This type of vulnerability usually requires manual testing, because it depends on application logic rather than payload injection. Our AI system identified cross-role authorization vulnerabilities where encrypted identifiers from privileged users could be reused by lower-privilege users.

The Vulnerability

The application used encrypted resource identifiers, giving developers a false sense of security. The assumption was: "if the ID is encrypted, users can't guess other resources." But the real issue was authorization. The server never verified whether the requesting user had permission to access the resource, only whether the ID was valid.

Attack Scenario

A low-privilege user could capture encrypted IDs from API responses meant for admin users. By replaying these IDs in their own requests, they could access admin-level resources, modify configurations, and extract sensitive data, all with a valid, encrypted identifier.

The Fix

  • Implement server-side authorization checks on every request, regardless of how resource IDs are encoded.
  • Never rely on obscurity (encrypted IDs) as a substitute for proper access control.
  • Use role-based access control (RBAC) with per-request validation.
  • Log and alert on cross-role resource access attempts.