The document discusses broken access control vulnerabilities. It defines broken access control as a user being able to perform actions or access content they are not authorized for. It covers insecure direct object references (IDOR) and missing function level access control, the two OWASP Top 10 2013 categories that were merged into the Broken Access Control category in the OWASP Top 10 2017. It also outlines the potential impact of broken access control and recommendations for remediation, such as validating object references on the server side and checking authorization for every referenced object.
Akansha Kesharwani, a Senior Security Consultant at Payatu Software Labs, specializing in web and mobile app pentesting.
Introduction to access control issues, including Insecure Direct Object References, Missing Function Level Access Control, and their impacts.
Access control grants different users access to different content; broken access control occurs when a user can perform actions or reach content they are not authorized for.
Explains direct object references leading to unauthorized data access via URL parameters.
Describes where object references can be tampered with: HTTP GET/POST parameters and HTTP headers such as cookies, Accept-Language and User-Agent, all used to reach data belonging to other users.
Explains the impact of missing function level access checks, which let users without the proper role reach privileged functionality.
Shows examples of security risks by changing URL parameters to access admin functionalities without proper authorization.
Discusses the consequences of broken access control that can lead from trivial information access to full system takeover.
Recommendations include not exposing internal object references, validating access permissions, and logging access control failures.
Links to OWASP resources detailing Broken Access Control and related issues for further exploration.
• Akansha Kesharwani
• Sr. Security Consultant @ Payatu Software Labs LLP
• Works on Web Application Pentesting and Mobile Application Pentesting
• Member @ Null Pune chapter
• Access Control, aka Authorization, is how an application grants access to content and functions to some users and not others.
• If a user (the attacker) is able to perform an action, or access the content and functions of some other user, that they should not have been authorized for, we call it Broken Access Control.
• In the OWASP Top 10 2017, Insecure Direct Object Reference (A4 in the 2013 list) and Missing Function Level Access Control (A7 in the 2013 list) were merged into a new category, Broken Access Control (A5).
Courtesy: https://www.owasp.org/index.php/Broken_Access_Control
• A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
• Occurs when the developer uses an HTTP parameter to refer to an internal object.
• Ex: https://demo.com?id=1
• Can give access to other users' accounts.
• Ex: https://example.com/profile=123
Courtesy: https://www.owasp.org/index.php/Top_10_2013-Top_10
• HTTP GET parameters
• Tampering with the reference in the URL
• Ex: https://example.com?profile=123
• Changing the profile parameter to "456"
• https://example.com?profile=456
• It will give access to the profile referred to by "456", which belongs to another user.
• HTTP POST parameters
• The same reference carried in the body of the POST request.
• HTTP Headers
• Cookies
• Languages (Accept-Language)
• User-Agent
Courtesy: https://www.owasp.org/index.php/Top_10_2013-Top_10
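The tampering step on this slide (profile=123 changed to profile=456) and its fix, as an added example that is not part of the original slides: a lookup that trusts the URL parameter, the same lookup with the referenced object authorized against the session user, and a per-session indirect reference map so the database key is never exposed to the client at all. The PROFILES table, the user and session names, and the response codes are constructed for this demo.

```python
# Added example (not from the slides): an insecure direct object reference on the
# "profile" parameter, the same lookup with the referenced object authorized
# against the session user, and an indirect reference map that never exposes the
# database key. The PROFILES table, user names and session ids are constructed
# for this demo, not taken from any real application.

import secrets

PROFILES = {
    123: {"owner": "alice", "email": "alice@example.com"},
    456: {"owner": "bob", "email": "bob@example.com"},
}


def vulnerable_get_profile(session_user, profile_id):
    """Returns (status, profile). Looks up whatever id the URL names; no ownership check."""
    profile = PROFILES.get(profile_id)
    if profile is None:
        return 404, None
    return 200, profile


def secure_get_profile(session_user, profile_id):
    """Same lookup, but the referenced object is authorized against the session user.

    "Missing" and "not yours" both return 404 so the response cannot be used to
    enumerate which ids exist.
    """
    profile = PROFILES.get(profile_id)
    if profile is None or profile["owner"] != session_user:
        return 404, None
    return 200, profile


class IndirectReferences:
    """Per-session map from random, unguessable tokens to internal keys.

    The client only ever sees the token, so there is no database key to tamper
    with; a token minted for one session resolves to nothing in another.
    """

    def __init__(self):
        self._maps = {}  # session_id -> {token: internal_id}

    def expose(self, session_id, internal_id):
        """Mint a token for an object this session is allowed to see."""
        token = secrets.token_urlsafe(16)
        self._maps.setdefault(session_id, {})[token] = internal_id
        return token

    def resolve(self, session_id, token):
        """Map a token back to the internal id, or None if it was not issued to this session."""
        return self._maps.get(session_id, {}).get(token)


def tamper_profile_param(handler, session_user, ids):
    """Replays the slide's tampering step (profile=123 -> 456) as one logged-in user."""
    return {pid: handler(session_user, pid)[0] for pid in ids}


if __name__ == "__main__":
    # Constructed scenario: alice is logged in and requests her own id and bob's.
    print("vulnerable:", tamper_profile_param(vulnerable_get_profile, "alice", [123, 456]))
    print("secure:    ", tamper_profile_param(secure_get_profile, "alice", [123, 456]))
    refs = IndirectReferences()
    token = refs.expose("sess-alice", 123)
    print("alice resolves her token:", refs.resolve("sess-alice", token))
    print("bob replays it:          ", refs.resolve("sess-bob", token))
```

The vulnerable handler answers 200 for both ids because nothing ties the requested object to the session; the hardened handler checks ownership of every referenced object on the server side and returns the same 404 for "missing" and "not yours". The indirect map goes one step further and removes the tamperable parameter entirely, which is what the remediation slide means by not exposing internal object references.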
• It occurs when the web application fails to verify function level access rights before making the functionality accessible to the user, so a user without proper authorization is able to reach functionality they have no right to access.
• Occurs when the authorization check is missing from a particular function.
• Ex: Admin functionality missing an authorization check in a web application.
• https://www.example.com/admin.jsp
• https://www.example.com/phpinfo
• If user roles are not enforced, a least-privileged user may be able to access the functionality of the highest-privileged user.
• HTTP GET and POST parameters
• Tampering with the reference in the URL
• Ex: https://example.com?admin=false
• Changing the admin parameter to "true"
• https://example.com?admin=true
• It will give access to functionality available to the admin user.
• The same parameter carried in the body of the POST request.
• HTTP Headers
• Cookies
• Forced Browsing
• Requesting admin functionality directly while authenticated as a normal user.
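A function level check that closes both holes on this slide, as an added example that is not part of the original slides: access is denied by default, each function is granted to explicit roles, the role comes from the server-side session so an admin=true parameter is simply never read, and a workflow-bound function additionally checks the state it operates on. The paths, roles, session store, order table and status codes are constructed for this demo.

```python
# Added example (not from the slides): function level access control that denies
# by default and grants each function to explicit roles. The role is read from the
# server-side session, never from a request parameter such as admin=true, so
# forced browsing to /admin.jsp and parameter tampering both fail the same way.
# FUNCTION_GRANTS, SESSIONS, ORDERS and the status codes are constructed for this
# demo, not taken from any real application.

from dataclasses import dataclass

# Explicit grants: a path not listed here is inaccessible to everyone, including admins.
FUNCTION_GRANTS = {
    "/profile": {"user", "admin"},
    "/admin.jsp": {"admin"},
    "/orders/approve": {"admin"},
}

# Server-side session store; the client only holds the opaque session id.
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "user"},
    "sess-root": {"user": "root", "role": "admin"},
}

# Workflow state for the approve function: only a submitted order may be approved.
ORDERS = {"A1": "submitted", "A2": "draft"}


@dataclass
class Request:
    path: str
    session_id: str
    params: dict


def authorize(req):
    """Returns the HTTP status the access control layer produces for this request.

    req.params is deliberately never consulted: the role is a property of the
    authenticated session, so "admin=true" in the query string changes nothing.
    """
    session = SESSIONS.get(req.session_id)
    if session is None:
        return 401  # not authenticated at all
    allowed_roles = FUNCTION_GRANTS.get(req.path, set())  # deny by default
    if session["role"] not in allowed_roles:
        return 403  # forced browsing or missing grant
    return 200


def approve_order(req):
    """Workflow-bound function: needs the admin grant AND the right order state."""
    status = authorize(req)
    if status != 200:
        return status
    order_id = req.params.get("order")
    if ORDERS.get(order_id) != "submitted":
        return 409  # wrong workflow state, even for an authorized admin
    ORDERS[order_id] = "approved"
    return 200


if __name__ == "__main__":
    # Constructed scenario: a normal user tries forced browsing and admin=true.
    print(authorize(Request("/admin.jsp", "sess-alice", {})))                  # 403
    print(authorize(Request("/admin.jsp", "sess-alice", {"admin": "true"})))   # 403
    print(authorize(Request("/admin.jsp", "sess-root", {})))                   # 200
    print(authorize(Request("/phpinfo", "sess-root", {})))                     # 403, unlisted
    print(approve_order(Request("/orders/approve", "sess-root", {"order": "A2"})))  # 409
```

The important property is the empty-set default in FUNCTION_GRANTS.get: a page that was never thought about (the phpinfo example from the previous slide) is denied rather than silently reachable, which is the opposite of what a missing check produces.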
• The potential impact of Broken Access Control depends greatly on what kind of information or features the attacker can gain access to.
• This can be anything from seemingly useless information to a full system takeover.
• Avoid exposing references to internal objects to the user.
• Validate internal object references on the server side.
• Verify authorization for every referenced object.
• The enforcement mechanism(s) should deny all access by default, requiring explicit grants to specific roles for access to every function.
• If the function is part of a workflow, check that the workflow is in the proper state before allowing access.
• Disable web server directory listing and ensure file metadata (e.g. .git) and backup files are not present within web roots.
• Log access control failures and alert admins when appropriate (e.g. on repeated failures).
• Rate limit API and controller access to minimize the harm from automated attack tooling.
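The last two recommendations (log access control failures, alert on repeated ones, and rate limit controllers) as an added example that is not part of the original slides: a small monitor that wraps the authorization decision, logs every denial with the principal and path, raises an alert once a principal crosses a failure threshold, and returns 429 once a principal exceeds a request budget within a sliding window. The thresholds, the session ids, the probed paths and the event sequence are constructed for this demo.

```python
# Added example (not from the slides): logging access control failures, alerting
# on repeated failures from one principal, and rate limiting a controller. The
# thresholds, session ids, paths and the PROBE sequence are constructed for this
# demo, not taken from any real application.

import logging
from collections import defaultdict, deque

logger = logging.getLogger("access_control")

FAILURE_ALERT_THRESHOLD = 3  # denials from one principal before an alert (assumed)
RATE_LIMIT = 5               # requests per principal per window (assumed)
RATE_WINDOW = 60.0           # sliding window in seconds (assumed)


class AccessMonitor:
    def __init__(self):
        self.failures = defaultdict(int)     # principal -> denied requests
        self.requests = defaultdict(deque)   # principal -> timestamps in window
        self.alerts = []                     # principals that crossed the threshold

    def rate_limited(self, principal, now):
        """Sliding-window counter: True once RATE_LIMIT requests fall inside RATE_WINDOW."""
        window = self.requests[principal]
        while window and now - window[0] >= RATE_WINDOW:
            window.popleft()
        if len(window) >= RATE_LIMIT:
            return True
        window.append(now)
        return False

    def handle(self, principal, path, status, now):
        """Apply the rate limit first, then log and count authorization denials.

        `status` is the decision the authorization layer already made (200/403);
        in a real application this method wraps the controller call.
        """
        if self.rate_limited(principal, now):
            logger.warning("rate limit hit principal=%s path=%s", principal, path)
            return 429
        if status == 403:
            self.failures[principal] += 1
            logger.warning("access denied principal=%s path=%s count=%d",
                           principal, path, self.failures[principal])
            if self.failures[principal] == FAILURE_ALERT_THRESHOLD:
                self.alerts.append(principal)  # alert exactly once per principal
        return status


def replay(events):
    """events: list of (principal, path, status, timestamp). Returns (statuses, alerts)."""
    monitor = AccessMonitor()
    statuses = [monitor.handle(*event) for event in events]
    return statuses, monitor.alerts


# Constructed sequence: one session forced-browses admin paths in quick succession
# while a normal user makes a single legitimate request.
PROBE = [
    ("sess-eve", "/admin.jsp", 403, 0.0),
    ("sess-eve", "/phpinfo", 403, 1.0),
    ("sess-eve", "/admin/users", 403, 2.0),     # third denial -> alert
    ("sess-eve", "/admin/config", 403, 3.0),
    ("sess-eve", "/admin/logs", 403, 4.0),
    ("sess-eve", "/admin/backup", 403, 5.0),    # sixth request in 60 s -> 429
    ("sess-alice", "/profile", 200, 5.0),
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")
    statuses, alerts = replay(PROBE)
    print("statuses:", statuses)
    print("alerts:", alerts)
```

Two details matter in practice: the alert fires on the crossing of the threshold rather than on every later denial, so a noisy scanner does not flood the on-call channel, and the rate limiter is keyed on the authenticated principal rather than the IP address, which is the identity the access control failures are already logged against.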