At a very high level: if an application lets a user reach functions (pages, URLs, actions) that they are not authorised to use, the application has this vulnerability.
Some of you might be asking why this happens.
The usual reasons are:
- No server-side authorization check: the server authenticates the user but never checks, on each request, whether that user is allowed to use the requested function.
- No or limited access controls.
- Authorization based solely on data the user supplies (the URL, form fields, cookies, hidden parameters).
Below is a demo of how this works:
1) The login page of the bank application used for this demo.
2) Account types: Admin, Generic, Personal (staff/employee), Customer.
We will log in first with an admin account and then with a customer account, just to see the difference. The admin session shows the administrative functions, including the edit-users page.
Now logging in with a customer account, those functions are not shown.
To an untrained eye this is not a vulnerability, but when it comes to bug hunting, here is what we do:
- Log in with the customer account (John's, say).
- Now here is the trick: change the URL.
- Change the URL to that of the edit-users page seen in the admin session.
- The URL can be found by spidering the site, by noting it during the admin session, and in many other ways.
- The edit-users page is rendered again, this time inside the customer's session.
- Delete users, modify or add them, create a hidden user for later attacks, etc. (EXPLOIT)
How to prevent it:
- "Presentation layer access control" (hiding links and buttons from users who should not see them) is a bad option on its own; you have just seen how it is bypassed. Keep it for usability, but only together with further checks on the server.
- Implicit deny: deny everything by default and explicitly grant the privileged functions only to the roles that need them.
- Checks in the business logic: every request for a privileged function or page must be checked on the server, using the identity and role held in the session, to decide whether it is allowed.
- For example, in the demo above one solution is to require the user to re-enter their credentials before the edit-users page, and then check the authenticated user's role before deciding whether to render it. The role check is the part that matters; re-authentication alone changes nothing if the check is missing.
- Canonical (full) path resolution: resolve the requested URL or path to its canonical form before applying the access check, so that encoded or traversal variants of an admin URL cannot slip past it.
- An access matrix should exist, stating which roles may access which resources; it can differ for files, database objects, servers, etc.
- Follow the principle of least privilege: grant only the privileges that are required.
- An access control policy, and its implementation, must be in place.
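To tie the demo and the mitigation list together, here is an added example that is not code from the original post: a framework-free model of the demo server (admin links merely hidden from customers, so John reaches the edit-users page by typing its URL) next to a hardened dispatcher that applies the checks listed above (server-side authorization from the session role, implicit deny, an access matrix, and canonical path resolution before the check). The user names, roles and URL paths are assumptions for illustration, not identifiers from the demo application.

```python
"""Added example, not code from the original post.

A framework-free model of the two servers discussed above: the vulnerable one
from the demo (admin links merely hidden from customers) and a hardened one that
applies the listed mitigations (server-side check, implicit deny, access matrix,
canonical path resolution).  User names, roles and URLs are assumptions for
illustration, not identifiers from the demo application.
"""
from dataclasses import dataclass
import posixpath

# Constructed sample accounts (hypothetical).  The role is set by the server at
# login and stored in the session; it is never taken from the request.
USERS = {
    "alice": "admin",
    "john": "customer",
}

# Pages the application serves, keyed by canonical URL path.
ROUTES = {
    "/account/summary": "account summary",
    "/admin/editUsers": "edit users page",
    "/admin/deleteUser": "delete user page",
}

# Access matrix: which roles may reach which path.  Any path that is not listed
# is denied to everyone (implicit deny), so a forgotten entry fails closed.
ACCESS_MATRIX = {
    "/account/summary": {"admin", "customer", "staff"},
    "/admin/editUsers": {"admin"},
    "/admin/deleteUser": {"admin"},
}


@dataclass
class Request:
    user: str   # identity from an already-verified session cookie (assumed)
    path: str   # raw path as typed or tampered with by the client


def render_menu(role: str) -> list:
    """Presentation-layer control: hide admin links from non-admins.
    Fine for the UI, but it stops nobody who types the URL directly."""
    links = ["/account/summary"]
    if role == "admin":
        links += ["/admin/editUsers", "/admin/deleteUser"]
    return links


def canonicalize(path: str) -> str:
    """Resolve the requested path to one canonical form *before* authorizing it.
    Collapses repeated slashes and '..' segments, so '/account/../admin/editUsers'
    and '//admin//editUsers' are checked as '/admin/editUsers' instead of
    slipping past an exact-string lookup."""
    return posixpath.normpath("/" + path.lstrip("/"))


def vulnerable_dispatch(req: Request) -> tuple:
    """The demo server: authenticates, then serves whatever URL was requested."""
    if req.user not in USERS:
        return 401, "login required"
    page = ROUTES.get(req.path)
    if page is None:
        return 404, "not found"
    return 200, page          # no authorization check: John gets the admin page


def hardened_dispatch(req: Request) -> tuple:
    """Same routing, but the authorization decision is made on the server for
    every request, from the session role and the canonical path."""
    if req.user not in USERS:
        return 401, "login required"
    role = USERS[req.user]                          # from the session, not from the URL or a form
    path = canonicalize(req.path)
    allowed_roles = ACCESS_MATRIX.get(path, set())  # implicit deny for unlisted paths
    if role not in allowed_roles:
        return 403, "forbidden"
    page = ROUTES.get(path)
    if page is None:
        return 404, "not found"
    return 200, page


if __name__ == "__main__":
    john = Request("john", "/admin/editUsers")
    print("menu shown to John:", render_menu(USERS["john"]))
    print("vulnerable:", vulnerable_dispatch(john))
    print("hardened:  ", hardened_dispatch(john))
    print("hardened, traversal variant:",
          hardened_dispatch(Request("john", "/account/../admin/editUsers")))
```

Run it as a script: the customer session is served the edit-users page by `vulnerable_dispatch` and refused by `hardened_dispatch`, and the traversal spelling of the same URL is refused as well because the matrix lookup happens on the canonical path. In a real application the same check belongs in one central place (a middleware or filter) rather than being repeated in each page handler, so that a new admin page cannot be added without an access matrix entry.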