Access Control Vulnerabilities And Privil3ge Escalation Breakthrough!!!

A warm 32 (degree temperature) Hello to all my security researchers. Today I will be covering, Broken Access control vulnerabilities and privilege escalation.

INTRODUCTION

Access control vulnerabilities are basically flaws that let a user access restricted resources. By exploiting this vulnerability, attackers can circumvent standard security procedures and gain unauthorized access to sensitive information or systems. Access control is the act of imposing restrictions on who or what can perform certain actions or access specific resources.

In the case of web applications, access control relies on authentication and session management. Authentication is the process of verifying the user’s identity, session management keeps track of the user’s subsequent requests, and access control determines if the user has permission to perform a certain action.

Broken access controls are a common and serious security issue. The design and management of access controls is a complex problem that involves various factors such as business, organizational, and legal constraints. It requires human decision-making and there is a high risk of mistakes being made.

From a user perspective, access controls can be divided into the following categories:

• Vertical access controls

Vertical access controls are security measures that restrict access to specific areas of a system.

With vertical access controls, different users have different levels of access to different parts of the application. For example, an administrator might have access to everything, while a regular user doesn’t have access to those sorts of actions. Vertical access controls can be more granular implementations of security models that aim to enforce business policies, such as separation of duties and least privilege.

Now if a user can gain access to some functionality of an administrator or that they are not permitted to access, then is so-called vertical privilege escalation. For example- if a non-administrative user can in fact gain access to an admin page where they can delete user accounts, then this is vertical privilege escalation. Vertical privilege escalation arises where an application does not enforce any protection over sensitive functionality.

• Horizontal access controls

Horizontal access controls are mechanisms used to restrict access to resources to the users who are specifically allowed to access them.

Horizontal access controls allow different users to access a subset of resources of the same type, depending on their role or role group. For example, a banking application allows a user to view their own transactions and make payments from their own account, but not the accounts of any other user.

• Context-dependent access controls

Access controls vary depending on the context in which the application is being used.

Context-dependent access controls prevent a user from performing actions in a certain order, depending on the context of the situation. For example, a website might prevent users from editing their shopping cart after they have made a payment.

How It Works!!!

Access control is divided into three categories: read-only files, readable and writable data, and executable resources. However, these categories can differ based on the file type being used. It is important to follow the approved operating procedure and enforce precise multi-step protocols. The first step is to identify the ID of the subject, which tells the system who is requesting access.

Afterward, the next task involves determining the individual responsible for the inquiry, typically accomplished through an authentication procedure. If the authentication process is successful, the next step is to verify if the person making the request has the necessary authorization to access the requested resources. Additionally, the system determines the level of access that should be given to this person.

Lastly, it is important for the system to have audit mechanisms in place to identify and investigate any possible vulnerabilities. These mechanisms will enable the system to detect any attempts to circumvent access restrictions before they occur.

BROKEN ACCESS CONTROL

Broken access control is a security issue where unauthorized individuals can access data they should not have access to. Access control refers to the measures put in place to ensure that only certain users can access certain components. In any system, there are different people with different roles. Access control ensures that individuals can perform their roles freely, but not have access to the entire system.

When the system is compromised and anyone can gain unauthorized access, chaos ensues. Intruders can bypass security measures and gain the ability to expose confidential information, alter or delete data, or carry out unwanted actions in the business. Broken access control is currently the most significant web app security threat, and there have been numerous successful examples of it. Even small firms have been affected because they relied on unverified data, while even the largest online empires have been targeted by hackers who forcefully browse through their target URLs.

Broken access control refers to the failure of a web application to properly implement and maintain predetermined access rules. These rules can be categorized into three main areas from the perspective of the web application.

• Administrative access control refers to the protocols and policies in place to enforce security measures. This can include personnel protocols such as hiring procedures and background checks, as well as everyday policies.
• Technical access control, also known as logical access control, involves software and hardware restrictions to prevent unauthorized access. This includes measures like passwords, smart cards, and firewalls.
• Physical access control involves physical barriers like video cameras, gates, and locks to limit access to certain areas. While all three categories are important, we will primarily focus on the technical perspective.

Some Broken Access Control Examples!!

• Insecure ID’s : In databases, we often use unique IDs to search for specific data. These IDs are commonly included in the URL to indicate what information the user wants. For example, if I am logged in to a website and my user ID is 1337, my profile page URL will look like this: https://example.com/profile?id=1337. However, if the web server is not properly configured, someone could replace the ID with another user’s ID and access their sensitive data. This is an example of relying on secrecy for security, which is not considered a good practice. Instead, it is recommended to implement proper access control on the server to ensure that unauthorized users cannot access sensitive data.
• Forced Browsing : In most of the cases, it refers to the act of a user attempting to access resources that are not explicitly linked or referenced within an application. An example of this could be a web application that has an admin page, but does not provide any visible links to it on other parts of the website, e.g., visit https://example.com/admin. However, if a user manually enters the URL for the admin page, they may be able to access it if there are vulnerabilities in the access control system.
• Directory Traversal : When a website has different files stored, the server may expect a specific file name as a request parameter. For example, if there is a web application for reading short novels, the URL might include the file name in the query parameter, the URL might look like this: https://example.com/novels?file=novel5.txt. The server will then search for this file in a designated folder where all the novels are stored. However, this behavior can be exploited by attackers. They can manipulate the file parameter in the URL to navigate to directories outside the intended folder, eventually gaining access to sensitive files. An attacker could abuse this behavior, for example, by visiting the URL https://example.com/novels?file=../../../../../../etc/passwd .The repeated pattern of ../-s will eventually reach the root directory, and the attacker can access any file from there To prevent this, web servers should be configured to limit access to files they do not need. Another solution is to filter out any occurrences of “..” in the input parameter.
• Client side caching: Browsers keep a record of websites in their cache to speed up loading times when users revisit those sites. However, this can pose a security risk in shared computer environments like libraries or internet cafés. To protect sensitive data, developers can use HTML meta tags to stop browsers from storing it in the cache.

Impacts And Risk Of Broken Access Controls

If in an organization the access controls are not implemented properly or maintained then the most common problem is the data breaches. As the attacker can gain access to sensitive data, so this data can be maliciously used for fraud, theft and can be sold over dark web.

Furthermore, data breaches have the potential to harm an organization’s image and result in financial setbacks. If an organization’s access controls are not in compliance with regulatory requirements, they may face penalties or fines. Broken access controls can result in operational disruptions, as attackers can potentially disable or harm critical systems, causing extensive downtime and financial loss.

This can include copyrighted material, explicit or inappropriate content, or any other content that is deemed illegal or unethical to access or share. After gaining unauthorized access, attackers usually search the website for ways to increase their privileges.

During this process, they may access sensitive data belonging to both the system and its users, which can be obtained through illegal means such as the black market. If the attack is successful, the hacker can view, alter, or erase this sensitive data, causing harm to the company’s reputation, system performance, and availability.

Hackers take advantage of access vulnerabilities to gain privileged access to protected resources and services. Their main goal is to gain control over user accounts and potentially steal data or cause harm to the application hosting system.

Distributed Denial of Service (DDoS) refers to a type of cyber attack where multiple compromised devices are used to overwhelm a target system or network, causing it to become unavailable to legitimate users. Attackers can cause a system to crash by using multiple user accounts to send numerous requests.

They can also make the application inaccessible to authorized users by sending harmful content. Organizations face various risks if access controls are not correctly implemented or maintained. One of the major risks is data breaches, which can lead to misuse of sensitive information and harm the organization’s reputation and finances.

One consequence of broken access controls is that organizations may violate compliance regulations, such as HIPAA or PCI DSS, which could result in fines or penalties.

Therefore, it is important for organizations to have proper access controls in place to meet these requirements. Broken access controls can cause operational disruptions by allowing attackers to gain access to critical systems, potentially resulting in damage or disabling of the systems, leading to significant financial loss and downtime.

Before Protecting System we should know How to break it and how it is developed Right??

In order to effectively protect a system, it is important to first understand how it can be compromised. Therefore, let’s examine what can potentially break access control. There are various ways servers control access to resources, such as session cookies and JWT tokens. Before executing a request, the system checks if the user has permission to access the requested resources.

This is done through GET calls and different HTTP methods. However, developers can easily overlook securing all endpoints with all possible methods, leading to potential vulnerabilities. Access control is compromised when unauthorized individuals are able to gain access to something they are not supposed to have access to.

This usually occurs when developers fail to secure authorization protocols. A common example is when endpoints on websites display a “403 forbidden” error, but this can be bypassed by adding a specific header. Another common example is when old directories from the development phase are not deleted or protected as they should have been. Less experienced users may store passwords in plain text on their systems, making it easier for hackers to access other systems if the main system is compromised.

Sometimes, people use weak passwords that can be easily cracked, allowing unauthorized access. This refers to the absence of deliberate attempts to breach access control, which is a separate issue altogether.

Vertical bypassing of authorization control/Vertical privilege escalation

Privilege escalation refers to the action of a user increasing their access rights to gain entry to data or functions that are typically restricted.

This can occur either by moving to a higher level of privileges within their current role or by obtaining the same level of privileges as another user.

Vertical privilege escalation is a significant security risk as it enables users to bypass security measures and gain unauthorized access to sensitive information or perform actions they are not supposed to.

An instance of this vulnerability could involve a user with limited database access increasing their privileges to the administrator level, granting them the ability to freely delete or alter data. Vertical privilege escalation can occur in a few ways.

One common way is when users have excessive privileges or when privileges are not properly controlled.

For instance, if a user is added to an administrator group but not removed when they leave the company, they will still have access to sensitive information. Another way is through privilege escalation exploits, where a user takes advantage of system vulnerabilities to gain higher privileges.

https://developers.certcube.com/contributor/dashboard

​​​​​​​https://developers.certcube.com/admin/dashboard

Horizontal bypassing of authorization control/Horizontal privilege escalation

Horizontal privilege escalation occurs when a user obtains unauthorized access to data or performs actions that are restricted to other users at the same security level. This can happen when two users have access to the same file, but one user is not allowed to view the other user’s data, resulting in a horizontal escalation of privileges for that user. Horizontal privilege escalation is considered more dangerous than vertical privilege escalation because it is harder to detect and stop. When a user tries to access unauthorized data, it is noticeable in vertical escalation, but in horizontal escalation, users can gain higher privileges without drawing attention. Horizontal privilege escalation is often achieved through “pass-the-hash” attacks, where a malicious individual gains access to another user’s password hash and uses it to log in as that user. This enables the attacker to access the user’s data without needing their password. Also known as IDOR (explained below).

Let’s Talk About the IDOR And A Real-Life BAC Example!!

Insecure Direct Object References (IDOR):

There are various methods that malicious individuals can use to access the main hard coding in a web application. Some parts of this code can provide information about the organization and structure of the database. Skilled hackers can exploit this information to gather even more data. When logging into a website and viewing its main page, you notice a URL in the address bar.

https://random.net/index.php/view?account=4100

This appears to be a lengthy list of accounts, and you are identified as number 4100 in the database. Initially, the situation may not seem concerning. However, a malicious individual can easily gain unauthorized access to other users’ accounts by entering a different account number. It is quite common for the administrator’s account(s) to be assigned the first 1-10 numbers.

https://random.net/index.php/view?account=1

The incorrect users may have the ability to access administrator accounts. . In this scenario, hackers are taking advantage of object references to exploit web applications. Many web apps have default page names based on the MVC setup, which allows hackers to potentially access the source code of these web applications.

The given address is for a website where all pages have a file extension of .htm.

https://webdevsagainsthackers.net/against/default.aspx?content=about_us.htm

The hackers know that the default.aspx.cs part is the main page and might want to investigate further.

Using a null byte (./) attack, they can trick the browser’s code into believing that the URL’s complete. The string following the null byte lets attackers reveal what’s inside any written-in file:

https://webdevsagainsthackers.net/against/default.aspx?content=%20./default.aspx.cs%00.htm

In this scenario, the hackers have managed to gain access to the entire source code of default.aspx.cs. This could potentially happen with any default page name. Direct object references can also be found in error codes. Hackers can manipulate entries to discover potential exceptions or errors and gather more information to search in the URL.

Real-Life BAC

The Below is the Example of Snapchat and Facebook Business Pages. This below would make an attacker as administrator of the page. As you can guess, with this newfound privilege, they could deny access to the actual administrators/managers of the page.

Request :-

POST //userpermissions HTTP/1.1
 
Host : graph.facebook.com

Content-Length: 245

role=MANAGER&user=&business=&access_token=



Response :-

true

Detection+Tools

Access control weaknesses are often found because automated detection is lacking and application developers do not perform adequate functional testing. Automated testing is not effective in identifying access control issues, so manual testing is the recommended method for identifying problems such as incorrect HTTP methods or improper object references.

Access control is like a set of rules that make sure people can only do certain things. If these rules are not followed, bad things can happen, like people seeing or changing things they shouldn’t, or doing things they’re not supposed to do. Some ways that these rules can be broken are by changing the website address or using special tools to cheat, or by pretending to be someone else or a more important person. Other ways include bypassing access control checks by modifying the URL, internal application state, or the HTML page, or simply using a custom API attack tool., or getting into parts of the website that are supposed to be private. It’s also possible to access certain parts of the website even if you’re not allowed to, or to do things with the website that you’re not supposed to do.

Elevation of privilege. Acting as a user without being logged in, or acting as an admin when logged in as a user.

Metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) access control token or a cookie or hidden field manipulated to elevate privileges, or abusing JWT invalidation.

Some Popular solution or tools for identifying Broken Access Control are:-

• Crashtest Security Suite
• HDiv
• Immuniweb Discovery
• PortSwigger/Burp Suite
• Acunetix

Permissions Control Methods/Methods of access control

These are the general methods for implementing logical access control in a software system: 

Discretionary access control (DAC)

Discretionary access control is a system where the owner of data has control over who can access their resources. Users have full control over their own objects and attributes in this type of access control. Access to objects can be limited based on the identity of the user trying to access them. Operating systems typically use attributes like read, write, and execute to determine the permissions given to each user for a protected object.

In Linux systems, there are three permissions – read, write, and execute – that are assigned to files and directories. These permissions are granted by the root user to both the group and other users. This type of access control is known as DAC, where access to resources is determined by the user’s identity and the permissions they have been given. For instance, a user with read-only permissions can only view a file and cannot make any changes to it.

Role-based access control (RBAC)

In a complex system with multiple users and functions, discretionary access restrictions are not detailed enough to allow for clear and organized divisions. For example, human resources personnel should not have the ability to create network accounts. In this scenario, granting rights based on job roles instead of specific users or groups allows for more flexibility. For example, RBAC allows access based on job titles. RBAC greatly reduces the level of discretion required when giving access to objects. RBAC is a commonly used access control system in large organizations, where a user’s access to resources is determined by their role within the organization. The Lightweight Directory Access Protocol (LDAP) is a modern solution for implementing RBAC, and options like Red Hat Directory Server, OpenLDAP, and FreeIPA provide affordable and open source LDAP solutions.

Managed access control (MAC)

Managed access control (MAC) is not as commonly used as DAC but is frequently employed in high-security settings. MAC determines resource access based on resource classification, meaning that only users authorized to access resources of a certain classification can do so. In MAC, a central authority manages access permissions, providing added security for access and privilege management. MAC applies tags to system components and checks them against predetermined access control policies to determine if an operation should be allowed, regardless of other security restrictions. Modern Linux systems, such as Red Hat Enterprise Linux and Fedora, have implemented SELinux to offer Mandatory Access Control (MAC).

Permission Based Access Control (PBAC)

PBAC is a security measure that limits access to certain areas or resources based on a user’s permissions, preventing privilege escalation. Essentially, users can only access what they have been explicitly allowed to access.

How to prevent!!!

To ensure that access control is effective, it is important to implement trusted server-side code or server-less API to enforce it. This will help prevent hackers from tampering with the access control check or metadata.

In addition to that, you can take the following measures to avoid broken access control.

• Ensure that permissions are accurate by thoroughly checking each file.
• Follow the principle of least privilege, allowing only necessary individuals to edit specific files.
• Disable client-side caching on restricted pages to prevent unauthorized access.
• Avoid relying on hidden access control mechanisms, as they can be easily discovered by skilled attackers. Instead, protect sensitive pages with authentication.
• Even if there is no obvious button for users to access restricted pages, attackers can still find them. Relying on hiding the pages is not effective against skilled hackers. It is better to secure sensitive pages with authentication.
• By default, deny access to all functions, making it easier to manage permissions.
• Utilize access control lists and role-based authentication practices.
• Avoid giving meaningful names to target pages, as it aids intruders in identifying them. Instead, use key-value pairs referencing the objects.

It is not enough to just hide information to control access. Unless a resource is meant to be accessible to everyone, access should be denied by default. It is best to use one method throughout the application to enforce access controls. Developers should be required to specify the allowed access for each resource, and access should be denied by default. It is important to thoroughly check and test access controls to ensure they are functioning correctly.

For Developers

Let’s understand mitigation with coding examples.

Let’s look at how to ensure proper access control in a sample program. The example in this article is written in the Go programming language, which lacks native solutions for this issue. Some other frameworks provide specialized methods for implementing strong access control.

The following Go framework takes some action for users who have been authenticated. The code submits the user ID to a service named​​​​​​​ authenticationMiddleware to guarantee that only authorized users trigger ActionHandler:

e := echo.New()

e.POST("/action/:id", ActionHandler, authenticationMiddleware)

This access check might not be sufficient. Correct authorization must be maintained wherever the program provides access to resources to prevent a bypass. For instance, suppose the ActionHandler method invoked by the program offers access to a sensitive resource:

func ActionHandler(c echo.Context) error {

    id := c.Param("Id")

    resource := getResourceBy("Id")

    resource.Action()

    return c.String(http.StatusOK, "OK")

}

Developers of ActionHandler must make sure that access control checks are carried out before granting access:

func ActionHandler(c echo.Context) error {

    id := c.Param("id")

    resource := getResourceBy("id")

    if resource.Owner() != getOwnerFromContext(c) {

        return c.String(http.StatusUnauthorized, "User is not Authorized for this Action.")

    }

    resource.Action()

    return c.String(http.StatusOK, "OK")

}

Autorize

Burp Suite Extension tutorial

This is a tutorial on a Burp Suite Extension called Autorize, which helps with access control testing in application endpoints. The extension replicates requests with different sessions and also an unauthenticated session to check if the application is enforcing proper access controls. While it may still need human intelligence in some cases, it is a useful tool.

To set up this extension, you first need to go to the Autorize tab(1), on the right side of the screen and insert your low privileged user authorization token header in the text box that says “Insert injected header here”(2), then select your options above the mentioned text box(3) you can also intercept and change repeater requests in this checkbox. Make sure you have intercepted off in your burp and click the Autorize is off(4) button to turn it on and then start browsing the website.

The image below demonstrates the functioning of Autorize. If the image is green, it means the access control mechanism is functioning properly. If it is red, it indicates a vulnerability in the access control. If the image is yellow, it means Autorize cannot determine if there is a vulnerability or not. In this situation, you can set up a detector for lower privileged users and another for unauthenticated requests. Autorize will utilize these filters to make a more accurate assessment.

To learn more about autorize .Find it here .

References:-

• https://qawerk.com/blog/broken-access-control/
• https://avatao.com/blog-broken-access-control/
• https://developers.redhat.com/articles/2022/12/08/how-prevent-broken-access-control#examples_of_broken_access_control
• https://www.polar.security/post/a-step-by-step-guide-to-broken-access-control-attacks
• https://www.eccouncil.org/cybersecurity-exchange/web-application-hacking/broken-access-control-vulnerability/
• https://medium.com/stolabs/what-are-access-control-vulnerabilities-and-how-to-find-them-241cecf3a609

Read our Previous Blogs.

If you enjoyed this blog post, share it with your friends and colleagues!!