29-Jun-2022 05:00 - edited 21-Jun-2023 23:15
This article continues the OWASP Top 10 series and covers Broken Access Control. Check here for the overview article.
Access control enforces policy so that users cannot act outside their intended permissions. Also called authorization, it allows or denies access to your application's features and resources. Misuse of access control enables:
There are many ways to abuse broken access control against application servers; this article focuses on the two scenarios below and on how to mitigate them.
Instead of logging in with valid credentials, the attacker uses SQL injection to log in as another user, either a standard account or a higher-privileged one such as admin. This is also a form of broken authentication, because the attacker authenticates to the system through the injection without ever supplying valid credentials. (In OWASP Top 10 2021 terms the injection itself is A03 and the login bypass A07; acting as a user you are not entitled to be is the access-control failure.)
For this demo I am using OWASP Juice Shop (see the reference links at the bottom for more information).
Step 1:
Follow the steps in Article1 to configure the HTTP load balancer and WAF in the cloud console. Make sure the WAF is in Monitoring mode, so the attack is logged but not blocked and the demo can go through.
Step 2:
Open a browser and navigate to the login page through the load balancer. In the Email field enter “' OR true --” and any password, as below. The quote closes the email literal, OR true makes the WHERE clause match every user, and -- comments out the rest of the query, including the password check; the first matching row is the administrator account.
Step 3:
Validate that you are logged in to the application as administrator, as below:
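To see why the payload in Step 2 works, here is an added example (not part of the original article and not Juice Shop's own code) that reproduces the vulnerable login lookup in Python against an in-memory SQLite database, next to the parameterized version that fixes it. The table layout, the two sample users and the hashing are constructed for the demo; the only thing that matters is the string-concatenated WHERE clause versus the bound parameters.

```python
import hashlib
import sqlite3

# Constructed demo data (not Juice Shop's real user table). The first row is the
# administrator, which is why a WHERE clause that matches every row logs you in as admin.
USERS = [
    (1, "admin@juice-sh.op", "admin123", "admin"),
    (2, "jim@juice-sh.op", "ncc-1701", "customer"),
]


def hash_password(password: str) -> str:
    # The hash algorithm is irrelevant to the bypass: the payload comments the
    # password comparison out of the query entirely.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER, email TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?, ?, ?)",
        [(uid, email, hash_password(pw), role) for uid, email, pw, role in USERS],
    )
    return conn


def vulnerable_query(email: str, password: str) -> str:
    """Builds the login query the way the vulnerable app does: by string concatenation."""
    return (
        "SELECT id, email, role FROM Users "
        f"WHERE email = '{email}' AND password = '{hash_password(password)}'"
    )


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str):
    """Returns the matched (id, email, role) row, or None. Injectable."""
    return conn.execute(vulnerable_query(email, password)).fetchone()


def login_safe(conn: sqlite3.Connection, email: str, password: str):
    """Same lookup with bound parameters: the input is treated as data, never as SQL."""
    return conn.execute(
        "SELECT id, email, role FROM Users WHERE email = ? AND password = ?",
        (email, hash_password(password)),
    ).fetchone()


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR true --"  # the Email field value from Step 2
    print(vulnerable_query(payload, "whatever"))
    print("vulnerable:", login_vulnerable(conn, payload, "whatever"))
    print("safe:      ", login_safe(conn, payload, "whatever"))
```

Running it prints the query that actually reaches the database, `... WHERE email = '' OR true --' AND password = '...'`, and shows the concatenated version returning the admin row while the parameterized version returns nothing, because the whole payload is compared against the email column as a literal string.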
Any file capable of harming the server is a malicious file. For example, a PHP file that calls dangerous functions such as exec() can be considered malicious, because these functions execute OS commands and can give an attacker remote control of the application server.
Suppose the web application has a file upload feature that is supposed to accept only JPEG files. If the server fails to enforce restrictions on the uploaded file's properties (extension, content type, contents), an attacker can upload files with other extensions, including server-side scripts that the web server will execute. For this demo I am using DVWA as the vulnerable test application (see the reference links at the bottom for more information).
Step 1:
Open a text editor, paste the contents below and save the file to the desktop as malicious.php
Step 2:
Open a browser and navigate to the load balancer URL. Log in to DVWA with admin/password as the credentials, then click “File Upload” in the menu on the left.
Step 3:
This page is meant for uploading images (.jpeg, .png, .gif, etc.), but the demo application does not validate the uploaded file's extension or contents, so an attacker can upload a file with any extension.
Click “Choose File” and upload the .php file created above.
Step 4:
Note the upload location shown in the success message, open that URL in the browser and validate that the script runs and lists all the users, as below. The file was stored under the web root with its .php extension intact, so the server executes it as code instead of serving it as an image.
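The server-side fix for this scenario is to validate the upload by its contents and never store it under the client-supplied name. The following is an added example (not part of the original article and not DVWA's code) of such a check in Python; the allowlist, size limit and image signatures are assumptions chosen for the demo, and the sample inputs are constructed.

```python
import secrets
from pathlib import Path
from typing import Optional

# What the upload handler is supposed to accept: images only (demo allowlist).
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024

# Leading bytes of the accepted formats, checked against the file contents, not the name.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def sniff_image_extension(data: bytes) -> Optional[str]:
    """Returns the canonical extension for the detected image format, or None."""
    for magic, ext in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def validate_upload(client_filename: str, data: bytes) -> str:
    """Validates an upload and returns the name to store it under.

    The client-supplied name is used for exactly one thing: its final extension,
    which must be on the allowlist. Everything else about it (directory components,
    extra dots as in shell.php.jpg) is discarded, because the file is stored under
    a random server-chosen name.
    """
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")

    ext = Path(client_filename).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if ext == ".jpeg":
        ext = ".jpg"

    # The content check is what stops malicious.php renamed to photo.jpg: a PHP
    # script does not start with an image signature. It does not stop a real image
    # with PHP appended (a polyglot); the random name plus an upload directory with
    # script execution disabled is what makes that harmless.
    sniffed = sniff_image_extension(data)
    if sniffed is None:
        raise UploadRejected("content is not a recognised image")
    if sniffed != ext:
        raise UploadRejected(f"content is {sniffed} but name says {ext}")

    return secrets.token_hex(16) + ext


def is_accepted(client_filename: str, data: bytes) -> bool:
    """Yes/no wrapper around validate_upload."""
    try:
        validate_upload(client_filename, data)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed sample inputs for the demo.
    php_script = b"<?php echo 'hello'; ?>"
    tiny_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 12
    for name, data in [
        ("malicious.php", php_script),   # wrong extension
        ("malicious.jpg", php_script),   # renamed: extension ok, content is not an image
        ("shell.php.jpg", php_script),   # double extension: content check fails anyway
        ("../../photo.jpg", tiny_jpeg),  # traversal in the name is ignored, random name used
        ("holiday.JPEG", tiny_jpeg),     # legitimate upload
    ]:
        print(f"{name:16} -> {'accepted' if is_accepted(name, data) else 'rejected'}")
```

Paired with a web-server configuration that serves the upload directory without any script handler, this makes an uploaded PHP file a dead end even if a check is later bypassed: the file can be downloaded, but never executed.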
As shown above, these OWASP Top 10 Broken Access Control attacks can be mitigated by switching the WAF to “Blocking” mode, which rejects the requests that Monitoring mode only logged. The WAF is a compensating control, though: the root causes, a SQL query built by string concatenation and an upload handler that trusts the client's file name, should still be fixed in the application itself.