Attacking Access Control Models in Modern Web Apps

  • 14:00
  • Thu
  • 16 Nov
Briefing Stage 4


In this presentation, we will explore the range of access control models used in modern web applications and shed light on the security vulnerabilities commonly found in them. We will focus on four classes of privilege escalation issue:

- Missing Permission Checks
- Permission Overrides
- Permission Group Overrides
- Design Flaws

each of which can compromise an otherwise sound access control model.
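To make the first three classes concrete, here is a constructed toy model added for this page; it is not code from the talk, and the policy semantics, group names and users are assumptions. Group and per-user policies map a permission to "allow" or "deny". The vulnerable resolver takes the union of allows and never consults a deny, which is exactly how a restrictive group (a group override) or a per-user deny (a permission override) gets silently overridden; the vulnerable export handler has no permission check at all. The fixed resolver is deny-by-default with explicit deny winning at every level, and `find_escalations` diffs the two, which is the comparison a tester performs when replaying the same requests under different sessions.

```python
# Constructed toy access-control model (not the speaker's code). Policy
# semantics, group names, permissions and users are assumptions made for
# illustration only.
from dataclasses import dataclass, field

GROUP_POLICY = {
    "viewer":     {"doc:read": "allow"},
    "editor":     {"doc:read": "allow", "doc:write": "allow", "doc:export": "allow"},
    "contractor": {"doc:export": "deny"},   # group intended to block exports
    "admin":      {"doc:read": "allow", "doc:write": "allow",
                   "doc:export": "allow", "user:delete": "allow"},
}


@dataclass
class User:
    name: str
    groups: list
    overrides: dict = field(default_factory=dict)  # per-user perm -> allow/deny


DOCS = {"d1": "quarterly-numbers"}  # constructed resource store

# Constructed test population
USERS = {
    "bob":   User("bob", ["editor", "contractor"]),              # group override case
    "alice": User("alice", ["editor"], {"doc:export": "deny"}),  # user override case
    "carol": User("carol", ["viewer"]),                          # plain low-privilege user
    "root":  User("root", ["admin"]),
}
PERMS = ["doc:read", "doc:write", "doc:export", "user:delete"]


def resolve_vulnerable(user, perm):
    """Union of allows. A "deny" at group or user level is never consulted,
    so a restrictive group or a per-user deny is silently overridden."""
    if any(GROUP_POLICY.get(g, {}).get(perm) == "allow" for g in user.groups):
        return True
    return user.overrides.get(perm) == "allow"


def resolve_fixed(user, perm):
    """Deny-by-default: an explicit deny at any level wins over every allow,
    and a permission with no decision at all is refused."""
    decisions = [GROUP_POLICY.get(g, {}).get(perm) for g in user.groups]
    decisions.append(user.overrides.get(perm))
    if "deny" in decisions:
        return False
    return "allow" in decisions


# Handlers modelled as plain functions that receive the authenticated user.
def export_doc_vulnerable(user, doc_id):
    # Missing permission check: the server trusts that the UI hid the button.
    return DOCS[doc_id]


def export_doc_fixed(user, doc_id):
    if not resolve_fixed(user, "doc:export"):
        raise PermissionError(f"{user.name} may not doc:export")
    return DOCS[doc_id]


def find_escalations(users=USERS, perms=PERMS):
    """Every (user, perm) the vulnerable resolver grants but the fixed one
    refuses: the diff a tester looks for when comparing responses across
    sessions of different privilege."""
    return sorted(
        (u.name, p) for u in users.values() for p in perms
        if resolve_vulnerable(u, p) and not resolve_fixed(u, p)
    )


if __name__ == "__main__":
    for name, perm in find_escalations():
        print(f"escalation: {name} gets {perm} under the vulnerable resolver")
    # The viewer can export regardless of policy because the check is missing.
    print(export_doc_vulnerable(USERS["carol"], "d1"))
```

The point of the fixed resolver is ordering: collect every decision first, let any deny short-circuit, and only then look for an allow, so adding a user to a second group or setting a per-user override can never widen access beyond what every applicable policy agrees to.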

Additionally, we will introduce a methodology consisting of three techniques to identify and address broken access control issues effectively:
1) Backward Approach
2) Forward Approach
3) Mixed Approach

To make access control testing more efficient, we will discuss Burp Suite extensions that automate parts of the process and show how they fit into the three approaches above.

Moreover, we will present an analysis of 1000 broken access control issues and highlight notable trends, such as which technologies and HTTP methods are most often affected.

By the end of the talk, attendees will have a clear picture of why access control is central to web application security, along with actionable guidance for protecting their organizations against unauthorized access.