Lab 11: Method-Based Access Control Bypass — How It Works, Real Bounties, and How to Test It
morgan_hack
April 9, 2026 (Updated: April 9, 2026)
Some applications enforce access control only for specific HTTP methods (e.g. POST), while trusting or ignoring others (e.g. GET). An attacker can exploit this by switching to an alternative method to perform privileged actions as a low-privilege user.
This is not just a lab exercise. This vulnerability class has been paid out repeatedly on real bug bounty programs.
$3,000 — E-commerce platform (HackerOne, Critical). A researcher found that POST /api/admin/users/promote was protected, but sending the same parameters via GET /api/admin/users/promote?role=admin bypassed the middleware entirely. Any authenticated user could escalate themselves to admin.
$1,500 — SaaS dashboard (method override header). The application respected the X-HTTP-Method-Override: GET header. Sending a POST request with that header caused the server to treat it as a GET, bypassing both the CSRF check and the role check. Escalated from medium to high after a PoC demonstrated self-promotion to org admin.
$800 — Internal HR portal (grey-box pentest). The dev team added role checks only to POST and PATCH. Sending PUT to the same role-update endpoint succeeded with no privilege check at all. Found and reported during a grey-box engagement, fixed within 48 hours.
1. Log in as admin
Use the provided admin credentials to log in to the application.
2. Navigate to the admin panel and promote carlos
Find the user management feature, promote the user carlos, and intercept the request in Burp Suite. Send it to Burp Repeater for reference.
3. Log in as a non-admin user
Switch accounts and intercept the same promote request while logged in with low-privilege credentials.
4. Convert to GET request
Right-click the request in Burp Repeater → Change request method. Burp automatically converts the body parameters into URL query string parameters:
GET /admin/roles?username=carlos&action=upgrade HTTP/1.1
5. Change username to your own and send
Replace carlos with your non-admin username, then send the request. The server processes the upgrade without checking privileges for GET.
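The root cause in the lab and in all three bounty reports is the same: the role check is keyed on the HTTP method rather than on the route. The following Python is an added example, not code from the original post or from the lab application; it models a minimal request, a vulnerable policy that only guards POST and honours X-HTTP-Method-Override, and a hardened policy that checks the privileged path for every method and ignores override headers. The path /admin/roles is taken from the lab request above; the user names, the header dictionary and the handler are constructed for illustration.

```python
"""Constructed example: method-based access control bypass, vulnerable vs hardened."""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Hypothetical set of privileged routes; /admin/roles is the lab's role-update path.
ADMIN_ROUTES = {"/admin/roles"}


@dataclass
class Request:
    method: str
    url: str
    user: str
    role: str                                  # role comes from the session, never from the request
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)

    @property
    def path(self) -> str:
        return urlsplit(self.url).path

    @property
    def params(self) -> dict:
        """Merge query-string and body parameters, as many frameworks do.
        This merging is why a GET with a query string reaches the same handler logic."""
        merged = {k: v[0] for k, v in parse_qs(urlsplit(self.url).query).items()}
        merged.update(self.body)
        return merged


def vulnerable_authorize(req: Request) -> bool:
    """The bug class from the post: the role check fires only for POST.
    GET, PUT and PATCH pass straight through, and a POST carrying
    X-HTTP-Method-Override can demote itself to GET to skip the check."""
    effective = req.headers.get("X-HTTP-Method-Override", req.method).upper()
    if req.path in ADMIN_ROUTES and effective == "POST":
        return req.role == "admin"
    return True


def hardened_authorize(req: Request) -> bool:
    """Fix: authorize the route, not the method, and ignore override headers."""
    if req.path in ADMIN_ROUTES:
        return req.role == "admin"
    return True


def promote_user(req: Request, authorize) -> str:
    """Role-upgrade handler; returns the outcome so the two policies can be compared."""
    if not authorize(req):
        return "403 forbidden"
    target = req.params.get("username", "")
    if req.params.get("action") != "upgrade" or not target:
        return "400 bad request"
    return f"200 {target} promoted"


if __name__ == "__main__":
    # Low-privilege user replays the promote request as GET (lab step 4/5) and via override header.
    low_get = Request("GET", "/admin/roles?username=lowpriv&action=upgrade", "lowpriv", "user")
    low_override = Request("POST", "/admin/roles", "lowpriv", "user",
                           headers={"X-HTTP-Method-Override": "GET"},
                           body={"username": "lowpriv", "action": "upgrade"})
    for req in (low_get, low_override):
        print("vulnerable:", promote_user(req, vulnerable_authorize),
              "| hardened:", promote_user(req, hardened_authorize))
```

The hardened policy also makes the CSRF observation from the second bounty moot: once authorization is tied to the route, a method override can no longer change which checks apply. When reviewing middleware, grep for conditions of the form `if method == "POST"` around role checks; any such condition is a candidate for exactly this bypass.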
#web3 #cybersecurity #bug-bounty #ethical-hacking #website