Friday, March 2, 2018

Authorization and Attack Execution: Data Stores


Authorization is the process of giving someone permission to do or have something; it defines how access is controlled, in terms of what is accessed and by whom. In authorization we can talk about three types of authority: 

1- Vertical authority: the level of access to specific functionality that is granted to each type of user. An example is the difference in authority between an administrator and a normal user. 
2- Horizontal authority: controlling access within the same functionality. For example, having the authority to use the webmail functionality does not mean the ability to access any email account. 
3- Contextual authority: related to the current application state. It is best explained in terms of a multistage process, where the functionality available at each point is determined by the present state. 

Attacks on these accordingly concentrate on breaking the access controls using three methods: 
  •  Vertical privilege escalation: the focus of this method is to gain a higher level of access belonging to a more privileged type of user. 
  •  Horizontal privilege escalation: the attacker tries to access resources to which he is not entitled, for example reading other people's e-mail in a webmail application. 
  •  Business logic exploitation: tries to exploit a flaw in the application's state machine to gain access to an important resource. For example, a user may be able to bypass the payment step in a shopping checkout sequence.  
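The three types of authority above, and the three escalation paths that target them, map onto three distinct checks at an enforcement point. The following is an added example (not code from the original post) with hypothetical roles, a constructed mailbox table, and a checkout state machine whose only legal order is cart, pay, confirm:

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when an access check fails."""

@dataclass
class User:
    name: str
    role: str                  # hypothetical roles: "admin" or "user"

@dataclass
class Checkout:
    owner: str
    stage: str = "cart"        # legal order: cart -> pay -> confirm

# Constructed sample data: mailbox id -> owning user name.
MAILBOXES = {"alice-inbox": "alice", "bob-inbox": "bob"}
# Contextual control: the only legal next step from each stage.
TRANSITIONS = {"cart": "pay", "pay": "confirm"}

def delete_user(actor: User, victim: str) -> str:
    """Vertical control: only the admin role may manage accounts."""
    if actor.role != "admin":
        raise Forbidden(f"{actor.name} lacks the admin role")
    return f"deleted {victim}"

def read_mailbox(actor: User, mailbox_id: str) -> str:
    """Horizontal control: same webmail function for everyone, but the
    mailbox must belong to the requester (the post's webmail example)."""
    if MAILBOXES.get(mailbox_id) != actor.name:
        raise Forbidden(f"{actor.name} does not own {mailbox_id}")
    return f"contents of {mailbox_id}"

def advance(actor: User, co: Checkout, step: str) -> str:
    """Contextual control: accept only the next legal stage, so a user
    cannot jump from 'cart' to 'confirm' and skip the payment step."""
    if co.owner != actor.name:
        raise Forbidden("not your checkout")
    if TRANSITIONS.get(co.stage) != step:
        raise Forbidden(f"cannot go from {co.stage!r} to {step!r}")
    co.stage = step
    return co.stage

def allowed(fn, *args) -> bool:
    """True if the call passes its access check, False if it is refused."""
    try:
        fn(*args)
        return True
    except Forbidden:
        return False
```

Note that `advance` checks ownership as well as the state transition: a contextual check alone would still let one user drive another user's checkout.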

Attack requirements: 

A. Different users have different privileges on functionalities. 
B. Different users have different privileges on resources. 
C. The functionality used by privileged users, such as configuration and monitoring, is part of the same application. 

Attack Process: 

A. Configure Burp as a proxy with interception disabled, and browse all of the application's content within one user context. If the target is to test vertical access controls, the higher-privileged account should be used. 

B. Make sure all functionality has been mapped by checking Burp's site map. 

C. Use the context menu to select the "compare site maps" feature. 

D. To select the second site map to be compared, you can either load it from a Burp state file or have Burp dynamically re-request the first site map in a new session context. 

E. To test horizontal access controls between users of the same type, you can simply load a state file you saved earlier, having mapped the application as a different user. For testing vertical access controls, it is preferable to re-request the high-privilege site map as a low-privileged user, because this ensures complete coverage of the relevant functionality.

F. To re-request the first site map in a different session, you need to configure Burp's session-handling functionality with the details of the low-privileged user's session (for example, by recording a login macro or providing a specific cookie to be used in requests). 

G. It is necessary to define suitable scope rules to prevent Burp from requesting any logout function.

Data storage is one of the main components of most web applications: it holds the information behind the key business functionality in addition to user account information, which makes it a delicious meal for an attacker. Data stores come in many types relying on multiple technologies; they can be as simple as a plain text file or as sophisticated as a database management system like Oracle.

No matter which data store is used, it can become vulnerable if the attacker finds a way to interface with it through the application's functionality, or is able to access it directly when remote access to the data is available. Injection is one of the most common types of attack executed to compromise data stores; it generally depends on the nature of interpreted languages, which parse and execute instructions at run time. PHP, Perl, SQL and LDAP are well-known examples of interpreted languages used in web application development. 

The main idea behind compromising an interpreted language is being able to inject special characters or instructions that are grammatically valid in the language's syntax. 

The following listing is a simple SQL statement that retrieves the user records whose user name and password match the values entered between the quotation marks. 

Select * from users where username = 'usrName' and password = 'pass'   

If the application that includes this statement is vulnerable to injection because it does not sanitize the entered values, the attacker will be able to enter the value admin'-- as the user name and any password to gain administrator account privileges, because the resulting code executed by the interpreter is:

Select * from users where username = 'admin'--' and password = 'anyPass'   

The -- is the special syntax that begins a comment in SQL, which means that the interpreter will ignore everything after -- and will retrieve the admin record.
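To see the mechanism and its fix side by side, the following added example (not code from the original post) runs the login query above against an in-memory SQLite table with constructed sample users, once built by string concatenation and once with bound parameters:

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample data: one admin and one ordinary user.
    Passwords are stored in clear text only to mirror the post's query;
    a real application stores a password hash instead."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("admin", "Adm1n-S3cret", "admin"),
                    ("alice", "alice-pw", "user")])
    return db

def login_vulnerable(db, username: str, password: str):
    """The post's query with the submitted values pasted into the SQL text.
    Deliberately unsafe: a quote in the input changes the statement, and
    -- turns the rest of it into a comment."""
    sql = ("SELECT username, role FROM users WHERE username = '"
           + username + "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()

def login_safe(db, username: str, password: str):
    """Same query with bound parameters: the driver sends the values apart
    from the statement, so quotes and -- in the input are plain characters."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "admin'--", "anyPass"))
    print("safe:      ", login_safe(db, "admin'--", "anyPass"))
```

With the parameterised form the same input is simply a user name that does not exist, so the lookup returns no row.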