I Found an Unauthenticated Broken Access Control Vulnerability in the Department of Defense
While hunting on the Department of Defense bug bounty program, I came across a simple but impactful vulnerability: a broken access control bug that allowed anyone to view files they didn’t own, without even being logged in. Here’s how it went.
What is Broken Access Control?
Broken access control is a vulnerability where you’re able to perform an action even though you lack the privileges to do so. Think of it like a school janitor who has no business reading the principal’s private files, but because the doors don’t have proper locks, nothing is actually stopping them.
Finding a Target
I’ve always wanted to hunt on NASA, but I decided to start with the US Department of Defense instead. Fair warning, this is a late write-up, and I don’t actively hunt much anymore, but I figured this one was worth documenting.
Reconnaissance
Reconnaissance isn’t just about subdomain enumeration or directory brute-forcing. A big part of it is studying application functionality and identifying constraints the application should enforce but might not. One of my favorite things to test is whether I can access an object that belongs to another user, something I clearly shouldn’t own.
While exploring a Department of Defense subdomain, I came across an attachment endpoint on the user’s home page:
/BugReport/Admin/Attachment/{id}
The {id} parameter determines which file is being viewed. The immediate question was: what happens if I swap that ID for one that doesn’t belong to me?
GET /BugReport/Admin/Attachment/1568600
It returned a file I had no business seeing. I reported it to the Department of Defense immediately, and earned a badge for it.
But here’s what made it even more impactful: when I stripped the Cookie header from the request entirely, the file was still accessible. This elevated it from a standard broken access control bug to an unauthenticated broken access control vulnerability: no login required whatsoever.
Mitigations
- Enforce access control server-side. Never rely on client-side checks alone; they’re trivially bypassed.
- Verify ownership before serving resources. Before returning any file or object, confirm that the requesting user actually owns or has permission to access it.
- Use unpredictable identifiers. Sequential numeric IDs like 1568600 make enumeration trivial. Random UUIDs make it significantly harder for an attacker to guess valid resource identifiers.
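To make the mitigations concrete, here is an added example (my own illustration, not code from the report or from the affected application) of an attachment handler in the shape of /BugReport/Admin/Attachment/{id}: the broken version alongside a hardened one that authenticates the session, checks ownership, and issues UUID identifiers. The in-memory data store, session table and function names are all constructed for the example.

```python
import uuid

# Constructed sample data: attachment id -> owner and file bytes.
ATTACHMENTS = {
    1568600: {"owner": "alice", "content": b"alice's bug report screenshot"},
    1568601: {"owner": "bob", "content": b"bob's crash log"},
}
# Constructed server-side session table: Cookie value -> authenticated user.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def serve_attachment_vulnerable(cookie, attachment_id):
    """Broken: the file is looked up by id alone. The Cookie header is never
    consulted, so any id returns its file, even when no session is sent."""
    record = ATTACHMENTS.get(attachment_id)
    if record is None:
        return 404, None
    return 200, record["content"]


def serve_attachment_secure(cookie, attachment_id):
    """Hardened: authenticate first, then authorize against the object's
    owner, before any file content leaves the server."""
    user = SESSIONS.get(cookie)  # server-side lookup, never trust the client
    if user is None:
        return 401, None  # missing or invalid session: refuse before touching data
    record = ATTACHMENTS.get(attachment_id)
    # Same 404 for "does not exist" and "not yours", so the response does not
    # confirm which ids are valid to someone probing the id space.
    if record is None or record["owner"] != user:
        return 404, None
    return 200, record["content"]


def register_attachment(owner, content):
    """Store a new attachment under a random UUIDv4 instead of the next
    integer, so one valid id reveals nothing about its neighbours."""
    attachment_id = str(uuid.uuid4())
    ATTACHMENTS[attachment_id] = {"owner": owner, "content": content}
    return attachment_id


if __name__ == "__main__":
    # Reproduces the two findings from the write-up against the broken handler.
    print(serve_attachment_vulnerable("sess-bob", 1568600))  # bob reads alice's file
    print(serve_attachment_vulnerable(None, 1568600))        # no cookie, still served
    print(serve_attachment_secure(None, 1568600))            # hardened: 401
    print(serve_attachment_secure("sess-bob", 1568600))      # hardened: 404
```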
You can read the full disclosed report on HackerOne: Report #3259610
Hope you learned something, happy hunting!