From unauthorized access to logic flaws

Posted by barello at 2020-03-01

Introduction to unauthorized access

Broadly, unauthorized access (broken access control) falls into three categories: unauthenticated access, horizontal privilege escalation and vertical privilege escalation.

Unauthenticated access: accessing, adding, deleting, modifying or querying resources that should require authentication, without any authorization at all.

Vertical privilege escalation: a low-privilege account crosses over into actions reserved for a higher-privilege role.

Horizontal privilege escalation, as the name implies, is when an account at the same privilege level adds, deletes, modifies or queries another user's data or orders without ever logging into that user's account.
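As an added example (not code from the original post), the following Python sketch puts one order-lookup endpoint that exhibits all three failures beside a hardened version that checks identity, ownership and role; the users, roles, orders and the `Request` type are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: orders keyed by id, each owned by one user.
ORDERS = {
    1001: {"owner": "alice", "item": "keyboard"},
    1002: {"owner": "bob", "item": "monitor"},
}
# Constructed role table: "user" is low privilege, "admin" is high privilege.
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}


@dataclass
class Request:
    user: Optional[str]   # None models a request with no authenticated identity
    order_id: int
    action: str           # "read" or "delete"


def vulnerable_get_order(req: Request):
    """Looks the order up by id alone. No identity check means unauthenticated
    access works, and no ownership check means any user can read any order
    (horizontal escalation)."""
    return ORDERS.get(req.order_id)


def secure_order_action(req: Request):
    """Enforces authentication, ownership (horizontal) and role (vertical)."""
    # 1. Unauthenticated access: reject requests with no known identity.
    if req.user is None or req.user not in ROLES:
        return "401 unauthenticated"
    order = ORDERS.get(req.order_id)
    is_admin = ROLES[req.user] == "admin"
    # 2. Horizontal escalation: only the owner (or an admin) may touch it.
    #    A missing order and someone else's order both answer 404, so the
    #    response does not confirm which ids exist.
    if order is None or (order["owner"] != req.user and not is_admin):
        return "404 not found"
    # 3. Vertical escalation: deletion is an admin-only action.
    if req.action == "delete":
        if not is_admin:
            return "403 forbidden"
        del ORDERS[req.order_id]
        return "200 deleted"
    if req.action == "read":
        return order
    return "400 bad action"
```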

Let's take a look at some cases.

Statement: the above vulnerability comics are from Xiaochuan of