Access control
What is access control? - Portswigger
Access control (or authorization) is the application of constraints on who (or what) can perform attempted actions or access resources that they have requested. In the context of web applications, access control is dependent on authentication and session management:
- Authentication identifies the user and confirms that they are who they say they are.
- Session management identifies which subsequent HTTP requests are being made by that same user.
- Access control determines whether the user is allowed to carry out the action that they are attempting to perform.
Vertical access controls
Different types of users have access to different application functions:
For example:
- Admin may delete or modify any user's account
- User may not have access to these actions
Vertical access controls can be more fine-grained to enforce business policies such as separation of duties and least privilege.
Horizontal access controls
Restrict access to resources to the users who are specifically allowed to access those resources.
Example:
- Alice can view her transactions and make payments from her own account
- Alice can't perform any of these actions on Bob's account
Context-dependent access controls
Restrict access to functionality and resources based upon the state of the application or the user’s interaction with it.
Example:
- Cannot access a company facility after midnight unless you're a guard
- A retail website might prevent users from modifying the contents of their shopping cart after they have made payment.
- Users who log in from another country (e.g. behind a VPN) can't reuse the logged-in session and must authenticate themselves again.
Escalations
Vertical privilege escalation
Happens when a user gains access to functionality that they are not permitted to use.
Merely hiding sensitive functionality does not provide effective access control since users might still discover the obfuscated URL in various ways.
Parameter-based access control methods
Some applications determine the user's access rights from parameters that are controllable by the user, such as a predictable cookie value.
- PortSwigger lab example: unprotected admin panel
- PortSwigger lab: user role can be modified in the user profile
Broken access control resulting from platform misconfiguration
Some applications enforce access controls at the platform layer by restricting access to specific URLs and HTTP methods based on the user's role; if that platform configuration is wrong, the restriction can be bypassed.
Broken access control resulting from URL-matching discrepancies
It is possible that /ADMIN/DELETEUSER is still mapped to the same /admin/deleteUser endpoint; if the access control mechanism is stricter than the router and treats the two paths as different endpoints, the restriction is not enforced and this may be exploited.
In the Spring Framework, if developers have enabled the useSuffixPatternMatch option, it is possible to map arbitrary file extensions to an equivalent endpoint with no extension.
In other words, /admin/deleteUser.anything would still match the /admin/deleteUser pattern.
Another example: /admin/deleteUser may be treated differently from /admin/deleteUser/, and you may be able to bypass the control with the trailing slash.
Horizontal privilege escalation
Horizontal privilege escalation arises when a user is able to gain access to resources belonging to another user, instead of their own resources of that type.
Insecure direct object references
They are a subcategory of access control vulnerabilities. They arise when an application uses user-supplied input to access objects directly and an attacker can modify the input to obtain unauthorized access.
Access control vulnerabilities in multi-step processes:
- Sometimes websites assume that a user will only reach step 3 if they have already completed the first steps, which are properly controlled.
- Referer-based access control: even worse than the previous point, it only checks the Referer header submitted in the HTTP request.
- Location-based access control: enforces access controls based on geographical location. For example, a website that allows only people from Russia to log in. This can be circumvented with a VPN or manipulation of client-side geolocation mechanisms.
How to prevent Access Control Vulnerabilities
- Don't rely on security by obscurity alone
- Deny access to resources by default unless they're public
- Use a single application-wide mechanism for enforcing access controls
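Added example (not from PortSwigger or these notes) tying the URL-matching discrepancies above to the prevention advice: a single application-wide check that canonicalizes the path before looking it up, denies anything not explicitly listed, and adds a horizontal ownership check, next to the fragile exact-string check it replaces. POLICY, User, canonicalize, naive_check and authorize are assumed names, and the canonicalization rules are an assumption about how the router matches paths.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed policy for illustration: (HTTP method, canonical path) -> roles allowed.
# Any (method, path) pair not listed here is denied, i.e. deny by default.
POLICY = {
    ("GET", "/"): {"anonymous", "user", "admin"},
    ("GET", "/my-account"): {"user", "admin"},
    ("GET", "/admin"): {"admin"},
    ("POST", "/admin/deleteuser"): {"admin"},
}


@dataclass
class User:
    id: int
    role: str  # "anonymous", "user" or "admin"


def canonicalize(path: str) -> str:
    """Normalise a request path the way a tolerant router would, so the check
    sees the same endpoint the routing layer dispatches to: drop the query
    string, lower-case, drop a trailing slash and drop a Spring-style suffix
    (/admin/deleteUser.anything -> /admin/deleteuser). These rules are an
    assumption and must mirror the real framework's matching behaviour."""
    path = path.split("?", 1)[0].lower().rstrip("/")
    path = re.sub(r"\.[a-z0-9]+$", "", path)
    return path or "/"


def naive_check(user: User, method: str, path: str) -> bool:
    """Fragile 'before': exact, case-sensitive match on the raw path, and
    anything not listed is allowed. Case, suffix and trailing-slash variants
    all slip past it while still reaching the admin handler."""
    if path in ("/admin", "/admin/deleteUser"):
        return user.role == "admin"
    return True


def authorize(user: User, method: str, path: str,
              owner_id: Optional[int] = None) -> bool:
    """Single application-wide check: canonical path, deny by default, then a
    horizontal check that the requested resource belongs to the caller
    (admins may act on any account, matching the vertical model above)."""
    allowed_roles = POLICY.get((method.upper(), canonicalize(path)))
    if allowed_roles is None or user.role not in allowed_roles:
        return False
    if owner_id is not None and user.role != "admin" and owner_id != user.id:
        return False
    return True
```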