Methodology

Vertical Access Control Testing

Vertical access controls restrict access to resources according to the role or type of user. For example, an administrator can access more resources than a normal user. It is common for servers not to have correct vertical access controls in place.

Often it is possible to test vertical access controls by changing the role on the client side (for example, by modifying the network communication or the thick client executable). If it is not possible to change the role on the client side to view the functions for different roles, it might be possible to discover these functions in another way (enumeration, reverse engineering, ...).

In our example vulnerable application there is a simulation of a role request-response protocol, which informs the client application about the user role; the client then shows or hides the related functionality. If we analyse the communication, we can easily find out how to change the user role in the server response.

The data from the server contain:

00 00 00 0B 00 00 03 EE 00 00 00 0D 00 00 00 01 00 00 00 01 54 65 73 74 65 72

We can see that in the payload part there are the following bytes:

00 00 00 01 00 00 00 01 54 65 73 74 65 72

If we try changing the data, we find that the second "00 00 00 01" sequence is the identifier of the user role. We can easily find out that our role Guest is 0x00000001, User is 0x00000003 and Administrator is 0x00000005.

00 00 00 01 00 00 00 05 54 65 73 74 65 72

After changing the user role on the client side, we see the admin button for obtaining the secret, and if we click on it, we see that it works. This means that the server does not have correct vertical access control in place and the application relies on client-side verification.
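The message decoding described above, together with the server-side check that would close the gap, as an added example that is not part of the original page or its example application. The three header words are left uninterpreted (the page does not define them), and the session store and the `server_get_secret` handler are hypothetical.

```python
import struct

# Role identifiers recovered from the protocol on this page.
ROLES = {1: "Guest", 3: "User", 5: "Administrator"}
ADMIN_ROLE = 5

# Constructed from the byte sequences on the page: the original server
# response, and the same message with the role word rewritten to 5.
ORIGINAL = bytes.fromhex("0000000B000003EE0000000D0000000100000001546573746572")
TAMPERED = ORIGINAL[:16] + struct.pack(">I", ADMIN_ROLE) + ORIGINAL[20:]

def parse_role_response(data: bytes) -> dict:
    """Decode the message: three 32-bit big-endian header words (their
    meaning is not given on the page, so they are returned as-is), then the
    payload: one 32-bit word, the 32-bit role id and the ASCII username."""
    if len(data) < 20:
        raise ValueError("message too short for header and payload words")
    h0, h1, h2, payload_word, role_id = struct.unpack(">IIIII", data[:20])
    return {
        "header": (h0, h1, h2),
        "payload_word": payload_word,
        "role_id": role_id,
        "role": ROLES.get(role_id, "unknown(0x%08X)" % role_id),
        "name": data[20:].decode("ascii", errors="replace"),
    }

# Hypothetical server-side session store: session id -> role fixed at login.
SESSIONS = {"sess-42": 1}  # the "Tester" session was issued as Guest

def server_get_secret(session_id: str, claimed_role_id: int) -> tuple:
    """Hardened handler: the decision uses only the server's own record of
    the session's role. Whatever role the client displays or claims is only
    compared for detection and is never used for the authorization decision."""
    actual_role = SESSIONS.get(session_id)
    if actual_role is None:
        return 401, "unknown session"
    if actual_role != ADMIN_ROLE:
        reason = "forbidden"
        if claimed_role_id != actual_role:
            # Worth logging: the client's view of its role disagrees with ours.
            reason += " (client claimed role %d)" % claimed_role_id
        return 403, reason
    return 200, "secret"
```

Parsing `TAMPERED` shows the client would now believe it is Administrator, while `server_get_secret` still refuses because the session was issued as Guest.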