> ## Documentation Index
> Fetch the complete documentation index at: https://rootea.es/llms.txt
> Use this file to discover all available pages before exploring further.

# Access Control / IDOR

> Recursos cross-platform para Access Control / IDOR: máquinas HTB, labs PortSwigger y rooms TryHackMe curados, con writeups validados y skills relacionadas.

# Access Control / IDOR

Esta página agrega los **recursos para practicar Access Control / IDOR** de forma cross-platform: máquinas retiradas de Hack The Box, labs de PortSwigger Web Security Academy y rooms de TryHackMe, más recursos curados (HackTricks, PortSwigger, etc.) y skills relacionadas.

## Recursos curados

| Fuente      | Enlace                                                                                                     |
| ----------- | ---------------------------------------------------------------------------------------------------------- |
| PortSwigger | [https://portswigger.net/web-security/access-control](https://portswigger.net/web-security/access-control) |

## Máquinas HTB que practican Access Control / IDOR (1)

| Máquina                                  | SO    | Dificultad                                           |
| ---------------------------------------- | ----- | ---------------------------------------------------- |
| [Cache](/htb/machines/linux/medio/cache) | Linux | <span className="dbadge dbadge-medium">MEDIUM</span> |

## Labs PortSwigger que practican Access Control / IDOR (14)

| Lab                                                                                                                                                                                           | Dificultad                                                 | Topic                          | Oficial                                                                                                                                                |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
| [Bypassing access controls using email address parsing discrepancies](/portswigger/labs/logic-flaws/examples-logic-flaws-bypassing-access-controls-using-email-address-parsing-discrepancies) | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Business Logic Vulnerabilities | [Abrir](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-bypassing-access-controls-using-email-address-parsing-discrepancies) |
| [Insecure direct object references](/portswigger/labs/access-control/insecure-direct-object-references)                                                                                       | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Access Control Vulnerabilities | [Abrir](https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references)                                                     |
| [Unprotected admin functionality](/portswigger/labs/access-control/unprotected-admin-functionality)                                                                                           | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Access Control Vulnerabilities | [Abrir](https://portswigger.net/web-security/access-control/lab-unprotected-admin-functionality)                                                       |
| [Unprotected admin functionality with unpredictable URL](/portswigger/labs/access-control/unprotected-admin-functionality-with-unpredictable-url)                                             | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Access Control Vulnerabilities | [Abrir](https://portswigger.net/web-security/access-control/lab-unprotected-admin-functionality-with-unpredictable-url)                                |
| [User ID controlled by request parameter](/portswigger/labs/access-control/user-id-controlled-by-request-parameter)                                                                           | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Access Control Vulnerabilities | [Abrir](https://portswigger.net/web-security/access-control/lab-user-id-controlled-by-request-parameter)                                               |
| [User ID controlled by request parameter with data leakage in redirect](/portswigger/labs/access-control/user-id-controlled-by-request-parameter-with-data-leakage-in-redirect)               | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Access Control Vulnerabilities | [Abrir](https://portswigger.net/web-security/access-control/lab-user-id-controlled-by-request-parameter-with-data-leakage-in-redirect)                 |
| [User ID controlled by request parameter with password disclosure](/portswigger/labs/access-control/user-id-controlled-by-request-parameter-with-password-disclosure)                         | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Access Control Vulnerabilities | [Abrir](https://portswigger.net/web-security/access-control/lab-user-id-controlled-by-request-parameter-with-password-disclosure)                      |
| [User ID controlled by request parameter, with unpredictable user IDs](/portswigger/labs/access-control/user-id-controlled-by-request-parameter-with-unpredictable-user-ids)                  | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Access Control Vulnerabilities | [Abrir](https://portswigger.net/web-security/access-control/lab-user-id-controlled-by-request-parameter-with-unpredictable-user-ids)                   |
| [User role can be modified in user profile](/portswigger/labs/access-control/user-role-can-be-modified-in-user-profile)                                                                       | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Access Control Vulnerabilities | [Abrir](https://portswigger.net/web-security/access-control/lab-user-role-can-be-modified-in-user-profile)                                             |
| [User role controlled by request parameter](/portswigger/labs/access-control/user-role-controlled-by-request-parameter)                                                                       | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Access Control Vulnerabilities | [Abrir](https://portswigger.net/web-security/access-control/lab-user-role-controlled-by-request-parameter)                                             |
| [Method-based access control can be circumvented](/portswigger/labs/access-control/method-based-access-control-can-be-circumvented)                                                           | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Access Control Vulnerabilities | [Abrir](https://portswigger.net/web-security/access-control/lab-method-based-access-control-can-be-circumvented)                                       |
| [Multi-step process with no access control on one step](/portswigger/labs/access-control/multi-step-process-with-no-access-control-on-one-step)                                               | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Access Control Vulnerabilities | [Abrir](https://portswigger.net/web-security/access-control/lab-multi-step-process-with-no-access-control-on-one-step)                                 |
| [Referer-based access control](/portswigger/labs/access-control/referer-based-access-control)                                                                                                 | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Access Control Vulnerabilities | [Abrir](https://portswigger.net/web-security/access-control/lab-referer-based-access-control)                                                          |
| [URL-based access control can be circumvented](/portswigger/labs/access-control/url-based-access-control-can-be-circumvented)                                                                 | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Access Control Vulnerabilities | [Abrir](https://portswigger.net/web-security/access-control/lab-url-based-access-control-can-be-circumvented)                                          |

## Rooms TryHackMe que practican Access Control / IDOR (9)

| Room                                                                | Dificultad                                         | Tipo        | Acceso  | Oficial                                                      |
| ------------------------------------------------------------------- | -------------------------------------------------- | ----------- | ------- | ------------------------------------------------------------ |
| [Advent of Cyber 2022](/tryhackme/rooms/adventofcyber4)             | <span className="dbadge dbadge-easy">EASY</span>   | Walkthrough | 🟢 Free | [Abrir](https://tryhackme.com/room/adventofcyber4)           |
| [Advent of Cyber 3 (2021)](/tryhackme/rooms/adventofcyber3)         | <span className="dbadge dbadge-easy">EASY</span>   | Walkthrough | 🟢 Free | [Abrir](https://tryhackme.com/room/adventofcyber3)           |
| [Broken Access Control](/tryhackme/rooms/owaspbrokenaccesscontrol)  | <span className="dbadge dbadge-easy">EASY</span>   | Walkthrough | 🟢 Free | [Abrir](https://tryhackme.com/room/owaspbrokenaccesscontrol) |
| [Corridor](/tryhackme/rooms/corridor)                               | <span className="dbadge dbadge-easy">EASY</span>   | Challenge   | 🟢 Free | [Abrir](https://tryhackme.com/room/corridor)                 |
| [IDOR](/tryhackme/rooms/idor)                                       | <span className="dbadge dbadge-easy">EASY</span>   | Walkthrough | 🔵 VIP  | [Abrir](https://tryhackme.com/room/idor)                     |
| [Introduction to CryptOps](/tryhackme/rooms/introductiontocryptops) | <span className="dbadge dbadge-easy">EASY</span>   | Walkthrough | 🟢 Free | [Abrir](https://tryhackme.com/room/introductiontocryptops)   |
| [XDR: Introduction](/tryhackme/rooms/xdrintroduction)               | <span className="dbadge dbadge-easy">MEDIUM</span> | Walkthrough | 🟢 Free | [Abrir](https://tryhackme.com/room/xdrintroduction)          |
| [envizon](/tryhackme/rooms/envizon)                                 | <span className="dbadge dbadge-easy">HARD</span>   | Challenge   | 🟢 Free | [Abrir](https://tryhackme.com/room/envizon)                  |
| [Hacking Hadoop](/tryhackme/rooms/hackinghadoop)                    | <span className="dbadge dbadge-easy">HARD</span>   | Walkthrough | 🟢 Free | [Abrir](https://tryhackme.com/room/hackinghadoop)            |

***

← [Volver al glosario completo](/glosario)

<script type="application/ld+json">
  {`{"@context":"https://schema.org","@type":"DefinedTerm","name":"Access Control / IDOR","termCode":"access-control","inLanguage":"es","url":"https://rootea.es/skills/access-control","inDefinedTermSet":{"@type":"DefinedTermSet","name":"Glosario táctico de pentesting","url":"https://rootea.es/glosario"}}`}
</script>

<script type="application/ld+json">
  {`{"@context":"https://schema.org","@type":"ItemList","name":"Máquinas HTB que practican Access Control / IDOR","numberOfItems":1,"itemListElement":[{"@type":"ListItem","position":1,"url":"https://rootea.es/htb/machines/linux/medio/cache","name":"Cache"}]}`}
</script>

*Última actualización: 2026-06-07*
