Attacking Access Control
Software Security
Jorina van Malsen
Outline
• Access Controls
• Access Control Vulnerabilities
• Securing Access Controls
• Attacking Access Controls
Access Controls
A system which enables an authority to control access to areas and resources in a given physical facility or computer-based information system.
Access controls are a critical defense mechanism within the application because they are responsible for making the decision of whether it should permit a given request to perform its attempted action or access the resources that it is requesting. When they are defective, an attacker can often compromise the entire application, taking control of administrative functionality and accessing sensitive data belonging to every other user.
Access controls are among the most commonly encountered categories of web application vulnerability (ch. 1).
Common Categories of Vulnerabilities
1. Broken Authentication: encompasses various defects within the application's login mechanism.
2. Broken Access Controls: the application fails to properly protect access to data and its functionality.
3. SQL Injection: enables an attacker to submit crafted input to interfere with the application's interaction with back-end databases.
4. Cross-Site Scripting: enables an attacker to target other users of the application.
5. Information Leakage: an application divulges sensitive information that is of use to an attacker in developing an assault against the application, through defective error handling or other behavior.
Vertical vs Horizontal Access Controls
Vertical Access Controls: allow different types of users to access different parts of the application's functionality, e.g. the division between ordinary users and administrators.
Horizontal Access Controls: allow users to access a certain subset of a wider range of resources of the same type, e.g. a web mail application may allow you to read your email but no one else's; you can only see your own details.
Access Control Vulnerabilities
Access controls are broken if any user is able to access functionality or resources for which he is not authorized. They are among the most commonly encountered categories of web application vulnerabilities.
Two main types of attack against access controls:
1. Vertical privilege escalation: when a user can perform functions that their assigned role does not permit them to do.
2. Horizontal privilege escalation: when a user can view or modify resources to which he is not entitled.
Access Control Security and its Weaknesses
1. Completely Unprotected Functionality
2. Identifier-Based Functions
3. Multistage Functions
4. Static Files
Completely Unprotected Functionality
In many cases of broken access controls, sensitive functionality and resources can be accessed by anyone who knows the relevant URL.
• E.g. when https://wahh-app.com/admin/ allows any user who requests it to enter the administrative user interface.
• Weaknesses:
  • The URL can be guessed (especially by an insider)
  • The link appears in browser histories and the logs of web servers and proxy servers
  • Users may write them down, bookmark them or email them around
  • They are not normally changed periodically, as passwords should be
  • When users change job roles, and their access to administrative functionality needs to be withdrawn, there is no way to delete their knowledge of a particular URL.
Identifier-Based Functions
When a function of an application is used to gain access to a specific resource, it is very common to see an identifier for the requested resource being passed to the server in a request parameter, either within the URL query string or the body of a POST request.
• When the user who owns the document is logged in, a link to this URL is displayed on the user's My Documents page. Other users do not see this link. In order to be able to open the link, an attacker needs to know the name of the application page and the identifier of the document he wishes to view.
• Weaknesses:
  • Passwords are often easy to guess
  • Lots of people write down resource identifiers or save them on their computer, so they are easy to find
Multistage Functions
Involve capturing different items of data from the user at each stage. This data is strictly checked when first submitted and then is usually passed to each subsequent stage, using hidden fields in an HTML form.
Main Weaknesses:
• Developers often assume that any user who reaches the later stages of the process must have the relevant privileges, because this was verified at the earlier stages.
• It is also often assumed that people will access application pages in the intended sequence; by taking another "path" people could avoid user identification.
Static Files
In some cases, requests for protected resources are made directly to the static resources themselves, which are located within the web root of the server.
• E.g. an online publisher may allow users to browse its book catalog and purchase ebooks for download. Once the payment has been made, the user is directed to a download URL. As this is a completely static resource, it does not execute on the server, and its contents are simply returned directly by the web server. Hence, the resource itself cannot implement any logic to verify that the requesting user has the required privileges.
When static resources are accessed in this way, it is highly likely that there are no effective access controls protecting them and that anyone who knows the URL naming scheme can exploit this to access any resources they desire.
Securing Access Controls: Pitfalls
Access controls are one of the easiest areas of web application security, though there are several obvious pitfalls to avoid:
• Flaws usually arise from ignorance about the essential requirements of effective access control, or from flawed assumptions about the kinds of requests that users will make and against which the application needs to defend itself.
• Web application developers often implement access control functions on a piecemeal basis, adding code to individual pages in cases where they register that some access control is required, and often cutting and pasting the same code between pages to implement similar requirements.
• Do not trust any user-submitted parameters to signify access rights (such as admin=true).
• Do not assume that users will access application pages in the intended sequence (make sure people will also not be able to avoid access controls by taking a different "path").
• Do not trust the user not to tamper with any data that is transmitted via the client. If some user-submitted data has been validated and is then transmitted via the client, do not rely upon the retransmitted value without revalidation.
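The multistage weakness and the "retransmitted value" pitfall side by side, as an added Python example that is not part of the slides. The three-stage "create user" wizard, the Session class, the USERS store and the form field names are constructed for illustration; the vulnerable version carries the stage-1 privilege check forward in a hidden field, the fixed version keeps wizard progress server-side and re-checks the role at every stage.

```python
# Added example (not from the slides): a three-stage "create user" wizard.
# Stage 1 checks that the caller is an administrator. The vulnerable version
# hands that result back to the browser as a hidden field, so a request that
# jumps straight to stage 3 carrying privileged=true is accepted. The fixed
# version keeps wizard progress in the server-side session and re-checks the
# caller's role at every stage.
from dataclasses import dataclass


@dataclass
class Session:
    """Server-side session; role comes from the login, never from the request."""
    user: str
    role: str
    wizard_stage: int = 0  # progress through the fixed wizard (0 = not started)


# Constructed user store: username -> role.
USERS = {"alice": "admin", "mallory": "user"}


# ---- Vulnerable: stage 3 trusts a hidden field produced by stage 1 ----------
def vuln_stage1(session, form):
    if session.role != "admin":
        return "denied"
    # The privilege check happens once and is then carried in the HTML form.
    return {"privileged": "true"}


def vuln_stage3(session, form):
    # Assumes everyone reaching stage 3 passed stage 1, and trusts the
    # retransmitted field, which the client can set to anything.
    if form.get("privileged") == "true":
        USERS[form["new_user"]] = form["new_role"]
        return "created"
    return "denied"


# ---- Fixed: every stage re-derives the decision from the session ------------
def fixed_stage1(session, form):
    if session.role != "admin":
        return "denied"
    session.wizard_stage = 1
    return "ok"


def fixed_stage2(session, form):
    if session.role != "admin" or session.wizard_stage < 1:
        return "denied"
    session.wizard_stage = 2
    return "ok"


def fixed_stage3(session, form):
    # Role is re-checked, and the caller must have completed stage 2 in order.
    if session.role != "admin" or session.wizard_stage < 2:
        return "denied"
    USERS[form["new_user"]] = form["new_role"]
    session.wizard_stage = 0  # wizard is single-use; reset progress
    return "created"


def demo():
    """Runs both versions against an ordinary user skipping to the last stage,
    then runs the fixed wizard in order as an administrator."""
    request = {"privileged": "true", "new_user": "eve", "new_role": "admin"}
    skipped_vuln = vuln_stage3(Session("mallory", "user"), request)
    skipped_fixed = fixed_stage3(Session("mallory", "user"), request)
    admin = Session("alice", "admin")
    in_order = (fixed_stage1(admin, {}), fixed_stage2(admin, {}),
                fixed_stage3(admin, {"new_user": "carol", "new_role": "user"}))
    return skipped_vuln, skipped_fixed, in_order


if __name__ == "__main__":
    print(demo())  # ('created', 'denied', ('ok', 'ok', 'created'))
```

The fixed wizard does two things the vulnerable one does not: it never lets the client carry the outcome of a check, and it records which stage was reached in the session, so the "other path" of calling stage 3 directly is refused even by a genuine administrator.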
Implementing Effective Access Controls within Web Applications (1)
Explicitly evaluate and document the access control requirements for every unit of application functionality. This needs to include both who can legitimately use the function and what resources individual users may access via the function.
Implementing Effective Access Controls within Web Applications (2)
Drive all access control decisions from the user's session.
Implementing Effective Access Controls within Web Applications (3)
Use a central application component to check access controls.
• Advantages:
  • Increases the clarity of access controls within the application, enabling different developers to quickly understand the controls implemented by others
  • Maintenance is more efficient and reliable. Most changes will only need to be applied once, to a single shared component, and will not need to be cut and pasted to multiple locations.
  • It improves adaptability. Where new access control requirements arise, these can be easily reflected within an existing API implemented by each application page
  • It results in fewer mistakes and omissions than if access control code is implemented piecemeal throughout the application
Implementing Effective Access Controls within Web Applications (4)
Process every single client request via this component to validate that the user making the request is permitted to access the functionality and resources being requested.
Implementing Effective Access Controls within Web Applications (5)
Use programmatic techniques to ensure that there are no exceptions to the previous point.
• An effective approach is to mandate that every application page must implement an interface that is queried by the central access control mechanism. By forcing developers to explicitly code access control logic into every page, there can be no excuse for omissions.
Implementing Effective Access Controls within Web Applications (6)
For particularly sensitive functionality, such as administrative pages, you can further restrict access by IP address to ensure that only users from a specific network range are able to access the functionality, regardless of their login status.
Implementing Effective Access Controls within Web Applications (7)
If static content needs to be protected, there are two methods of providing access control:
• Static files can be accessed indirectly by passing a file name to a dynamic server-side page which implements the relevant access control logic.
• Direct access to static files can be controlled using HTTP authentication or other features of the application server to wrap the incoming request and check the permissions for the resource before granting access.
Implementing Effective Access Controls within Web Applications (8)
Identifiers specifying which resource a user wishes to access are vulnerable to tampering whenever they are transmitted via the client. The server should trust only the integrity of server-side data. Any time these identifiers are transmitted via the client, they need to be revalidated to ensure the user is authorized to access the requested resource.
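The identifier-based "view document" function from the vulnerabilities section, together with point (8) above and the indirect-access method for static files in point (7), as an added Python example that is not part of the slides. The DOCUMENTS store, the PURCHASES record, the user names and the document and ebook identifiers are constructed for illustration.

```python
# Added example (not from the slides): a document viewer that takes the
# resource identifier from the request. The vulnerable version trusts the id
# as-is; the fixed version revalidates it against the logged-in user before
# returning anything. A purchased-ebook download shows the same revalidation
# applied to static content reached through a dynamic page.

# Constructed resource store: document id -> owner and contents.
DOCUMENTS = {
    "doc-1001": {"owner": "alice", "body": "Alice's contract"},
    "doc-1002": {"owner": "bob", "body": "Bob's payslip"},
}


def view_document_vulnerable(session_user, doc_id):
    """Horizontal escalation: any user who knows an id can read the document."""
    doc = DOCUMENTS.get(doc_id)
    return None if doc is None else doc["body"]


def view_document(session_user, doc_id):
    """The id came from the client, so ownership is re-checked server-side.

    A missing document and another user's document get the same answer, so
    the response does not confirm which identifiers exist.
    """
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != session_user:
        return None
    return doc["body"]


def my_documents(session_user):
    """The links shown on the user's My Documents page: only their own ids."""
    return sorted(i for i, d in DOCUMENTS.items() if d["owner"] == session_user)


# Constructed purchase record and static content, kept outside the web root.
PURCHASES = {("bob", "ebook-42")}           # (user, ebook id) pairs
EBOOK_FILES = {"ebook-42": b"%PDF-1.4 constructed placeholder bytes"}


def download_ebook(session_user, ebook_id):
    """Static file served only through this dynamic page (method 1 above):
    the purchase record is checked on every request."""
    if (session_user, ebook_id) not in PURCHASES:
        return None
    return EBOOK_FILES.get(ebook_id)


def demo():
    # bob tries a neighbouring identifier of the one shown on his own page
    return (view_document_vulnerable("bob", "doc-1001"),
            view_document("bob", "doc-1001"),
            view_document("alice", "doc-1001"),
            my_documents("bob"))


if __name__ == "__main__":
    print(demo())  # ("Alice's contract", None, "Alice's contract", ['doc-1002'])
```

The ownership check is deliberately keyed on the session user rather than on anything in the request; the identifier is treated as an untrusted selector, and the server-side store decides whether the selection is legitimate.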
Implementing Effective Access Controls within Web Applications (9)
For security-critical application functions such as the creation of a new bill payee in a banking application, consider implementing per-transaction reauthentication and dual authorization to provide additional assurance that the function is not being used by an unauthorized party. This will also mitigate the consequences of other possible attacks, such as session hijacking.
Implementing Effective Access Controls within Web Applications (10)
Log every event where sensitive data is accessed or a sensitive action is performed. These logs will enable potential access control breaches to be detected and investigated.
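Points (2) to (6) and (10) above as one working component, added here as a Python example that is not part of the slides: every request goes through a single dispatcher, decisions come only from the server-side session, every page must declare a policy to be reachable at all, administrative pages are additionally tied to a network range, and sensitive accesses and refusals are logged. The ADMIN_NETWORK range, the page paths, the roles and the sessions are constructed for illustration.

```python
# Added example (not from the slides): a central access-control component.
# Pages register their policy with the @page decorator; a handler that was
# never registered is simply unreachable, so a page cannot be added without
# its check. dispatch() is the single entry point for client requests.
import ipaddress

ADMIN_NETWORK = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
PAGES = {}        # path -> policy and handler
ACCESS_LOG = []   # audit trail of sensitive accesses and refusals


def page(path, roles, admin_net_only=False, audit=False):
    """Declares who may call the page; enforcement happens in dispatch()."""
    def register(handler):
        PAGES[path] = {"handler": handler, "roles": frozenset(roles),
                       "admin_net_only": admin_net_only, "audit": audit}
        return handler
    return register


def dispatch(session, path, client_ip, params=None):
    """Validates every request against the page's declared policy.
    Returns (status, body)."""
    entry = PAGES.get(path)
    if entry is None:
        return 404, "no such page"          # unregistered means not served
    user, role = session["user"], session["role"]   # from the session only
    if role not in entry["roles"]:
        ACCESS_LOG.append(("denied", user, path, client_ip))
        return 403, "forbidden"
    if entry["admin_net_only"] and \
            ipaddress.ip_address(client_ip) not in ADMIN_NETWORK:
        ACCESS_LOG.append(("denied-network", user, path, client_ip))
        return 403, "forbidden"
    if entry["audit"]:
        ACCESS_LOG.append(("allowed", user, path, client_ip))
    return 200, entry["handler"](session, params or {})


@page("/home", roles={"user", "admin"})
def home(session, params):
    return f"welcome {session['user']}"


@page("/admin/users", roles={"admin"}, admin_net_only=True, audit=True)
def admin_users(session, params):
    return "user list"


def demo():
    """Five requests; only the status codes are returned."""
    user = {"user": "mallory", "role": "user"}
    admin = {"user": "alice", "role": "admin"}
    return (
        dispatch(user, "/home", "203.0.113.5")[0],
        # a request parameter claiming admin rights is never consulted
        dispatch(user, "/admin/users", "203.0.113.5", {"admin": "true"})[0],
        dispatch(admin, "/admin/users", "203.0.113.5")[0],  # right role, wrong network
        dispatch(admin, "/admin/users", "10.1.2.3")[0],
        dispatch(admin, "/admin/secret", "10.1.2.3")[0],    # never registered
    )


if __name__ == "__main__":
    print(demo())  # (200, 403, 403, 200, 404)
    print(ACCESS_LOG)
```

The "no exceptions" property of point (5) comes from the registry: the only way for a handler to be served is to pass through `page()`, which forces a policy declaration, and the only way for a request to reach a handler is `dispatch()`, which applies it.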
A Multi-Layered Privilege Model
Issues relating to access apply not only to the web application itself but also to the other infrastructure tiers which lie beneath it. In this case, these access controls could be a good alternative:
• Programmatic Control
• Discretionary Access Control (DAC)
• Role-Based Access Control (RBAC)
• Declarative Control
Programmatic Control
The matrix of individual database privileges is stored in a table within the database, and applied programmatically to enforce access control decisions. The classification of user roles provides a shortcut for applying certain access control checks, and this is also applied programmatically.
Advantages:
- It can be extremely fine-grained
- It can build arbitrarily complex logic into the process of carrying out access control decisions within the application
Discretionary Access Control (DAC)
Various application users have privileges to create user accounts.
Closed DAC Model: access is denied unless explicitly granted.
Open DAC Model: access is permitted unless explicitly withdrawn.
Role-Based Access Control (RBAC)
Named roles which contain different sets of specific privileges. Each user is assigned to one of these roles. Enables many unauthorized requests to be quickly rejected with a minimum amount of processing being performed.
The number of roles should be balanced:
• Too many roles: difficult to manage accurately
• Too few roles: the resulting roles will be assigned privileges that are not strictly necessary for performance of their function
Declarative Control
Uses restricted database accounts when accessing the database. Employs different accounts for different groups of users, with each account having the least level of privilege necessary for carrying out the actions which that group is permitted to perform.
Advantage: even if a user finds a means of breaching the access controls implemented within the application tier, so as to perform a sensitive action such as adding a new user, they will be prevented from doing so because the database account that they are using does not have the required privileges within the database.
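The closed and open DAC models and an RBAC lookup from the privilege-model slides, as an added Python example that is not part of the slides. The grant and revocation tables (a programmatic privilege matrix as in the Programmatic Control slide), the roles, the privilege names and the users are constructed for illustration; the last function makes the "too few roles" problem measurable by listing what a role carries beyond what a task needs.

```python
# Added example (not from the slides): closed DAC, open DAC and RBAC checks
# over constructed tables.


# ---- Discretionary access control: a per-subject grant/revocation table ------
class ClosedDAC:
    """Access is denied unless an explicit grant exists (default deny)."""

    def __init__(self):
        self.grants = set()  # (subject, action, resource) triples

    def grant(self, subject, action, resource):
        self.grants.add((subject, action, resource))

    def allows(self, subject, action, resource):
        return (subject, action, resource) in self.grants


class OpenDAC:
    """Access is permitted unless explicitly withdrawn (default allow)."""

    def __init__(self):
        self.revoked = set()

    def revoke(self, subject, action, resource):
        self.revoked.add((subject, action, resource))

    def allows(self, subject, action, resource):
        return (subject, action, resource) not in self.revoked


# ---- Role-based: a named role bundles privileges; each user has one role -----
ROLE_PRIVILEGES = {
    "reader": frozenset({"doc:read"}),
    "editor": frozenset({"doc:read", "doc:write"}),
    "admin":  frozenset({"doc:read", "doc:write", "user:create"}),
}
USER_ROLE = {"alice": "admin", "bob": "editor", "carol": "reader"}


def rbac_allows(user, privilege):
    """Two dictionary lookups reject most unauthorized requests immediately;
    an unknown user or unknown role falls through to deny."""
    return privilege in ROLE_PRIVILEGES.get(USER_ROLE.get(user), frozenset())


def excess_privileges(role, needed):
    """Privileges the role carries beyond what a task needs: the 'too few
    roles' symptom from the slide, as a list you can review."""
    return sorted(ROLE_PRIVILEGES[role] - set(needed))


def demo():
    closed = ClosedDAC()
    closed.grant("bob", "read", "report-7")
    opened = OpenDAC()
    opened.revoke("bob", "read", "report-7")
    return (
        closed.allows("bob", "read", "report-7"),    # True: granted
        closed.allows("bob", "write", "report-7"),   # False: never granted
        opened.allows("bob", "read", "report-7"),    # False: withdrawn
        opened.allows("bob", "write", "report-7"),   # True: nothing withdrew it
        rbac_allows("carol", "doc:write"),           # False: reader role
        rbac_allows("alice", "user:create"),         # True: admin role
        rbac_allows("mallory", "doc:read"),          # False: no role at all
        excess_privileges("editor", ["doc:read"]),   # ['doc:write']
    )


if __name__ == "__main__":
    print(demo())
```

The two DAC classes differ in a single line, the default when no entry exists, which is exactly the closed-versus-open distinction on the slide; the RBAC check shows why a role lookup is cheap enough to run before any further processing of the request.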
Attacking Access Controls
• In some cases, finding a break in access controls is almost trivial: request a common administrative URL and gain direct access to the functionality.
• In other cases, it may be very hard, and subtle defects may lurk deep within application logic, particularly in complex, high-security applications.
• The most important lesson when attacking access controls is to look everywhere. If you are struggling to make progress, be patient and test every single step of every application function. A bug that allows you to own the entire application may be just around the corner.