually call this a Broken Access control issue.

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
    2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
  • Options
    tedjamestedjames Member Posts: 1,179 ■■■■■■■■□□
    LonerVamp said:
    I would actually call this a Broken Access control issue.
    After reading the descriptions of both on OWASP, I believe that Broken Access is the correct name for this type of vulnerability. Thanks!
Sign In or Register to comment.