# 5) Miscellaneous Broken Access Control

## **1) Broken access control resulting from platform misconfiguration**

Some applications enforce access controls at the platform layer. They do this by restricting access to specific URLs and HTTP methods based on the user's role.

For example, an application might configure a rule as follows:

```
DENY: POST, /admin/deleteUser, managers
```

Various things can go wrong in this situation, leading to access control bypasses.

Some application frameworks support various non-standard HTTP headers that can be used to override the URL in the original request, such as `X-Original-URL` and `X-Rewrite-URL`.

If the application allows the URL to be overridden via a request header, then it might be possible to bypass the access controls using a request like the following:

```
POST / HTTP/1.1
X-Original-URL: /admin/deleteUser
...
```

Some websites tolerate different HTTP request methods when performing an action. If the platform-layer rule only covers `POST` but the application also accepts `GET` (or another method) for the same action, an attacker can send the alternative method to the restricted URL and bypass the access control that is implemented at the platform layer.
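The following is an added example, not code from the original page, that simulates both bypasses in one small model: a platform-layer deny rule that only sees the literal request line, in front of a framework that honours `X-Original-URL` / `X-Rewrite-URL` and a handler that tolerates any HTTP method. The rule set, route names and the `honor_override` / `method_tolerant` switches are constructed for illustration.

```python
# Constructed simulation of a platform-layer ACL in front of a small app.
# Hypothetical deny rule set, mirroring the rule quoted above: (method, path, role).
DENY_RULES = [("POST", "/admin/deleteUser", "managers")]

# Non-standard headers some frameworks use to override the request URL.
OVERRIDE_HEADERS = ("X-Original-URL", "X-Rewrite-URL")


def platform_acl(method, path, role):
    """Platform-layer check: it only ever looks at the literal request line."""
    return not any(m == method and p == path and r == role for m, p, r in DENY_RULES)


def effective_path(path, headers, honor_override):
    """The framework's view of the URL. A framework that honours override
    headers rewrites the path *after* the platform ACL has already run."""
    if honor_override:
        for h in OVERRIDE_HEADERS:
            for name, value in headers.items():
                if name.lower() == h.lower():
                    return value
    return path


def app_dispatch(method, path, method_tolerant):
    """The application's routing. method_tolerant=True accepts any verb for
    the delete action, which is the second weakness discussed above."""
    if path == "/admin/deleteUser":
        if method == "POST" or method_tolerant:
            return "user deleted"
        return "405 method not allowed"
    if path == "/":
        return "home"
    return "404"


def handle(method, path, headers, role, honor_override=True, method_tolerant=True):
    """Full request path: platform ACL first, then framework URL resolution, then app."""
    if not platform_acl(method, path, role):
        return "403 blocked by platform ACL"
    return app_dispatch(method, effective_path(path, headers, honor_override), method_tolerant)


def run_cases(honor_override, method_tolerant):
    """Exercise the three requests discussed above against one configuration."""
    role = "managers"
    opts = dict(honor_override=honor_override, method_tolerant=method_tolerant)
    return {
        "direct": handle("POST", "/admin/deleteUser", {}, role, **opts),
        "header_override": handle("POST", "/", {"X-Original-URL": "/admin/deleteUser"}, role, **opts),
        "method_swap": handle("GET", "/admin/deleteUser", {}, role, **opts),
    }


if __name__ == "__main__":
    print("vulnerable:", run_cases(honor_override=True, method_tolerant=True))
    print("hardened:  ", run_cases(honor_override=False, method_tolerant=False))
```

In the vulnerable configuration only the direct request is blocked; the header-override request reaches the delete handler because the ACL saw `/`, and the `GET` request reaches it because the rule only names `POST`. Disabling the override headers (or stripping them at the edge) and rejecting non-`POST` verbs closes both paths; a deny rule that covers every method for the admin path, rather than just `POST`, is the more robust platform-side fix.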

## **2) Broken access control resulting from URL-matching discrepancies**

**Different Bypasses to try:**

* Check how the access control mechanism matches paths compared with the application's own routing. If a request to `/ADMIN/DELETEUSER` is routed by the application to the `/admin/deleteUser` endpoint but the access control rule only matches the exact, case-sensitive path, the access control mechanism is less tolerant than the application and will fail to enforce the correct restrictions as a result.

* Similar discrepancies can arise if developers using the Spring framework have enabled the `useSuffixPatternMatch` option. This allows paths with an arbitrary file extension to be mapped to an equivalent endpoint with no file extension. In other words, a request to `/admin/deleteUser.anything` would still match the `/admin/deleteUser` pattern.

* On other systems, you may encounter discrepancies in whether `/admin/deleteUser` and `/admin/deleteUser/` are treated as distinct endpoints.
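The following is an added example, not code from the original page, that models all three discrepancies in the list above: a strict access control matcher that compares the literal path, beside an application router that normalises case, strips an arbitrary file extension (as Spring's `useSuffixPatternMatch` does) and ignores a trailing slash. The probe list, the `app_normalize` helper and its option names are constructed for illustration; the hardened variant simply makes the ACL apply the same normalisation as the router.

```python
import re

# Hypothetical protected endpoint, as used throughout the page.
PROTECTED = "/admin/deleteUser"

# Constructed probe list: the literal path plus the variants discussed above.
VARIANTS = [
    "/admin/deleteUser",
    "/ADMIN/DELETEUSER",            # case discrepancy
    "/admin/deleteUser.anything",   # suffix pattern matching
    "/admin/deleteUser/",           # trailing slash
    "/admin/deleteuser.json",       # case and suffix combined
]


def acl_matches_strict(path):
    """Less tolerant platform ACL: exact, case-sensitive string comparison."""
    return path == PROTECTED


def app_normalize(path, case_insensitive=True, suffix_pattern_match=True,
                  ignore_trailing_slash=True):
    """Tolerant application router: the canonical form it matches routes against."""
    p = path
    if ignore_trailing_slash and len(p) > 1 and p.endswith("/"):
        p = p[:-1]
    if suffix_pattern_match:
        # Drop a file extension from the last path segment only.
        p = re.sub(r"\.[^/.]+$", "", p)
    if case_insensitive:
        p = p.lower()
    return p


def app_routes_to_protected(path, **opts):
    """True when the application would dispatch this path to the protected handler."""
    return app_normalize(path, **opts) == app_normalize(PROTECTED, **opts)


def acl_matches_normalized(path):
    """Hardened ACL: match on the same canonical form the router uses."""
    return app_normalize(path) == app_normalize(PROTECTED)


def find_bypasses(acl, app_matches, candidates):
    """Paths the ACL lets through but the application still routes to the
    protected handler. Each entry is a URL-matching discrepancy."""
    return [c for c in candidates if not acl(c) and app_matches(c)]


if __name__ == "__main__":
    print("strict ACL bypasses:    ", find_bypasses(acl_matches_strict, app_routes_to_protected, VARIANTS))
    print("normalized ACL bypasses:", find_bypasses(acl_matches_normalized, app_routes_to_protected, VARIANTS))
```

With the strict ACL every variant except the literal path slips through, because the router canonicalises the request after the control has already decided. Making the ACL canonicalise the same way (or tightening the router so it stops accepting the variants, for example by disabling suffix pattern matching) removes the gap; the durable rule is that whatever component enforces access must see the path in exactly the form the dispatching component will act on.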


