🔒 Vulnerability Remediation (Cybersecurity Patch) 🛠️ by Avoiding Broken Access Control 🚫



This content originally appeared on DEV Community and was authored by Hassam Fathe Muhammad

This was my second attempt at finding areas I needed to practice in, specifically related to cybersecurity skills, particularly Vulnerability Remediation.

Before I get into how I strengthened the access control, I want to first explain the method I used to exploit a vulnerability in one of my own web apps.

My Experiment (Ethical Practice)

I acted exactly as a hacker would to try and gain access to certain services of my web app.

Important: before I go further and share my experiment, please never apply such knowledge to someone else’s projects, web apps, or services without proper consent. Only do this for learning and exploring vulnerabilities in your own environment.

How I Exploited My Own App

  1. Targeting Admin Routes: I went to the admin routes (pages) of the targeted web app and opened the Network tab in Chrome DevTools. From there I examined the requests (pages, scripts, and other files) and was able to understand the JavaScript logic used to call APIs like updateData and savePortfolioData.

  2. Identifying Admin-Level APIs: you can usually guess admin-level API functions by inspecting the client side, for example from the function names visible in the loaded scripts (updateData and savePortfolioData above).

  3. Payload Analysis: I captured the payloads the client sent to these APIs to see what data was coming in. After slightly modifying this data, I tested it in Postman.

  4. Executing the Exploit: by changing the payload structure, I was able to get a 200 OK response after updating the data. ✅ Result: I had gained access to admin-level functions (the admin panel) on my own app.

A Surprising Finding: CORS Didn’t Interfere

I was a little surprised that CORS didn’t block me at all. After researching, I found that CORS is enforced by browsers, whereas tools like Postman or local requests bypass browser restrictions, making such API calls less likely to be blocked for attackers.

The Root Cause

If you haven’t implemented middlewares like:

  • Token verification (checkToken)

  • Role verification (checkRoles)

…then any route those checks should guard can be called by any regular user, customer, or even an anonymous visitor who discovers its URL, with whatever payload they choose.

The Fix (My Cybersecurity Patch)

In my remediation process, I ensured that:

  • All role-specific routes require both token validation and role validation.

  • Only authorized roles can access admin functions.

By doing this, the checks are enforced on the server for every request, so normal (non-admin) users can no longer use those API routes, whatever the front-end shows or hides.

Key Takeaway

Broken Access Control is one of the most critical vulnerabilities in web apps (it is A01 in the OWASP Top 10 2021). Even if your front-end hides admin options, your APIs must be secured with proper authentication and authorization on the server; otherwise it’s just a matter of time before someone finds and abuses them.

Final Thoughts

This was a valuable learning experience for me β€” not only did I strengthen my app’s security, but I also sharpened my vulnerability remediation skills by patching a flaw I had personally exploited in a safe environment.

🛡 My Tip for Developers:

Always secure your APIs as if your front-end doesn’t exist. If your backend can’t verify who is making a request and whether that identity is allowed to perform the action, it shouldn’t execute sensitive actions.

