Module 5: Attacking Access Controls
What are characteristics of access control?
Allow a request to go through Most critical defence but also the most vulnerable Unauthoried actions and accessing protected data
What are two classes of access control models?
Based on capabilities Based on access control lists (ACLs)
An application may use the HTTP Referer header to control access without any overt indication of this in its normal behavior. How can you test for this weakness?
Choose a range of important application functions that you are authorized to access. Walk through each function submitting a modified or absent Referer header. If the application rejects your requests, it may well be vulnerable. Try making the same requests in a user context where these are unauthorized, but restore the original Referer header each time. If the requests are now accepted, then the application is certainly vulnerable.
What are ACL vulnerabilities?
Direct access to URL or methods (NoAuth) Direct access to resources/files Via - Assumed sequence of access for multi-stage functions - Incorrect web/app server configurations - Basing access on request parameters, the Referrer header or location Identifier-Based Functions - resource identifiers can be created to access that bypass authorizations Multistage Functions - if resource tracking implemented across several requests maybe vulnerable Static files - maybe directly accessed Platform Misconfiguration - WebDav etc Insecure Access Control Methods - Parameter-Based Access Control - Referer-Based Access Control - Location-Based Access Control (geolocation)
How to secure access control?
Don't use account ID or document ID Don't trust user submitted parameters Don't assume user access page sequence Don't trust user to not tamper with data Multi-layered privilege model
What is the based on capabilities access control?
Holding an unforgeable reference or capability to an object provides access to the object
A web application on the Internet enforces access controls by examining users' source IP addresses. Why is this behavior potentially flawed?
It is possible to spoof another user's IP address, although in practice this may be extremely difficult. More significantly, different end users on the Internet may share the same IP address if they are behind the same web proxy or NAT-ting firewall. One way in which IP-based access controls can be effective in this situation is as a defense-in-depth measure to ensure that users attempting to access administrative functions are located on the organization's internal network. Those functions should also, of course, be protected by robust authentication and session handling mechanisms.
What is the based on ACL?
Subject's access to an object depends on whether its identity appears on a list associated with the object; access is conveyed by editing the list.
When browsing an application, you encounter several sensitive resources that need to be protected from unauthorized access and that have the .xls file extension. Why should these immediately catch your attention?
The files are Excel spreadsheets. These are static resources which cannot enforce any access controls over themselves, in the way that dynamic scripts can. It is possible that the application is using other methods, such as at the web server layer, to protect access to the resources, but this is not typically the case. You should quickly check whether the resources can be accessed without authentication.
An application's sole purpose is to provide a searchable repository of information for use by members of the public. There are no authentication or session-handling mechanisms. What access controls should be implemented within the application?
There is no horizontal or vertical segregation of access within the application, so there is no need for any access controls that discriminate between different individual users. Even though all users are in the same category, the application still needs to restrict the actions that any user can perform. A robust solution will use the principle of least privilege to ensure that all user roles within the application's architecture have the minimum permissions necessary for the application to function. For example, because users only need read access to data, the application should access the database using a low privileged account with read-only permissions to only the relevant tables.
What are some access control attack types?
Vertical privilege escalation - Accessing other parts of the web app you're not supposed to (e.g., admin functions) Horizontal privilege escalation - Accessing the same functions but as someone else - Can lead to vertical Business logic exploitation - Context-dependent - Exploit/bypass current state of the web app
You log in to an application and are redirected to the following URL: https://wahh-app.com/MyAccount.php?uid=1241126841 The application appears to be passing a user identifier to the MyAccount.php page. The only identifier you are aware of is your own. How can you test whether the application is using this parameter to enforce access controls in an unsafe way?
You should attempt the following tests, in order of effectiveness: (a) Modify the uid value to a different value with the same syntactic form. If your own account details are still returned, then the application is probably not vulnerable. (b) If you are able to register or otherwise access a different user account, log in using that account to obtain the other user's uid value. Using your original user context, substitute this new uid in place of your own. If sensitive data about the other user is displayed, then the application is vulnerable. (c) Use a script to iterate up and down for a few thousand values from your uid, and determine whether any other users' details are returned. (d) Use a script to request random uid values between 0 and 9999999999 (in the present example) and determine whether any other users' details are returned.