# Orphaned Privileges: A Critical Access Control Issue in Web Applications


There are times when a user’s privileges must be revoked:

1. The user no longer needs the permissions.

2. The user has changed job roles.

3. The user is no longer trusted due to misconduct.

However, many web applications fail to enforce privilege revocation end to end: the role is updated in the user store, but a role copied into an existing session or token at login keeps being trusted. The result is an orphaned privilege, where a user retains access despite the permission change having been recorded.

How to Find Orphaned Privileges

1. Grant Elevated Privileges (as an admin):

  • Assign a test user additional permissions or a higher role through the application’s own admin UI or API.
  • Example Linux command, as a stand-in for the role assignment (the `admin` group must already exist):
    sudo usermod -aG admin testuser 
    

2. Perform Privileged API Calls:

  • Use the test account to access restricted endpoints.
  • Example `curl` command to test API access:
    curl -X GET -H "Authorization: Bearer <token>" https://api.example.com/admin/data 
    

3. Revoke Privileges (as an admin):

  • Remove the test user’s elevated permissions, again through the application’s admin UI or API, and keep the test user’s existing session or token open.
  • Example Linux command to revoke group access (Debian/Ubuntu; `sudo gpasswd -d testuser admin` is the distribution-neutral form):
    sudo deluser testuser admin 
    

4. Re-Attempt Privileged API Calls:

  • Using the same token or session obtained in step 2, without logging in again, check whether the user can still access the restricted endpoints. A 200 here is an orphaned privilege; the expected result is 403 (or 401 if the session was terminated).
  • Example command to verify enforcement (same `<token>` as in step 2):
    curl -X GET -H "Authorization: Bearer <token>" https://api.example.com/admin/data 
    

5. Verify Session Handling:

  • Some systems only enforce changes after a new login.
  • Force a session logout and retest with the old token. Example for a JWT-based system: put the token on a deny list. This only works if the API consults the list on every request, and the TTL must be at least the token’s remaining lifetime, otherwise the entry expires before the token does:
    # Example: revoke a session token in a JWT-based system
    redis-cli SET "blacklist:<token>" "revoked" EX 3600 

You Should Know:

  • Session Persistence: Many systems cache permissions in the session or token, so a change in the user store only takes effect after a logout/login cycle. Example of forcing session termination on Linux (kills every process owned by the user):
    # Force session termination (Linux)
    sudo pkill -u testuser 

  • Database-Level Checks: Ensure backend APIs validate permissions on every request against the current record, not against a role copied into the session at login.
    -- Example SQL to verify the user's current role 
    SELECT role FROM users WHERE user_id = 'testuser'; 

  • Logging & Monitoring: Track privilege changes and access attempts, so that a revocation that is not enforced shows up as a successful privileged call after the change.
    # Audit logs in Linux
    sudo grep "user=testuser" /var/log/auth.log 

  • Automated Testing: Use scripts to detect orphaned privileges.
    import requests 

    # Reuse the token issued while the account was privileged; do not log in again. 
    headers = {"Authorization": "Bearer <token>"} 
    response = requests.get("https://api.example.com/admin/data", headers=headers) 
    print(response.status_code)  # Expect 403 (or 401 if the session was terminated) after revocation 
    if response.status_code == 200: 
        print("Orphaned privilege: revoked token still reaches the admin endpoint") 
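The full grant, call, revoke, call cycle from the five steps above, together with the automated check from the last bullet, as one added example (this is not code from the original post). It models a toy HS256-style token issuer and two versions of the `/admin/data` handler: one that copies the role into the token at login and trusts it afterwards (the orphaned-privilege anti-pattern), and one that re-reads the role from the user store and consults a revocation list on every request. `SECRET`, the in-memory `USERS` store, the `jti`-based `REVOKED` set and the handler names are assumptions made for this example; nothing here touches the network.

```python
"""Orphaned-privilege check against a toy authorization model (added example).

SnapshotAuthz: role is copied into the token at login and trusted afterwards.
LiveAuthz:     role is looked up in the user store on every request and the
               token is checked against a revocation list.
"""
import base64
import hashlib
import hmac
import json
import secrets

SECRET = b"demo-signing-key"             # assumption: HMAC key of the toy API
USERS = {"testuser": {"role": "user"}}   # constructed in-memory user store
REVOKED = set()                           # jti values of force-logged-out tokens


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def issue_token(user: str) -> str:
    """Mint an HS256-style token that embeds the user's role *at login time*."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user, "role": USERS[user]["role"], "jti": secrets.token_hex(8)}
    payload = _b64(json.dumps(claims).encode())
    sig = _b64(hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"


def parse_token(token: str):
    """Verify the signature and return the claims, or None if the token is invalid."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None
    padding = "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload + padding))


def admin_data_snapshot(token: str) -> int:
    """Vulnerable handler: trusts the role claim baked into the token."""
    claims = parse_token(token)
    if claims is None:
        return 401
    return 200 if claims["role"] == "admin" else 403


def admin_data_live(token: str) -> int:
    """Hardened handler: re-reads the role from the store and honours revocation."""
    claims = parse_token(token)
    if claims is None or claims["jti"] in REVOKED:
        return 401
    current_role = USERS.get(claims["sub"], {}).get("role")
    return 200 if current_role == "admin" else 403


def grant_admin(user: str) -> None:
    USERS[user]["role"] = "admin"


def revoke_admin(user: str) -> None:
    USERS[user]["role"] = "user"


def run_revocation_test(handler, revoke_session: bool = False):
    """Steps 1-5 of the post against `handler`; returns (status_before, status_after)."""
    grant_admin("testuser")                      # step 1
    token = issue_token("testuser")              # session established while privileged
    before = handler(token)                      # step 2
    revoke_admin("testuser")                     # step 3
    if revoke_session:
        REVOKED.add(parse_token(token)["jti"])   # step 5: force logout
    after = handler(token)                       # step 4: same token, no re-login
    return before, after


if __name__ == "__main__":
    for name, handler in [("snapshot", admin_data_snapshot), ("live", admin_data_live)]:
        before, after = run_revocation_test(handler)
        verdict = "ORPHANED PRIVILEGE" if after == 200 else "ok"
        print(f"{name:9s} before={before} after={after} -> {verdict}")
```

Against a real target, `run_revocation_test` is the shape of the harness: the only lines that change are the grant/revoke calls (the application’s admin API) and the handler (an HTTP request with the pre-revocation token). The snapshot handler is exactly the failure the post describes, and note that it is not fixed by the deny list alone: a token that is not on the list still carries the stale `admin` claim, so the per-request role lookup is what closes the gap.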
          

What Undercode Say

Orphaned privileges are a dangerous oversight in access control. Always:
– Test revocation workflows thoroughly.
– Enforce server-side validation for every request.
– Monitor session states and permission changes.
– Automate security checks to catch misconfigurations.

Expected Output:

A secure system where revoked permissions are immediately enforced, leaving no room for orphaned access.


References:

Reported By: Aaandrei 𝐘𝐞𝐭 – Hackers Feeds
