AccessFuzz is a lightweight internal tool designed to help security teams identify Broken Access Control issues like Horizontal and Vertical Privilege Escalation in web APIs.
- ✅ Role-based request replay for API endpoints
- ✅ Supports GET, POST, PUT, DELETE methods
- ✅ Detects unauthorized access based on status codes
- ✅ JSON report output
- ✅ Minimal, extensible codebase
| Type | Example |
|---|---|
| 🔼 Vertical Privilege Escalation | A user accessing an /admin endpoint |
| Horizontal Privilege Escalation | A user accessing another user's data |
- Python 3.7+
- `requests` library

Install dependencies:

```bash
pip install -r requirements.txt
```

Configure the input in their respective files:
`endpoints.json`:

```json
[
  {
    "method": "GET",
    "url": "http://localhost:5000/api/admin/dashboard"
  },
  {
    "method": "GET",
    "url": "http://localhost:5000/api/user/profile/1"
  },
  {
    "method": "GET",
    "url": "http://localhost:5000/api/user/profile/2"
  }
]
```

`tokens.json`:
```json
{
  "admin": {
    "Authorization": "Bearer ADMIN_TOKEN"
  },
  "user": {
    "Authorization": "Bearer USER_TOKEN"
  },
  "guest": {
    "Authorization": "Bearer GUEST_TOKEN"
  }
}
```

```bash
python3 accessfuzz.py --endpoints endpoints.json --tokens tokens.json --output accessfuzz_report.json
```

- Console output shows status codes for each role
- JSON report saved to `accessfuzz_report.json`
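The role-based replay and status-code check the feature list describes, as an added example that is not AccessFuzz's own code: it takes the `endpoints.json` and `tokens.json` shapes shown above, replays each endpoint once per role through an injectable transport, and flags 2xx responses for roles that should not have access. The `allowed_roles` annotation, the constructed offline fake API, and the vertical/horizontal classification by URL path are this example's assumptions, not part of the tool's format.

```python
import json

# Constructed inputs mirroring the README's endpoints.json and tokens.json.
# "allowed_roles" is this example's own annotation, not part of AccessFuzz's format.
ENDPOINTS = [
    {"method": "GET", "url": "http://localhost:5000/api/admin/dashboard", "allowed_roles": ["admin"]},
    {"method": "GET", "url": "http://localhost:5000/api/user/profile/1", "allowed_roles": ["admin", "user"]},
    {"method": "GET", "url": "http://localhost:5000/api/user/profile/2", "allowed_roles": ["admin"]},
]
TOKENS = {
    "admin": {"Authorization": "Bearer ADMIN_TOKEN"},
    "user": {"Authorization": "Bearer USER_TOKEN"},  # assumed to belong to user id 1
    "guest": {"Authorization": "Bearer GUEST_TOKEN"},
}

def fake_send(method, url, headers):
    """Constructed offline stand-in for the target API: it only checks for a non-guest
    bearer token, so the user token reaches /admin/dashboard and another user's profile."""
    token = headers.get("Authorization", "")
    if token == "Bearer GUEST_TOKEN" or not token.startswith("Bearer "):
        return 401
    if url.endswith("/api/admin/dashboard") or "/api/user/profile/" in url:
        return 200  # no role or ownership check beyond authentication
    return 404

def replay(endpoints, tokens, send):
    """Replay every endpoint once per role and record the status code per role."""
    results = []
    for ep in endpoints:
        statuses = {role: send(ep["method"], ep["url"], hdrs) for role, hdrs in tokens.items()}
        results.append({"method": ep["method"], "url": ep["url"], "statuses": statuses,
                        "allowed_roles": ep.get("allowed_roles", [])})
    return results

def findings(results):
    """A 2xx for a role outside allowed_roles is a likely access-control break (URL-based type is a heuristic)."""
    out = []
    for r in results:
        for role, status in r["statuses"].items():
            if 200 <= status < 300 and role not in r["allowed_roles"]:
                kind = "vertical" if "/admin/" in r["url"] else "horizontal"
                out.append({"url": r["url"], "role": role, "status": status, "type": kind})
    return out

def run(endpoints=ENDPOINTS, tokens=TOKENS, send=fake_send):
    results = replay(endpoints, tokens, send)
    return {"results": results, "findings": findings(results)}

if __name__ == "__main__":
    print(json.dumps(run(), indent=2))  # JSON-shaped report: status matrix plus findings
```

Swapping `fake_send` for a function that issues real `requests` calls and returns `response.status_code` turns the same loop into a live check against a lab target.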