Burp Suite User Forum


Privilege Escalation

Srinivashan | Last updated: Feb 10, 2020 01:41PM UTC

Hi, I have done security testing in Burp Suite, and while doing so we faced the below issue for our application. Issue description: The application has different levels of user access: General user and Admin user. The Admin user has access to the master module, whereas the general user is not allowed access to these modules within the application. It was possible for a normal user to access features allowed only to the admin user by manipulating the URL component. By scanning using Burp Suite Pro, I retrieved the above issue, but I couldn't reproduce it manually using intercepts. Can you help me out in identifying the issue manually?

Michelle, PortSwigger Agent | Last updated: Feb 18, 2020 10:16AM UTC

This was originally posted on 12th Feb, but there appears to have been an issue with it displaying on the forum; please accept our apologies. Hi, how did you reproduce the issue? There are many reasons that reproduction can be non-trivial. For example, the request in the issue description may contain a session cookie that has expired by the time you try to reproduce it. The Burp scanning engine is one of the most accurate available, but false positives can occur with any scanner. Can you provide a screenshot of the request and response from the issue? We may be able to provide further advice based on that.
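As an added example (not from this thread, and not PortSwigger's code), the check below replays admin-only URLs with a general-user session and compares the result against a fresh admin session, which separates a real access-control failure from the stale-cookie case the reply describes. The in-memory VulnerableApp and FixedApp classes, the session cookies and the /admin/ paths are constructed stand-ins for the poster's application.

```python
# Constructed admin-only URLs for the demonstration app.
ADMIN_PATHS = ["/admin/master", "/admin/users"]


class VulnerableApp:
    """Checks that a session exists, then trusts the URL to keep general
    users out of the admin module (the behaviour the scanner reported)."""
    SESSIONS = {"sess-admin": "admin", "sess-user": "general"}  # constructed

    def get(self, path, cookie):
        role = self.SESSIONS.get(cookie)
        if role is None:
            return 302, "redirect to /login"   # unknown or expired session
        if path.startswith("/admin/"):
            return 200, "master module"        # bug: no role check here
        return 200, "home"


class FixedApp(VulnerableApp):
    """Same app with a server-side role check on every admin request."""

    def get(self, path, cookie):
        role = self.SESSIONS.get(cookie)
        if role is None:
            return 302, "redirect to /login"
        if path.startswith("/admin/") and role != "admin":
            return 403, "forbidden"
        return super().get(path, cookie)


def check_access(app, admin_cookie, user_cookie, paths=ADMIN_PATHS):
    """Return {path: verdict}. A non-200 answer for the admin session means
    the reference session is stale, so the path is marked inconclusive
    instead of being counted as a pass or a fail."""
    results = {}
    for path in paths:
        admin_status, admin_body = app.get(path, admin_cookie)
        if admin_status != 200:
            results[path] = "inconclusive: admin session not valid"
            continue
        user_status, user_body = app.get(path, user_cookie)
        if user_status == 200 and user_body == admin_body:
            results[path] = "VULNERABLE: general user sees admin content"
        else:
            results[path] = f"ok: general user got {user_status}"
    return results
```

Run the same check against the live application with freshly issued cookies for both accounts; an "inconclusive" verdict is the signal to log in again rather than to close the finding as a false positive.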
