Access control vulnerabilities

Access control - Often the Weakest Link in Application Security

Easy
15 min

Challenging problem

Often there is a simple solution that avoids a whole class of vulnerabilities. SQL injection can be avoided by using a secure library for making SQL queries. XML External Entity (XXE) injection can be avoided by initializing the XML processor securely. There are numerous other examples.

Access control, however, does not belong to this group. Application access control is usually not particularly difficult, but it is incredibly easy to make one critical mistake and jeopardize the security of the entire application. Access control problems are also easy for an attacker to find and exploit.

What is access management?

Identification (authentication) refers to the process of asking the user for some form of identifying information, such as a username and password, that can be used to verify that the user is who they claim to be.

Session management refers to the process of securely transporting the user's identity between the browser and the server once the user has been authenticated, so that the user does not have to enter their username and password again every time they click on something on the page.

Access control, or authorization, refers to the process in which the application decides whether a given user is allowed to do or see something.

The following examples are access control decisions:

  • Can user X see user X's information?
  • Can user X delete user Y's data?
  • Can user X use function Y?

Appearance can be deceiving

It is important to remember that the user of the application is not limited to the application's user interface. The user is limited only by the HTTP interface the application exposes; the user interface is merely a convenience built on top of that interface.

This means that it is extremely important for the application to take care of access control on the server, not just on the client side. It does not matter for access control purposes what menus are visually selectable in the application. The only thing that matters is what the code on the server does with the HTTP request that comes from the user.

Exercise

Open the application and try to make a bank transfer. You can find IBANs to which transfers can be made on the "Contacts" tab. What does the HTTP request look like? Can you, from the user interface, select as the sender of the transfer an IBAN that does not belong to you? What if you change the number directly in the HTTP request instead?

A bank robbery

In this lab, you get to practice bypassing access control in an application that mistakenly relies solely on the access control performed in the visible user interface.

Objective

Get over 5000€ into your account.

Exercises

Flag

Find the flag from the lab environment and enter it below.

Test your access control!

Because the likelihood of human error in access control checks is so high, it is important that access control is covered by unit and integration tests. For example:

  • Can the operation be performed if the user has not authenticated at all?
  • Can the operation be performed if logged in as a user who should not have access to the information?
  • Can the operation be performed if logged in with a user who should not have permissions for the operation?
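
The three questions above, turned into a test table for a bank-transfer function like the one in this lab. This is an added example, not Hakatemia's lab code: the users, IBANs, balances and permission table are constructed, and the vulnerable handler shows the mistake described earlier (trusting the request's sender IBAN because the UI only offered the user's own accounts) next to the server-side fix.

```python
# Added example, not Hakatemia's lab code. Constructed users, IBANs and balances.
class AccessDenied(Exception):
    """Raised by the secure handler for unauthenticated or unauthorized calls."""

def fresh_accounts():
    return {"FI00 1111": {"owner": "alice", "balance": 100},
            "FI00 2222": {"owner": "bob", "balance": 9000}}

PERMISSIONS = {"alice": {"transfer"}, "bob": set()}  # who may use the transfer function

def transfer_vulnerable(session, accounts, sender, recipient, amount):
    """Trusts the request: the only 'check' was that the UI listed the user's own IBANs."""
    accounts[sender]["balance"] -= amount
    accounts[recipient]["balance"] += amount

def transfer_secure(session, accounts, sender, recipient, amount):
    """Decides on the server from the session, never from request fields."""
    user = session.get("user")
    if user is None:
        raise AccessDenied("not authenticated")
    if "transfer" not in PERMISSIONS.get(user, set()):
        raise AccessDenied("user lacks the transfer permission")
    if sender not in accounts or accounts[sender]["owner"] != user:
        raise AccessDenied("sender account is not owned by the caller")
    if amount <= 0 or accounts[sender]["balance"] < amount:
        raise ValueError("invalid amount")
    accounts[sender]["balance"] -= amount
    accounts[recipient]["balance"] += amount

def access_control_tests(transfer):
    """The page's three questions as a test table. Each case must be denied AND
    leave every balance unchanged. Returns {case_name: passed}."""
    cases = {
        "unauthenticated": {},                     # no session at all
        "other_users_account": {"user": "alice"},  # alice names bob's IBAN as sender
        "no_permission": {"user": "bob"},          # bob owns the account but may not transfer
    }
    results = {}
    for name, session in cases.items():
        accounts = fresh_accounts()
        before = {iban: a["balance"] for iban, a in accounts.items()}
        try:
            transfer(session, accounts, "FI00 2222", "FI00 1111", 5000)
            denied = False
        except AccessDenied:
            denied = True
        after = {iban: a["balance"] for iban, a in accounts.items()}
        results[name] = denied and before == after
    return results
```

Running `access_control_tests` against both handlers makes the difference visible: the vulnerable one fails all three cases, the secure one passes them, and the balance comparison catches a handler that raises an error only after the money has already moved.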