Mitigating OWASP Web Application Risk: Broken Access attacks using F5 Distributed Cloud Platform

This article is in continuation of the owasp series and will cover broken access control. Check here for overview article.

 

Introduction to Broken Access Control attack: 

Access controls enforces policy such that users cannot act outside of their intended permissions. Also called authorization, allows or denies access to your application's features and resources. Misuse of access control enables: 

1. Unauthorized access to sensitive information. 
2. Privilege escalation. 
3. Illegal file executions. 

There are many ways to infiltrate application servers using broken access controls and we are going to focus on the 2 scenarios below and how to mitigate them.  

 

Scenario 1: Broken access + SQL injection attack 

Instead of logging with valid credentials, attacker uses SQL injection attacks to login as another standard or higher privileged user, like admin. We can also say this is broken authentication, because an attacker authenticated to a system using injection attack without providing valid credentials. 

For this demo I am using OWASP Juice shop (reference links at bottom for more info). 

Step1:  

Please follow steps suggested in Article1 to configure HTTP load balancer and WAF in cloud console. Make sure WAF is configured in Monitoring mode to generate the attack. 

Step2:  

Open a browser and navigate to the login page of the application load balancer. In the Email field provide “' OR true --” and any password as below: 

Step3:  

Validate you can login to application as administrator as below:

 

Scenario2: File upload vulnerability 

Any file which has the capability to harm the server is a malicious file. For example, a php file which has some dangerous php functions like exec () can be considered as a malicious file as these functions can execute OS command and can remotely provide us the control of the application server.  

Suppose there is a file upload functionality in the web application and only jpeg extension file is allowed to be uploaded. Failing to properly enforce access restrictions on file properties can lead to broken access control attacks providing attackers a way to upload potentially dangerous files with different extensions. For this demo I am using DVWA as the vulnerable testing application (reference links at bottom for more info). 

 

Step by step process:  

Step1:  

Open a notepad editor and paste below contents and save to desktop as malicious.php 

Step2: 

Open a browser and navigate to the application load balancer URL. Login to DVWA application using admin/password as the credentials. Click on “File Upload” option in left side of the menu section. 

 

Step3: 

This page is used to upload images with extensions .jpeg, .png, .gif etc. But this demo application doesn’t have file restrictions enabled making attackers to upload any file extensions.  

Click on “Choose File” button and upload above created .php file. 

Step4: 

Note the location displayed in the message, open the URL in the browser and validate we can see all the users available as below. 

 

Solution:  

1. To mitigate these attacks, navigate to Firewall section and in “App Firewall” configuration make sure “Enforcement Mode” is set to “Blocking” as below:
   
   
2.  Next in browser try to generate above scenarios and validate your request is blocked as below. 
   Login Mitigation: 
   
   Illegal File Upload mitigation: 
   
   Illegal File Execution mitigations: 
   
   
3. In Distributed Cloud Console expand the security event and check the WAF section to understand the reason why request was blocked.
   
   

     

Conclusion:  

As shown above, OWASP Top 10: Broken access control attacks can be mitigated by configuring WAF firewall in “Blocking” mode. 

 

For further information click the links below: 

1. OWASP - Broken access control
2. File Upload Vulnerability
3. OWASP Juice Shop
4. DVWA