Access control and privilege escalation…
Just an off-the-cuff article here from personal experience. I’ve seen a number of privilege escalation issues with web applications. Nothing strange in that. Except that they have been happening in Microsoft .Net applications. The .Net framework does have some mature security get-out-of-jail-free cards, but it does not cover everything. I’ve seen ID enumeration available on query parameters. This ID enumeration led to pages for a completely different user being displayed. Also, one application had an “admin” query parameter set to “false” for a standard user. Can you guess what was attempted to gain privilege escalation?
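To make the two failure patterns above concrete, here is an added ASP.NET Core example (not code from the original post or from any application it describes): a legacy action that trusts the `id` and `admin` query parameters, next to a hardened action that checks ownership against the authenticated principal and takes admin capability from the role claim. The `Profile` record, `IProfileRepository` and route names are assumptions for illustration.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Stand-in model and repository (hypothetical) so the example is self-contained.
public record Profile(int Id, string OwnerUserId, string DisplayName);

public interface IProfileRepository
{
    Profile? Find(int id);
}

[ApiController]
[Route("profiles")]
public class ProfilesController : ControllerBase
{
    private readonly IProfileRepository _repo;
    public ProfilesController(IProfileRepository repo) => _repo = repo;

    // VULNERABLE (the pattern described in the post): any authenticated user can
    // walk ?id=1,2,3... and read every profile, and ?admin=true switches on the
    // admin view because the flag is read from the request, not from the identity.
    [HttpGet("legacy")]
    [Authorize]
    public IActionResult GetLegacy([FromQuery] int id, [FromQuery] bool admin = false)
    {
        var profile = _repo.Find(id);
        if (profile is null) return NotFound();
        return Ok(new { profile, adminView = admin });
    }

    // HARDENED: look the object up, then verify ownership against the caller's
    // NameIdentifier claim; admin capability comes from the role claim, never from
    // the query string. A non-owner gets the same 404 as a missing id, so the
    // endpoint does not confirm which ids exist.
    [HttpGet("{id:int}")]
    [Authorize]
    public IActionResult Get(int id)
    {
        var profile = _repo.Find(id);
        if (profile is null) return NotFound();

        var callerId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        var isAdmin = User.IsInRole("Admin");
        if (!isAdmin && (callerId is null || profile.OwnerUserId != callerId))
            return NotFound();

        return Ok(new { profile, adminView = isAdmin });
    }
}
```

The same ownership check belongs in the data layer too (a row-level filter or a stored procedure that takes the caller's identity), so a forgotten check in one controller does not expose the data behind it.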
Access control should be enforced in the code as well as on the data that lies behind your application (at the OS/database level).