Question

Application logic errors and access control issues are some of the easiest bugs for beginners to find. Hunting for these vulnerabilities doesn’t involve tampering with code or crafting malicious inputs; instead, it requires creative thinking and a willingness to experiment.

应用逻辑错误和访问控制问题是初学者最容易发现的漏洞之一。寻找这些漏洞并不涉及篡改代码或制作恶意输入；相反，它需要创造性思维和愿意尝试的精神。

Step 1: Learn About Your Target

Start by learning about your target application. Browse the application as a regular user to uncover functionalities and interesting features. You can also read the application’s engineering blogs and documentation. The more you understand about the architecture, development process, and business needs of that application, the better you will be at spotting these vulnerabilities.

开始学习您的目标应用程序。像普通用户一样浏览应用程序，以发现功能和有趣的特点。您还可以阅读应用程序的工程博客和文档。您对该应用程序的架构、开发流程和业务需求的了解越多，就越能发现这些漏洞。

For example, if you find out that the application just added a new payment option for its online store, you can test that payment option first since new features are often the least tested by other hackers. And if you find out that the application uses WordPress, you should try to access /wp-admin/admin.php , the default path for WordPress admin portals.

例如，如果你发现这个应用程序刚刚为其在线商店添加了一种新的支付选项，你可以先测试这个支付选项，因为新功能往往是其他黑客测试最少的。而如果你发现这个应用程序使用 WordPress，你应该尝试访问/wp-admin/admin.php，这是 WordPress 管理门户的默认路径。

Step 2: Intercept Requests While Browsing

Intercept requests while browsing the site and pay attention to sensitive functionalities. Keep track of every request sent during these actions. Take note of how sensitive functionalities and access control are implemented, and how they interact with client requests. For the new payment option you found, what are the requests needed to complete the payment? Do any request parameters indicate the payment type or how much will be charged? When accessing the admin portal at /wp-admin/admin.php , are any special HTTP headers or parameters sent?

在浏览网站时拦截请求并注意敏感功能。 跟踪在这些操作期间发送的每个请求。 注意敏感功能和访问控制是如何实现以及如何与客户端请求交互的。 对于您找到的新付款选项，完成付款所需的请求是什么？ 任何请求参数是否指示付款类型或将收取多少费用？ 访问 /wp-admin/admin.php 的管理员门户时，是否发送任何特殊的 HTTP 标头或参数？

Step 3: Think Outside the Box

Finally, use your creativity to think of ways to bypass access control or otherwise interfere with application logic. Play with the requests that you have intercepted and craft requests that should not be granted. If you modify the amount to be charged in a request parameter, will the application still process the transaction while charging you a lower amount? Can you switch the payment type to a gift card even though you don’t have one? Can you access the admin page by adding a special cookie, such as admin=1 ?

最后，利用你的创造力想出绕过访问控制或干扰应用逻辑的方法。玩弄你拦截到的请求，并创建本不该被授权的请求。例如，如果你修改请求中的金额参数，应用程序仍会处理该交易并向你收取更少的费用吗？即使没有礼品卡，你能否将支付类型切换为礼品卡？你能否通过添加特殊的 cookie（例如 admin=1）访问管理员页面？