Authorization is the process of enforcing policies: determining which types or qualities of activities, resources, or services a user is permitted to use.
Authorization Vulnerabilities:
1. Forceful Browsing
2. Privilege Escalation
Forceful browsing is the act of gaining access to restricted areas of a web server's directory tree without authentication.
In this attack, an attacker browses to various parts of a website by entering URLs directly. A large number of freely available automated tools and crawlers are used for forceful browsing in order to carry out malicious tasks.
Forceful browsing can prove devastating to any website. It leads to information leakage that may damage the goodwill of a website.
Eg: http://www.example.com/system/
2. Privilege escalation:
Horizontal privilege escalation is exploiting an authorization vulnerability to gain the privileges of a peer user with equal or lesser privileges within the application.
Vertical privilege escalation is the ability to upgrade or gain access to a higher account status or permission level.
Methods used to exploit privilege escalation vulnerabilities:
- Parameter Modification
- Exploiting Other Security Flaws
- Insecure Admin Functions
Parameter Modification
Applications often use session cookies or hidden parameters to store access control role information.
If these parameters and their values are predictable, they can easily be tampered with to gain higher privileges.
Eg: The application uses an ‘admin’ cookie attribute to determine whether a user is an admin or not.
Cookie: JSESSIONID=0000d8eyYq3L0z2fgq10m4v-rt4:-1; admin=1;
Exploiting Other Security Flaws
Other application vulnerabilities, such as SQL Injection, may allow access to data that is intended only for higher-privileged users, or may allow an attacker to change their own privileges to a higher level.
Insecure Admin Functions
Administration functions are sometimes not authenticated or authorized properly.
For instance: the application accepts an administrative POST request (eg: to the page http://www.example.com/admin/utils/updatedetails.asp) from a normal user.
Authorization Vulnerabilities Prevention Measures:
Set appropriate user roles and privileges for each application resource (web pages, database tables, etc.).
Check the user's privileges appropriately for each request before serving it.
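The following is an added example, not code from the original post, written in Python to show the parameter-modification weakness above (trusting a client-supplied admin=1 cookie), the insecure admin function case (an administrative path served without a server-side role check), and the two prevention measures (roles per resource, a privilege check on every request), together with an owner check for the horizontal escalation case described earlier. The session store, user names, role names and all paths other than the post's own /admin/ and /system/ examples are constructed for illustration.

```python
# Added example (not from the original post). Contrasts the weak pattern the post
# describes (an 'admin' cookie decides access) with a hardened check that takes
# the role only from a server-side session and evaluates a per-resource policy on
# every request. Session ids, users, roles and the policy table are constructed.

from dataclasses import dataclass, field

# Constructed server-side session store: session id -> authenticated user record.
# The client only presents the opaque JSESSIONID; it never supplies its role.
# The first key is the JSESSIONID value from the post's sample cookie header,
# mapped here to a constructed ordinary user.
SESSIONS = {
    "0000d8eyYq3L0z2fgq10m4v-rt4:-1": {"user": "alice", "role": "user"},
    "constructed-admin-session-id":  {"user": "opsadmin", "role": "admin"},
}

# Per-resource policy: URL prefix -> roles allowed to reach it (prevention measure 1).
# Paths other than /admin/ and /system/ are hypothetical.
POLICY = {
    "/admin/":   {"admin"},
    "/system/":  {"admin"},
    "/account/": {"user", "admin"},
    "/public/":  {"anonymous", "user", "admin"},
}


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)


def parse_cookie_header(header):
    """Parse a 'Cookie:' header value such as 'a=b; c=d;' into a dict."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue  # tolerate the trailing ';' and malformed segments
        name, value = part.split("=", 1)
        cookies[name.strip()] = value.strip()
    return cookies


def weak_authorize(req):
    """Parameter-modification weakness: a client-controlled cookie grants admin.
    Anyone who appends 'admin=1' to their cookie header passes this check."""
    if req.path.startswith(("/admin/", "/system/")):
        return req.cookies.get("admin") == "1"
    return True


def hardened_authorize(req):
    """Prevention measure 2: authorize every request from server-side state only.

    - The role is resolved from the session store, never from a cookie field.
    - The path is matched against POLICY; an unmatched path is denied (fail closed),
      which also blocks forceful browsing to forgotten or unlisted directories.
    - Under /account/<name>/ the caller must own the account or be an admin, which
      is the object-level check that stops horizontal privilege escalation.
    """
    session = SESSIONS.get(req.cookies.get("JSESSIONID", ""))
    user = session["user"] if session else None
    role = session["role"] if session else "anonymous"
    for prefix, allowed_roles in POLICY.items():
        if not req.path.startswith(prefix):
            continue
        if role not in allowed_roles:
            return False
        if prefix == "/account/":
            owner = req.path[len(prefix):].split("/", 1)[0]
            return role == "admin" or owner == user
        return True
    return False


def handle(req, authorize):
    """Dispatch a request through the chosen authorizer; 200 if allowed, 403 if not."""
    return 200 if authorize(req) else 403


if __name__ == "__main__":
    # The post's sample cookie header, carrying the forged admin=1 attribute.
    forged = Request("/admin/utils/updatedetails.asp",
                     parse_cookie_header("JSESSIONID=0000d8eyYq3L0z2fgq10m4v-rt4:-1; admin=1;"))
    print("weak:    ", handle(forged, weak_authorize))       # 200: cookie tampering works
    print("hardened:", handle(forged, hardened_authorize))   # 403: alice's session is only 'user'
```

The point of the hardened version is that nothing the client sends beyond the opaque session id influences the decision, and that the check runs inside the dispatch path for every request rather than only on the pages where someone remembered to add it; the default-deny branch at the end is what turns an unlisted directory such as /system/ from a forceful-browsing target into a 403.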