Exploiting Weak Access Controls
Access Control: “what a user is allowed to perform”. Access control is broken when a user acts outside their intended permissions and performs actions that only an admin may perform (vertical) or that belong to another account of the same level (horizontal), typically by manipulating some of the parameters in the request.
What Happens?
· Leads to unauthorized access and information disclosure.
· Modification or destruction of data.
· Allows attackers to access application pages they should not be able to reach.
· Elevation of privileges.
From a web application's perspective, access control is achieved by maintaining sessions and performing authentication.
· Authorization: A particular user, such as a normal user, can access only those resources for which they have been granted permission.
Sometimes access to critical, non-public resources is not restricted correctly, so attackers can perform privileged actions and read sensitive information by exploiting those weak access controls.
Privilege can be escalated horizontally or vertically.
Horizontal Privilege Escalation: When an application has two users of the same level (for example, both are customers of a website), such as “A” and “B”, and “A” accesses the resources of “B”.
Vertical Privilege Escalation: When an application has two users with different rights, such as an admin and a staff member. If the staff member can use the admin's functionality, that is vertical privilege escalation.
Example: While testing an application, accessing the “administrator-panel” required login credentials, but while crawling the application we found a folder named administrator-panel, and requesting that page directly gave us access to the admin panel.
So here a user can escalate their privileges to the admin account just by finding the admin panel URL. The admin panel itself enforces no restrictions, so anyone can use the admin functionality.
· Authentication: Checking who you are, i.e. verifying a user's identity.
Example: If you claim you are the admin, you should have the admin's password.
Exploitation: We want to obtain the admin's privilege of upgrading a user's access. To do this, we first need to check what happens when the admin upgrades a user, i.e. what the request looks like and which security features the application is using.
So I logged in from the admin account and checked what the requests for upgrading and downgrading a user look like.
Intercepted request for upgrading a user:
Now I send this request to Repeater and log in with the normal user account.
The normal user does not have the functionality to upgrade or downgrade users.
We will try to replay the upgrade-user request with the cookie of the normal user,
because the cookie is the only mechanism by which the website distinguishes the access rights of the admin from those of normal users.
I copied the session cookie of the normal user, “session=xriDvYvh49RbjpjuZ63JvDFjXdT3GQD6”, and replaced the session value from the admin account with it.
Updated admin request:
I pasted it into the request that was used to upgrade the user.
After sending the request, we can see that the user has been upgraded from the normal user account.
Remediation
· Verify the authenticity of the user on every type of action they perform.
· Assign a CSRF token and verify the Referer header as an initial check.
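As an added example (not code from the original write-up or from the application it tested), the constructed Python toy below shows the server side of the three things described above: the admin panel that was reachable just by requesting its URL, the “upgrade user” request that succeeded when replayed with a normal user's cookie, and the remediation (a role check on every action plus a session-bound CSRF token and a Referer check). The app, the users, the admin session id, the site origin and the token layout are all assumptions for illustration; the only value taken from the write-up is the normal user's session cookie.

```python
# Constructed toy web app (no framework): weak vs hardened access control.
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://example.test"  # assumed origin of the application


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


def make_state():
    """Fresh server state: users, session cookie -> username, per-session CSRF tokens."""
    state = {
        "users": {"alice": {"role": "admin"}, "bob": {"role": "user"}},
        "sessions": {
            "ADMIN_SESSION_PLACEHOLDER": "alice",       # constructed admin session id
            "xriDvYvh49RbjpjuZ63JvDFjXdT3GQD6": "bob",  # normal user's cookie from the write-up
        },
        "csrf": {},
    }
    for sid in state["sessions"]:  # one anti-CSRF token per session, embedded in the admin form
        state["csrf"][sid] = secrets.token_urlsafe(32)
    return state


def current_user(state, request):
    """Authentication only: resolve the session cookie to a username (None if no session)."""
    return state["sessions"].get(request.cookies.get("session"))


def _apply_upgrade(state, request):
    """The privileged action itself; every handler below ends up here if its checks pass."""
    target, new_role = request.form.get("username"), request.form.get("role")
    if target not in state["users"] or new_role not in ("user", "admin"):
        return Response(400, "bad request")
    state["users"][target]["role"] = new_role
    return Response(200, f"{target} is now {new_role}")

# --- Weak handlers: the behaviour the write-up exploited -----------------------------

def weak_admin_panel(state, request):
    """Served to anyone who requests the URL (the crawled 'administrator-panel' case)."""
    return Response(200, "admin panel")

def weak_upgrade_user(state, request):
    """Checks that *some* valid session exists, never whose it is or what role it has."""
    if current_user(state, request) is None:
        return Response(401, "login required")
    return _apply_upgrade(state, request)

# --- Hardened handlers: role check and CSRF check on every action --------------------

def authorize(state, request, role):
    """Return an error Response unless the caller is authenticated *and* holds `role`."""
    actor = current_user(state, request)
    if actor is None:
        return Response(401, "login required")
    if state["users"][actor]["role"] != role:
        return Response(403, "forbidden")  # authenticated, but not allowed this action
    return None

def check_csrf(state, request):
    """Form token must match the token bound to this session; Referer must be our origin."""
    expected = state["csrf"].get(request.cookies.get("session"), "")
    supplied = request.form.get("csrf_token", "")
    if not hmac.compare_digest(expected.encode(), supplied.encode()):  # constant-time compare
        return Response(403, "bad csrf token")
    referer = request.headers.get("Referer", "")
    if referer != SITE_ORIGIN and not referer.startswith(SITE_ORIGIN + "/"):
        return Response(403, "bad referer")
    return None

def hardened_admin_panel(state, request):
    return authorize(state, request, "admin") or Response(200, "admin panel")

def hardened_upgrade_user(state, request):
    return (authorize(state, request, "admin")
            or check_csrf(state, request)
            or _apply_upgrade(state, request))


if __name__ == "__main__":
    replay = Request("/upgrade-user",  # the admin's request replayed with the normal user's cookie
                     cookies={"session": "xriDvYvh49RbjpjuZ63JvDFjXdT3GQD6"},
                     form={"username": "bob", "role": "admin"})
    print("weak:    ", weak_upgrade_user(make_state(), replay))      # status 200, bob promoted
    print("hardened:", hardened_upgrade_user(make_state(), replay))  # status 403
```

Running the block replays the same upgrade request against both handlers: the weak one returns 200 and promotes the normal user, the hardened one returns 403 because the role check runs before the action does. The Referer comparison is kept as the coarse initial check the remediation suggests; some clients strip that header, so the session-bound token is the check that actually carries the decision.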