Broken Access Control

Introduction

Access control, sometimes called authorisation, determines whether a user is allowed to carry out an action or access unauthorised content. The consequences of a flawed access control scheme can be devastating. In addition to viewing unauthorised content, an attacker might be able to change or delete content, perform unauthorised functions, or even take over site administration.

Access control can be divided into several categories, similar to privilege escalation:

• Vertical access control is focused on accessing resources or functions depending on the individual's level or position within the hierarchy in the application. For instance, the administrator will have access to all resources but a normal user only to a small set.

• Horizontal access control is more oriented to accessing information of users that are at the same level of the hierarchy but have different roles. For example, a user with the role of a salesman might not have access or functionalities permissions that a user with the role accountant.

• Context-dependent access control, resources or information is granted or denied based on the state of the application or the user's interaction with it. To illustrate, a shopping website might prevent users from modifying the contents or quantities of their shopping cart after the payment has been made.

Bypassing Authorization Schema

For every specific role that exists on the application and for every function and request that the application executes during the post-authentication phase, it is necessary to check the following:

• Is it possible to access a certain resource even if the user is not authenticated?

• Is it possible to access a certain resource after logging out?

• Is it possible to access functions and resources that should be accessible to a user that holds a different role or privilege?

Then, try to access the application as an administrative user and track all the administrative functions.

• Is it possible to access administrative functions as a non-admin user?

• Is it possible to use these administrative functions as a user with a different role, and for whom should that action be denied?

In order to facilitate the checks you must perform, there is a BurpSuite extension named Authorize, where you can set the session cookies or headers of a user with a different role in order to check if you can access certain functions or resources as that user or non logged.

Parameter manipulation

While executing certain functions or accessing certain endpoints, the application might send some special parameters like ?role=0 , ?userId=12, ?img=000001. Hence, try to brute force those values trying to get a different response or even access to those assets.

This type of vulnerability can also be known as Insecure Direct Object References (IDOR) when an application provides direct access to objects based on user-supplied input.

Header manipulation

The web application might also check the headers on the request in order to grant access to certain resources or functions.

If the checks the methods in order to grant access to certain assets, try to perform a dictionary attack with every existing HTTP methods.

• The GET method requests a representation of a specific resource. Requests using the GET method should only retrieve data.

• The HEAD method requests a response identical to that of a GET request but without the response body.

• The POST method is used to send an entity to a specific resource, often causing a change in state or side effects on the server.

• The PUT mode replaces all current representations of the destination resource with the payload of the request.

• The DELETE method deletes a specific resource.

• The CONNECT method establishes a tunnel to the server identified by the resource.

• The OPTIONS method is used to describe the communication options for the destination resource.

• The TRACE method performs a message loopback test along the path to the destination resource.

• The PATCH method is used to apply partial modifications to a resource.

You can perform this task with Nmap, despite only working for HTTP sites, with the following command.

nmap -p <PORT> --script http-methods --script-args http-methods.url-path='</index.php>' <HOST>

Another alternative is the use of special HTTP headers like the following.

X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
X-Forwarded-IP: 127.0.0.1
X-Forwarded-Server: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Host: 127.0.0.1
X-HTTP-Host-Override: 127.0.0.1
X-Client: 127.0.0.1
X-Host: 127.0.0.1
Referer: https://localhost

You can use, once again, the tool Param Miner to discover headers by right-clicking on the request and then Extensions/Param Miner/Guess params/Guess headers .

Finally, there are tools that perform the combination of both things and also another set of techniques like the Burp Suite plugin 403 bypasser or tools such as byp4xx, bypass-url-parser and dontgo403.

References

• Authorization Testing

• Access control vulnerabilities and privilege escalation