While testing authorization mechanisms during a recent bug bounty engagement on Bugcrowd, I discovered a Broken Access Control vulnerability (specifically IDOR/BOLA). This flaw allowed a normal employee account to access administrator-only company information through a backend API endpoint.
Although this report was marked as a duplicate during triage (a common pain for us hunters!😄), it remains a valuable learning case for understanding real-world Role-Based Access Control (RBAC) failures.
Here is how I found it.
In this testing, I used two accounts:
- Admin Account: To map out all available functionality and sensitive endpoints.
- Employee Account: To test if I can access those admin endpoints.
I began by logging in as an administrator and navigating to the company settings page, where organizational configuration data is displayed.
Behind the scenes, the browser sent the following request:
GET /api/hub/api/companies/{companyId}/
This endpoint returned a JSON response containing sensitive administrative information, including legal signatory identifiers and internal billing-related flags.
Using Burp Suite, I intercepted and saved this request.
Next, I logged out and authenticated as a standard employee. Returning to Burp, I replaced the administrator session token with the employee's session token and replayed the exact same request.
At this point, I expected the server to respond with a 403 Forbidden error.
Instead, the server responded with 200 OK, returning the same administrative data, despite the request being sent from a non-privileged employee account.
This confirmed that the backend API was not enforcing proper role-based authorization.
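To make the failure concrete, here is an added example (my own model, not the target's code) of the endpoint's authorization logic in Python: the vulnerable handler, which only checks that a session exists, next to a hardened one that ties the session's user to the requested company and requires the admin role. Session tokens, user records and company IDs are constructed placeholders.

```python
# Added example: minimal model of the company-settings endpoint's
# authorization decision. Tokens, users and company IDs are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str
    company_id: str
    role: str  # "admin" or "employee"


# Constructed session store: session token -> authenticated user
SESSIONS = {
    "tok-admin-1": User("u1", "c100", "admin"),
    "tok-employee-1": User("u2", "c100", "employee"),
    "tok-employee-other": User("u3", "c200", "employee"),
}

# Constructed admin-only company settings, keyed by companyId from the URL
COMPANY_SETTINGS = {
    "c100": {"legal_signatory_id": "sig-42", "billing_suspended": False},
    "c200": {"legal_signatory_id": "sig-77", "billing_suspended": True},
}


def get_company_vulnerable(token, company_id):
    """Behaviour seen in the report: authenticated? yes -> return the object."""
    user = SESSIONS.get(token)
    if user is None:
        return 401, {"error": "unauthenticated"}
    settings = COMPANY_SETTINGS.get(company_id)
    if settings is None:
        return 404, {"error": "not found"}
    return 200, settings  # no role or ownership check at all


def get_company_fixed(token, company_id):
    """Hardened: object-level check (own company) plus role check (admin)."""
    user = SESSIONS.get(token)
    if user is None:
        return 401, {"error": "unauthenticated"}
    # Decide from the session's user, never from the URL; deny before
    # touching the object so wrong-company and wrong-role look the same.
    if user.company_id != company_id or user.role != "admin":
        return 403, {"error": "forbidden"}
    settings = COMPANY_SETTINGS.get(company_id)
    if settings is None:
        return 404, {"error": "not found"}
    return 200, settings


def replay_as(handler, token, company_id="c100"):
    """Model the Burp replay: identical request, only the token swapped."""
    return handler(token, company_id)[0]
```

Replaying the same request through both handlers reproduces the finding: the vulnerable one answers 200 for the employee token, the fixed one answers 403.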
Business Impact
This vulnerability allows any employee to:
- View internal administrative company configuration
- Identify legal signatories
- Determine billing or suspension status
- Access internal flags not intended for employees