Unrestricted Access
Unrestricted Access can be possible in many endpoints and many applications. I am going to discuss a few of my experiences with this here.
One application I tested was an ISP. They have free internet hotspots across the city for users to access the internet. But this had a 45 minute restriction for every 24 hours, i.e., for every 24 hours users can get 45 mins of unrestricted high speed internet over a single phone number. While testing such an infrastructure, I found a way to get unrestricted access to the internet.
One way of exploiting such a thing is bypassing all mechanisms of validation, i.e., bypass the login response using response manipulation and log in as an anonymous user, or a user with no phone number or an invalid phone number, and thereby repeat the same process every 15 mins.
Well, the application also did not have session tokens or expiry tokens in its requests, which makes for another way of exploitation with a valid number. Apparently, log in with a valid number, then capture the validation request, and then repeat the same after 45 mins of time, which gives unrestricted access for a new 45 mins period.
Most of the time, such unrestricted access appears in API endpoints which are poorly secured.
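The controls whose absence is described above (a login decision the client cannot edit, an expiring session token, and a validation request that cannot be sent twice), shown as an added example that is not the ISP's code. The `HotspotGate` class, its method names and the sample phone number are assumptions, and the 45 minutes are counted from the first login in each 24 hour window as a simplification.

```python
import hashlib
import hmac
import secrets

QUOTA_SECONDS = 45 * 60          # free allowance per phone number
WINDOW_SECONDS = 24 * 60 * 60    # length of the allowance window

class HotspotGate:
    """Hypothetical gateway state; nothing here trusts a client-editable value."""

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)
        self.window_start = {}     # phone -> start of its current 24 h window
        self.seen_nonces = set()   # validation nonces already redeemed

    def _sign(self, phone, nonce, expires):
        msg = f"{phone}|{nonce}|{expires}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def login(self, phone, otp_verified, now):
        """otp_verified is the server's own check result, never a response
        field echoed back by the client."""
        if not phone or not otp_verified:
            return None                            # anonymous or unverified
        start = self.window_start.get(phone)
        if start is None or now - start >= WINDOW_SECONDS:
            start = self.window_start[phone] = now  # open a new 24 h window
        expires = start + QUOTA_SECONDS
        if now >= expires:
            return None                            # allowance already used
        nonce = secrets.token_hex(16)
        return {"phone": phone, "nonce": nonce, "expires": expires,
                "mac": self._sign(phone, nonce, expires)}

    def validate(self, token, now):
        """Gateway-side check of the validation request."""
        try:
            phone, nonce, expires = token["phone"], token["nonce"], token["expires"]
            ok = hmac.compare_digest(token["mac"], self._sign(phone, nonce, expires))
        except (KeyError, TypeError):
            return False                           # malformed token
        if not ok or now >= expires or nonce in self.seen_nonces:
            return False                           # edited, expired or replayed
        self.seen_nonces.add(nonce)
        return True
```
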