Broken Access Control
Access control, sometimes called authorisation, determines whether a user is allowed to carry out an action or access unauthorised content. The consequences of a flawed access control scheme can be devastating. In addition to viewing unauthorised content, an attacker might be able to change or delete content, perform unauthorised functions, or even take over site administration.
Access control can be divided into several categories, similar to privilege escalation:
- Vertical access control is focused on accessing resources or functions depending on the individual's level or position within the hierarchy in the application. For instance, the administrator will have access to all resources but a normal user only to a small set.
- Horizontal access control is more oriented to accessing information of users that are at the same level of the hierarchy but have different roles. For example, a user with the role of a salesman might not have access or functionalities permissions that a user with the role accountant.
- Context-dependent access control, resources or information is granted or denied based on the state of the application or the user's interaction with it. To illustrate, a shopping website might prevent users from modifying the contents or quantities of their shopping cart after the payment has been made.
For every specific role that exists on the application and for every function and request that the application executes during the post-authentication phase, it is necessary to check the following:
- Is it possible to access a certain resource even if the user is not authenticated?
- Is it possible to access a certain resource after logging out?
- Is it possible to access functions and resources that should be accessible to a user that holds a different role or privilege?
Then, try to access the application as an administrative user and track all the administrative functions.
- Is it possible to access administrative functions as a non-admin user?
- Is it possible to use these administrative functions as a user with a different role, and for whom should that action be denied?
In order to facilitate the checks you must perform, there is a BurpSuite extension named Authorize, where you can set the session cookies or headers of a user with a different role in order to check if you can access certain functions or resources as that user or non logged.
While executing certain functions or accessing certain endpoints, the application might send some special parameters like
?img=000001. Hence, try to brute force those values trying to get a different response or even access to those assets.
This type of vulnerability can also be known as Insecure Direct Object References (IDOR) when an application provides direct access to objects based on user-supplied input.
The web application might also check the headers on the request in order to grant access to certain resources or functions.
If the checks the methods in order to grant access to certain assets, try to perform a dictionary attack with every existing HTTP methods.
GETmethod requests a representation of a specific resource. Requests using the
GETmethod should only retrieve data.
HEADmethod requests a response identical to that of a GET request but without the response body.
POSTmethod is used to send an entity to a specific resource, often causing a change in state or side effects on the server.
PUTmode replaces all current representations of the destination resource with the payload of the request.
DELETEmethod deletes a specific resource.
CONNECTmethod establishes a tunnel to the server identified by the resource.
OPTIONSmethod is used to describe the communication options for the destination resource.
TRACEmethod performs a message loopback test along the path to the destination resource.
PATCHmethod is used to apply partial modifications to a resource.
You can perform this task with Nmap, despite only working for HTTP sites, with the following command.
nmap -p <PORT> --script http-methods --script-args http-methods.url-path='</index.php>' <HOST>
Another alternative is the use of special HTTP headers like the following.