We will first take a look at what OWASP has to say on the threat agents and attack vectors.
“Exploitation of access control is a core skill of attackers. SAST and DAST tools can detect the absence of access control but cannot verify if it is functional when it is present. Access control is detectable using manual means, or possibly through automation for the absence of access controls in certain frameworks.”
So we can see from this that the vulnerability takes a lot of time and research to accurately test it but identifying potential can be done with tools. Tools can’t do everything for you and could also lead you to test numerous false positives.
Let’s look at the impacts of this vulnerability to see how detrimental it can be.
“The technical impact is attackers acting as users or administrators, or users using privileged functions, or creating, accessing, updating or deleting every record. The business impact depends on the protection needs of the application and data.”
If we take a look at what OWASP has to say in regards to what makes the application vulnerable, it gives us a list of things to check that could indicate that the application is vulnerable.
Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification or destruction of all data, or performing a business function outside of the limits of the user. Common access control vulnerabilities include:
- Bypassing access control checks by modifying the URL, internal application state, or the HTML page, or simply using a custom API attack tool.
- Allowing the primary key to be changed to another’s users record, permitting viewing or editing someone else’s account.
- Elevation of privilege. Acting as a user without being logged in, or acting as an admin when logged in as a user.
- Metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) access control token or a cookie or hidden field manipulated to elevate privileges, or abusing JWT invalidation
- CORS misconfiguration allows unauthorized API access.
- Force browsing to authenticated pages as an unauthenticated user or to privileged pages as a standard user. Accessing API with missing access controls for POST, PUT and DELETE.
Types of access controls:
- Authentication: identifies the user and confirms that they are who they say they are.
- Session Management: identifies which subsequent HTTP requests are being made by that same user.
- Access control: determines whether the user is allowed to carry out the action that they are attempting to perform.
- Vertical access controls: mechanisms that restrict access to sensitive functionality that is not available to other types of users.
- Horizontal access controls: mechanisms that restrict access to resources to the users who are specifically allowed to access those resources.
- Content-dependent access controls: restrict access to functionality and resources based upon the state of the application or the user’s interaction with it.
Understanding the access control you are trying to deal with will have a different method of approaching them.