Exploiting Weak Access Controls

Access control decides “what a user is allowed to perform”. It is broken when a user acts outside the intended permissions and performs actions reserved for an admin (vertical) or for another account at the same level (horizontal), typically by manipulating parameters in the request.

What Happens?

· Leads to unauthorized access and information disclosure.

· Modification or destruction of data.

· Allows attackers to reach application pages they should not see.

· Elevation of privileges.

From a web application’s perspective, access control is achieved by maintaining sessions and authenticating users.

· Authorization: a particular user, such as a normal user, can access only those resources for which they have been granted permission.

Sometimes access to critical, non-public resources is not implemented correctly, so attackers can perform actions by exploiting those weak access controls and gain access to sensitive information.

Privilege escalation can be horizontal or vertical.

Horizontal privilege escalation: the application has two users at the same level (both customers of a website), such as “A” and “B”, and “A” accesses the resources of “B”.


Vertical privilege escalation: the application has two users with different rights, such as an admin and a staff member. If the staff member accesses the admin’s functionality, that is vertical privilege escalation.

Example: while testing an application, accessing the “administrator-panel” required login credentials, but while crawling the application we found a folder named administrator-panel; on requesting that page directly we got access to the admin panel.


So here, a user can escalate their privileges to the admin account just by finding the admin panel URL. This admin panel has no restrictions, so anyone can use the admin functionality.

· Authentication: checking who you are, i.e. verifying a user’s identity.

Example: if you claim to be the admin, you should have the admin’s password.

Exploitation: we want to escalate privileges by upgrading a normal user’s access, which is an admin function. To do this we first need to see what happens when the admin upgrades a user, i.e. what the request looks like and which security features are in use.

So I logged in from the admin account and checked what the requests for upgrading and downgrading a user look like.

[Screenshot: intercepted request for upgrading a user]

Now I will send this request to Repeater and log in with the normal user account.

The normal user doesn’t have the functionality to upgrade or downgrade users.

We will try to replay the upgrade-user request with the normal user’s cookie.


The cookie is the only mechanism by which the website differentiates admin access from normal-user access.

I copied the session cookie of the normal user, “session=xriDvYvh49RbjpjuZ63JvDFjXdT3GQD6”, and replaced the session value from the admin account with it.

[Screenshot: updated admin request carrying the normal user’s session cookie]

I pasted it into the request that was used to upgrade the user.

After sending the request we can see that the user has been upgraded from the normal user account.

Remediation

· Verify the user’s identity and permissions on the server for every action they perform, not only at login.

· Assign a CSRF token and verify the Referer header as an initial check.
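The following is an added example, not code from the original post, showing the server-side checks that close the holes described above: the admin panel reachable by URL alone, the upgrade-user action that accepts any valid session cookie (the walkthrough above), the horizontal case of user “A” reading “B”’s account, and the remediation list (CSRF token plus Referer check). The session ids, usernames, CSRF tokens and site origin are constructed placeholders, and the `Request` class is a stand-in for whatever framework object a real application uses.

```python
# Added example (not from the original post): server-side authorization decided from
# the session the server holds, never from what the client sends. Session ids,
# usernames, CSRF tokens and SITE_ORIGIN are constructed placeholders.
from dataclasses import dataclass, field

# Constructed session store: session cookie value -> (username, role, csrf token).
SESSIONS = {
    "ADMIN-SESSION-PLACEHOLDER": ("administrator", "admin", "csrf-admin-placeholder"),
    "USER-SESSION-PLACEHOLDER": ("wiener", "user", "csrf-wiener-placeholder"),
}

SITE_ORIGIN = "https://example.test"  # constructed origin used for the Referer check


@dataclass
class Request:
    """Minimal stand-in for a framework request object."""
    path: str
    cookies: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def fresh_users():
    """Constructed user table (username -> role), returned fresh for each scenario."""
    return {"administrator": "admin", "wiener": "user", "carlos": "user"}


def current_user(request):
    """Resolve the session cookie to (username, role, csrf) or None when not logged in."""
    return SESSIONS.get(request.cookies.get("session"))


# --- Vulnerable behaviour, as found in the post ----------------------------------

def admin_panel_vulnerable(request):
    """No check at all: anyone who crawls the path gets the panel (vertical escalation)."""
    return 200, "admin panel"


def upgrade_user_vulnerable(request, users):
    """Only checks that *some* valid session exists, so the normal user's cookie passes."""
    if current_user(request) is None:
        return 401, "login required"
    users[request.params["username"]] = "admin"
    return 200, "upgraded"


# --- Hardened behaviour ------------------------------------------------------------

def require_role(request, role):
    """Shared check: 401 when unauthenticated, 403 when the session's role is insufficient."""
    user = current_user(request)
    if user is None:
        return 401, "login required"
    if user[1] != role:
        return 403, "forbidden"
    return None


def admin_panel_hardened(request):
    """The role comes from the server-side session, so a guessed URL is not enough."""
    denied = require_role(request, "admin")
    return denied or (200, "admin panel")


def upgrade_user_hardened(request, users):
    """Role check on every state-changing action, plus the post's CSRF and Referer checks."""
    denied = require_role(request, "admin")
    if denied:
        return denied
    _, _, csrf = current_user(request)
    if request.params.get("csrf") != csrf:          # per-session token must be echoed back
        return 403, "bad csrf token"
    if not request.headers.get("Referer", "").startswith(SITE_ORIGIN + "/"):
        return 403, "bad referer"                    # cross-site replay is refused
    users[request.params["username"]] = "admin"
    return 200, "upgraded"


def account_page_hardened(request):
    """Horizontal check: a user may only view their own account unless they are admin."""
    user = current_user(request)
    if user is None:
        return 401, "login required"
    name, role, _ = user
    requested = request.params.get("id", name)
    if requested != name and role != "admin":
        return 403, "forbidden"
    return 200, f"account of {requested}"


if __name__ == "__main__":
    # Replay of the admin's upgrade request with the normal user's cookie, as in the post.
    replay = Request("/admin/upgrade", {"session": "USER-SESSION-PLACEHOLDER"},
                     {"username": "carlos"})
    print("vulnerable:", upgrade_user_vulnerable(replay, fresh_users()))  # (200, 'upgraded')
    print("hardened:  ", upgrade_user_hardened(replay, fresh_users()))    # (403, 'forbidden')
```

The point of the hardened handlers is that the decision is made from the server’s own session record: the cookie only identifies the session, and the role, the CSRF token and the ownership of the requested account are looked up on the server rather than trusted from the request. Replaying the admin’s request with another user’s cookie therefore changes nothing about what that cookie is allowed to do.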

Written by

Security enthusiast working to secure web for others https://twitter.com/BoredSecEngg
