Authorization the process of giving someone permission to do or have something
it defines how access is controlled in the context of what is access by whom.
In authorization we can talk about three types of authorities:
1- Vertical authority: it is about the level of access to specific functionality
set for each type of users an example is the difference in authority
between administrator and a normal user.
2- Horizontal authority: this type of authority is about controlling the access
in the same functionality, as example having the authority to access the
web mail functionality does not mean ability to access any email account.
3- Contextual authority: this type of authority is related to current
application state which can be explained in the perspective of multistage
process where available functionalities are specified according to present
state.
attacking those concentrate accordingly on breaking the access control using
three methods:
- Vertical privilege escalation: The focus in this method is to gain higher level of access related to more privileged type of users.
- Horizontal privileges escalation: tries to compromise resources to which he is not entitled. For example, in web mail application to read other people’s e-mail
- Business logic exploitation tries to exploit a flaw in the application’s state machine to have access to an important resource. For example, a user may be able to bypass the payment step in a shopping checkout sequence.
Attack requirement:
A. Different privileges to different users on functionalities
B. Different privileges to different users on resources.
C. Privileged user used functionalities are in the same application containing
configuration and motoring it
Attack Process:
A. Configure Burp as a proxy and disable interception, browse all the
application’s content within one user context. If the target is to test
vertical access controls higher privileges account should be used.
B. Be sure to map all functionalities by checking Burp’s site map.
C. use the context menu to select the “compare site maps” feature.
D. To select the second site map to be compared, you can either load this
from a Burp state file or have Burp dynamically re-request the first site
map in a new session context.
E. To test horizontal access controls between users of the same type, you
can simply load a state file you saved earlier, having mapped the application as a different user. For testing vertical
access controls, it is preferable to re-request the high-privilege site map
as a low-privileged user, because this ensures complete coverage of the
relevant functionality.
F. To re-request the first site map in a different session, you need to
configure Burp’s session-handling functionality with the details of the
low-privilege user sessin (for example, by recording a login macro or
providing a specific cookie to be used in requests
G. It is necessary that define suitable scope rules to prevent Burp from
requesting any logout function.
Data storage is one of the main components of most of web applications, it
contains the information about the key business functionalities in addition to
users account information which makes it a delicious meal for an attacker.
Data storages have many types that rely on multiple technologies, it can be as
simple as plain text file or sophisticated Data base management system like
Oracle.
No matter what used Data stores are it can become vulnerable if the attacker
finds a way to interface the data store through the application functionalities or
being able to access it directly in case of Data remote access availability.
Injection is one of the common types of attacks that commonly executed to
compromise data stores, it generally depends on the nature of interpreted
languages characterized by parsing and executing instructions in the run time.
PHP, Perl, SQL and LDAP are well-known examples of interpreted languages
used in web application development.
The main idea that helps in compromising interpreted language is being able to
inject special characters or instruction that have grammar match in the language
syntax.
The following listing a simple SQL syntax that retrieve user records that has a
matching user name and password to those entered in quotations.
Select * from users where username = ‘usrName’ and password = ‘pass’
If the application that include this syntax is vulnerable to injection by mean of
absence of sanitization functionality for entered values, the attacker will be able
to enter the value of
( admin’- - ) in the user name and any password to gain administrator account
privileges as the resulting code that is going to be executed by the interpreter is:
Select * from users where username = ‘admin’- -‘ and password = ‘anyPass’
The (- -) is the special syntax to begin comment in SQL, which means that the
interpreter will ignore everything after (--) and will retrieve the admin record.
0 comments: