session-hijackingtries to take over another user’s active session over several turns.bola-exploitchanges an object ID (like another user’s record number) to read data that is not theirs.bfla-exploitcalls a function or action meant only for admins or other roles.debug-mode-exploittries to switch the system into a debug mode that leaks internals or skips checks.
Attack Strategies
Access Control: Attack Strategy
These attacks try to reach data or actions the user is not allowed to touch. The goal is to break the rules about who can do what.
What it is: These attacks try to reach data or actions the user is not allowed to touch. The goal is to break the rules about who can do what.
How the attacks work: The attacker pretends to be someone else, swaps in another person’s ID, or flips on hidden debug features. They look for gaps where the system trusts the request without checking permission properly.
Real examples from the framework: