• Horizontal (low degree user1—>user10)
• Vertical (High degree User1—>admin)
• Broken Access Control
  • Horizontal BAC
  • vertical BAC
  • Context-based AC (particular to a functionality)

What type of parameter falls into this type of PE or BAC

• parameter which requests on behalf of user1 for user10 for password change or any changes in the other parameter such as name, account no, card details, shopping details etc this should be checked using burpsuite
• account=1 → Account 1 is usually the admin account
• User_id=3
• Account_id=3
• delete card
• add card
• /Account/1010/setting/delete-card —> Here 1010 should be the account id

Now vertical PE parameters can be like

• Admin=false
• X-Orignal-URL:/Admin

Testing methods Mitigation