Janibasha
F5 Employee

In the first article we covered an introduction to OWASP and the A03 Injection category, and how to mitigate injection attacks using F5 Distributed Cloud (F5 XC). This article continues the series and covers A01 Broken Access Control.

 

Introduction to A01 Broken Access Control attack: 

Access control enforces policy so that users cannot act outside of their intended permissions. Also called authorization, it allows or denies access to your application's features and resources. Broken access control enables:

  1. Unauthorized access to sensitive information. 
  2. Privilege escalation. 
  3. Illegal file executions. 

There are many ways to infiltrate application servers through broken access control. Here we focus on the two scenarios below and how to mitigate them.

 

Scenario 1: Broken access + SQL injection attack 

Instead of logging in with valid credentials, the attacker uses a SQL injection attack to log in as another standard or higher-privileged user, such as admin. This can also be described as broken authentication, because the attacker authenticates to the system through an injection attack without ever providing valid credentials.

For this demo I am using OWASP Juice Shop (see the reference links at the bottom for more info).

Step1:  

Please follow the steps in Article 1 to configure the HTTP load balancer and WAF in the cloud console. Make sure the WAF is configured in Monitoring mode so that the attack can be generated.

Step2:  

Open a browser and navigate to the login page of the application through the load balancer. In the Email field enter “' OR true --” and any password, as below:

loginPage.jpg

Step3:  

Validate that you can log in to the application as administrator, as below:

loginPage2.jpg
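The login bypass in Scenario 1 works because the email field is concatenated straight into the SQL text, so the injected condition matches every row and the application takes the first one, which is the administrator. The following added example (not code from the original article or from Juice Shop) reproduces that behaviour against a constructed in-memory SQLite table, shows the parameterized version of the same query rejecting the payload, and includes a minimal signature check of the kind a WAF applies in Blocking mode. The table contents, user names and the regular expression are assumptions for illustration.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample user table; the admin row comes first on purpose,
    mirroring the demo application where the first match is the administrator."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, password, role) VALUES (?, ?, ?)",
        [
            ("admin@example.test", "admin-secret", "admin"),      # constructed
            ("alice@example.test", "alice-secret", "customer"),   # constructed
        ],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str):
    """Vulnerable pattern: user input becomes part of the SQL statement text.
    With email = "' OR true --" the WHERE clause becomes
    email = '' OR true  (the rest is commented out), matching every row."""
    sql = (
        "SELECT email, role FROM users WHERE email = '" + email
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()  # (email, role) or None


def login_parameterized(conn: sqlite3.Connection, email: str, password: str):
    """Hardened pattern: bound parameters keep the input as data, never SQL,
    so the same payload is simply compared against the email column and fails."""
    return conn.execute(
        "SELECT email, role FROM users WHERE email = ? AND password = ?",
        (email, password),
    ).fetchone()


# Assumed, illustrative signature: a quote followed by OR/AND, or a SQL comment.
# Real WAF signature sets are far broader; this only shows the detection idea.
_SQLI_PATTERN = re.compile(r"'\s*(or|and)\b|--|/\*", re.IGNORECASE)


def looks_like_sqli(value: str) -> bool:
    """Return True when a request parameter matches the illustrative signature."""
    return _SQLI_PATTERN.search(value) is not None


if __name__ == "__main__":
    db = build_db()
    payload = "' OR true --"
    print("vulnerable login   :", login_vulnerable(db, payload, "anything"))
    print("parameterized login:", login_parameterized(db, payload, "anything"))
    print("WAF signature match:", looks_like_sqli(payload))
```

Running the block prints the admin row for the vulnerable login and `None` for the parameterized one. In the demo the WAF in Blocking mode stops the request before it reaches the application; fixing the query itself removes the underlying defect.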

 

Scenario 2: File upload vulnerability

Any file with the capability to harm the server is a malicious file. For example, a PHP file that calls dangerous functions such as exec() can be considered malicious, because those functions execute OS commands and can give an attacker remote control of the application server.

Suppose the web application has a file upload feature and only files with a .jpeg extension are allowed. Failing to properly enforce restrictions on file properties leads to broken access control, giving attackers a way to upload potentially dangerous files with other extensions. For this demo I am using DVWA as the vulnerable test application (see the reference links at the bottom for more info).

 

Step by step process:  

Step1:  

Open a text editor, paste the contents shown below and save the file to the desktop as malicious.php

Mohammed_Janiba_2-1655901940142.png

Step2: 

Open a browser and navigate to the application load balancer URL. Log in to the DVWA application using admin/password as the credentials. Click the “File Upload” option in the menu on the left.

 fileupload.jpg

Step3: 

This page is meant for uploading images with extensions such as .jpeg, .png and .gif. The demo application, however, has no file restrictions enabled, so attackers can upload a file with any extension.

Click the “Choose File” button and upload the .php file created above.

Mohammed_Janiba_14-1655903408664.png

Step4: 

Note the file location displayed in the message, open that URL in the browser and validate that the uploaded script executes and lists all the users, as below.

Mohammed_Janiba_13-1655903360489.png
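Scenario 2 succeeds because the upload handler trusts the client-supplied file name and never inspects the content, so a .php file is stored inside the web root and later executed. The following added example (not code from the original article or from DVWA) shows the server-side checks an upload handler should apply: an extension allowlist, a check that the content actually starts with the magic bytes of the declared image type, a scan for embedded server-side script markers, and storage under a random server-chosen name. The allowlist, marker list, sample bytes and directory are assumptions for illustration; the PHP sample is a harmless constructed string.

```python
import secrets
from pathlib import Path

# Assumed allowlist: declared extension -> magic bytes the content must start with.
ALLOWED_TYPES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Server-side script markers that have no business inside an image upload.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")

# Constructed sample inputs (a minimal JPEG header and a harmless PHP snippet).
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 16
PHP_SAMPLE = b"<?php echo 'hello'; ?>\n"


def validate_upload(filename: str, data: bytes):
    """Return (ok, reason). ok is True only when the extension is allowed AND
    the bytes match that type AND no script marker is embedded in the content."""
    ext = Path(filename).suffix.lower()          # only the suffix is consulted
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext or '(none)'} not allowed"
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match declared image type"
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "embedded script marker found"
    return True, "ok"


def store_upload(filename: str, data: bytes, upload_dir: Path) -> Path:
    """Store a validated upload under a random name chosen by the server.
    The client's file name (and any path components in it) never reaches disk;
    upload_dir is assumed to sit outside the web root so nothing is executable."""
    ok, reason = validate_upload(filename, data)
    if not ok:
        raise ValueError(reason)
    ext = Path(filename).suffix.lower()
    target = Path(upload_dir) / (secrets.token_hex(16) + ext)
    target.write_bytes(data)
    return target


if __name__ == "__main__":
    cases = [
        ("photo.jpg", JPEG_SAMPLE),                 # legitimate image
        ("malicious.php", PHP_SAMPLE),              # the Scenario 2 upload
        ("malicious.jpg", PHP_SAMPLE),              # renamed, content still PHP
        ("photo.jpg", JPEG_SAMPLE + PHP_SAMPLE),    # image header with PHP appended
        ("../../etc/x.png", JPEG_SAMPLE),           # traversal + wrong type
    ]
    for name, content in cases:
        print(f"{name:20s} -> {validate_upload(name, content)}")
```

Only the first case is accepted. Renaming the script to .jpg fails the magic-byte check, and appending it to a real image header fails the marker scan; both are the content-based checks that extension filtering alone misses. The WAF in Blocking mode provides the same class of protection at the edge, as shown in the Solution section.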

 

Solution:  

  1. To mitigate these attacks, navigate to the Firewall section and, in the “App Firewall” configuration, make sure “Enforcement Mode” is set to “Blocking”, as below:
    firewall.jpg
  2. Next, in the browser, try to generate the scenarios above and validate that each request is blocked, as below.
    Login mitigation:
    loginPage3.JPG
    Illegal file upload mitigation:
    fileuploadblock.jpg
    Illegal file execution mitigation:
    fileuploadblock2.jpg

  3. In the Distributed Cloud Console, expand the security event and check the WAF section to understand why the request was blocked.
    log.jpg

      

Conclusion:  

As shown above, OWASP Top 10 A01 Broken Access Control attacks can be mitigated by configuring the App Firewall in “Blocking” mode.

 

For further information click the links below: 

  1. OWASP - Broken access control
  2. File Upload Vulnerability
  3. OWASP Juice Shop
  4. DVWA
Last update: 08-Sep-2022 07:06