# 2) Horizontal Access Control

It is a mechanism that restricts access to resources to specific users.

For example: in a banking application, a user is allowed to view transactions and make payments from their own account, but not from the account of any other user.

## Example of broken horizontal access controls

Horizontal privilege escalation occurs when a user is able to gain access to resources belonging to another user, instead of their own resources of that type.

```
https://insecure-website.com/myaccount?id=123
```

If an attacker modifies the `id` parameter value to that of another user, they might gain access to another user's account page, and the associated data and functions.

### User ID controlled by request parameter, with unpredictable user IDs

Bypasses:

* Check the base64 or md5 of your own user ID first. If this is fruitful, create a base64/md5 of a random value and then check.
* Find other users' IDs in other parts of the website, like posts, comments, messages, reviews etc.
* Make 2 accounts on the website, then try swapping the user IDs and see whether it works or not.
* In some cases, an application does detect when the user is not permitted to access the resource and returns a redirect to the login page, but the response body still contains some sensitive information belonging to the target user.
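The following is an added example, not code from the page or from the site it documents. It models the `/myaccount?id=...` endpoint above with three request handlers: one that trusts the client-supplied `id` (the broken control from the example), one that detects the violation but still ships the target's data in the body of the redirect to the login page (the last bypass in the list), and one that decides ownership from the server-side session, returns an empty denial and records an audit event for detection. `ACCOUNTS`, `Response`, `AUDIT_LOG` and the handler names are all constructed for this demonstration.

```python
"""Horizontal access control on a per-user endpoint (added example).

Models the `/myaccount?id=...` endpoint from the text with three handlers:
one that trusts the client-supplied id (broken), one that detects the
violation but still leaks the record in a redirect body, and one that
enforces ownership from the server-side session. ACCOUNTS, Response and
AUDIT_LOG are constructed for this demonstration.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample data keyed by user ID (the value the `id` parameter carries).
ACCOUNTS = {
    123: {"owner": "alice", "balance": 1500, "transactions": ["tx-1", "tx-2"]},
    456: {"owner": "bob", "balance": 20, "transactions": ["tx-9"]},
}

# Security events a detection rule could alert on (e.g. many denials from one session).
AUDIT_LOG: list[dict] = []


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def parse_id(url: str) -> Optional[int]:
    """Extract the `id` query parameter as an int; None if absent or malformed."""
    values = parse_qs(urlsplit(url).query).get("id")
    if not values or not values[0].isdigit():
        return None
    return int(values[0])


def vulnerable_myaccount(session_user_id: int, url: str) -> Response:
    """Broken: the id in the URL selects the record, the session is never consulted."""
    requested = parse_id(url)
    account = ACCOUNTS.get(requested)
    if account is None:
        return Response(404)
    return Response(200, body=account)


def leaky_myaccount(session_user_id: int, url: str) -> Response:
    """Checks ownership, but renders the page before the check and ships it with the 302."""
    requested = parse_id(url)
    account = ACCOUNTS.get(requested)
    if account is None:
        return Response(404)
    rendered = dict(account)  # page already built from the target user's data
    if requested != session_user_id:
        # Bug: a redirect is issued, yet `rendered` still travels in the response body.
        return Response(302, body=rendered, headers={"Location": "/login"})
    return Response(200, body=rendered)


def secure_myaccount(session_user_id: int, url: str) -> Response:
    """Ownership decided from the session; a mismatch is denied with an empty body and logged."""
    requested = parse_id(url)
    if requested is None:
        return Response(400)
    if requested != session_user_id:
        AUDIT_LOG.append({"event": "horizontal_access_denied",
                          "session_user": session_user_id, "requested": requested})
        return Response(403)  # no body, no Location header, nothing about the target
    account = ACCOUNTS.get(session_user_id)  # load by the trusted identity only
    if account is None:
        return Response(404)
    return Response(200, body=account)


if __name__ == "__main__":
    target = "https://insecure-website.com/myaccount?id=456"
    print("vulnerable:", vulnerable_myaccount(123, target))
    print("leaky     :", leaky_myaccount(123, target))
    print("secure    :", secure_myaccount(123, target), AUDIT_LOG[-1])
```

The key design choice in `secure_myaccount` is that the record is loaded by the identity stored in the session, so the request parameter can only confirm what the server already knows, never widen it; the denial response carries no body so the redirect-leak bypass has nothing to harvest, and the audit entry gives a detection hook for repeated probing of other users' IDs.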
