Access Control Vulnerabilities

Access Control (or authorization) is the application of constraints on who (or what) can perform attempted actions or access resources that they have requested. In the context of web applications, access control is dependent on authentication and session management:
Authentication identifies the user and confirms that they are who they say they are.
Session management identifies which subsequent HTTP requests are being made by that same user.
Access control determines whether the user is allowed to carry out the action that they are attempting to perform.
Broken access controls are a commonly encountered and often critical security vulnerability. Design and management of access controls is a complex and dynamic problem that applies business, organizational, and legal constraints to a technical implementation. Access control design decisions have to be made by humans, not technology, and the potential for errors is high.
Vertical Privilege Escalation
Example: a non-administrative user gains access to an admin page where they can delete accounts.
An attacker might be able to access administrative functions simply by requesting the URL directly:
https://insecure-website.com/admin
The admin URL might be more obscure, but it can still be leaked by JavaScript that constructs the user interface (the original snippet omitted the 'href' attribute name in setAttribute; it is restored here):
<script>
var isAdmin = false;
if (isAdmin) {
    ...
    var adminPanelTag = document.createElement('a');
    adminPanelTag.setAttribute('href', 'https://insecure-website.com/administrator-panel-yb556');
    adminPanelTag.innerText = 'Admin panel';
    ...
}
</script>
Parameter-based Access Control Methods
Storing access information in a user-controlled location (hidden field, cookie, query string, etc.):
https://insecure-website.com/login/home.jsp?admin=true
https://insecure-website.com/login/home.jsp?role=1
Platform Misconfiguration
Restricting access at the platform layer by specific URLs and HTTP methods, for example:
DENY: POST, /admin/deleteUser, managers
Some front ends honor non-standard headers that override the URL being routed, so a user may be able to bypass the rule by supplying one (the typo in the original header value is corrected here):
POST / HTTP/1.1
X-Original-URL: /admin/deleteUser
Horizontal Privilege Escalation
Modify the “id” parameter to access a different account:
https://insecure-website.com/myaccount?id=123
This attack can be used to go from horizontal to vertical privilege escalation by taking over a privileged account.
How to Prevent Access Control Vulnerabilities
Do not rely on obfuscation alone
Deny access by default
Use a single application-wide mechanism for enforcing access controls
Make it mandatory for developers to declare access for each resource
Audit and test access controls to ensure they are working
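The following is an added example (not code from the original post or from any particular framework) showing what those rules look like as a single, central authorization function: roles and identity come from a server-side session store rather than from parameters like admin=true or role=1, every protected resource is declared in one policy table, anything undeclared is denied by default, and the horizontal check on the id parameter is made in the same place. The session store, the policy table and the routes are constructed sample data.

```python
import re

# Constructed sample session store: role and identity come from here (server
# side), never from cookies, hidden fields or query parameters the user controls.
SESSIONS = {
    "sess-alice": {"user_id": 123, "role": "user"},
    "sess-bob":   {"user_id": 456, "role": "admin"},
}

# Single application-wide policy table. Each entry: HTTP method, path pattern,
# roles allowed, and whether the "id" query parameter must match the caller.
# A resource that is not declared here is denied by default.
POLICY = [
    ("GET",  re.compile(r"^/myaccount$"),        {"user", "admin"}, True),
    ("GET",  re.compile(r"^/admin$"),            {"admin"},         False),
    ("POST", re.compile(r"^/admin/deleteUser$"), {"admin"},         False),
]


def authorize(session_id, method, path, query=None):
    """Decide one request. Returns (allowed, reason). Deny by default.

    Only the real request target is consulted: query flags such as admin=true
    or role=1 and URL-override headers such as X-Original-URL are not inputs
    to this function, so they cannot change the outcome.
    """
    query = query or {}
    session = SESSIONS.get(session_id)
    if session is None:
        return False, "no valid session"
    for m, pattern, roles, owner_only in POLICY:
        if m != method or not pattern.match(path):
            continue
        if session["role"] not in roles:
            return False, "role not permitted"                     # vertical check
        if owner_only and session["role"] != "admin":
            if query.get("id") != str(session["user_id"]):
                return False, "resource belongs to another user"  # horizontal check
        return True, "allowed by policy"
    return False, "no policy declared for resource (default deny)"


if __name__ == "__main__":
    print(authorize("sess-alice", "GET", "/myaccount", {"id": "123"}))  # allowed
    print(authorize("sess-alice", "GET", "/myaccount", {"id": "456"}))  # denied
    print(authorize("sess-alice", "GET", "/admin", {"admin": "true"}))  # denied
    print(authorize("sess-bob", "POST", "/admin/deleteUser"))           # allowed
    print(authorize("sess-bob", "GET", "/reports"))                     # denied: undeclared
```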
Written by
Khoa Nguyen
I am a beginner learning about technology, especially the field of information security. I rewrite these articles mainly to practice my English and to read more. Thank you all for your interest and for reading. If you have any feedback, please get in touch with me!