WEBVTT

00:00:00.000 --> 00:00:06.980 align:middle line:90%


00:00:06.980 --> 00:00:09.710 align:middle line:84%
Welcome to Broken
Access Control session.

00:00:09.710 --> 00:00:13.130 align:middle line:84%
In this first part, we will
focus on threat analysis.

00:00:13.130 --> 00:00:15.460 align:middle line:84%
We will take our time to dig
into access control flaws

00:00:15.460 --> 00:00:17.720 align:middle line:84%
details, and then
we will discuss

00:00:17.720 --> 00:00:19.760 align:middle line:84%
how the system can
be harmed, the impact

00:00:19.760 --> 00:00:21.950 align:middle line:84%
of successful
exploitation, and give you

00:00:21.950 --> 00:00:25.880 align:middle line:84%
some insights to identify who
may want to harm your system.

00:00:25.880 --> 00:00:27.800 align:middle line:84%
Authentication
and access control

00:00:27.800 --> 00:00:30.140 align:middle line:84%
are often combined into
a single operation,

00:00:30.140 --> 00:00:32.270 align:middle line:84%
causing a serious
misunderstanding regarding

00:00:32.270 --> 00:00:34.070 align:middle line:90%
control boundaries.

00:00:34.070 --> 00:00:36.920 align:middle line:84%
We have already discussed
authentication flaws.

00:00:36.920 --> 00:00:40.520 align:middle line:84%
In this session, we will just
focus on authorization, whereby

00:00:40.520 --> 00:00:43.310 align:middle line:84%
the system makes a decision
to grant or reject access

00:00:43.310 --> 00:00:45.230 align:middle line:84%
to requested resources
from an already

00:00:45.230 --> 00:00:49.720 align:middle line:84%
authenticated user based on what
the user is authorized to do.

00:00:49.720 --> 00:00:53.210 align:middle line:84%
Anonymous users are also
subject to access control.

00:00:53.210 --> 00:00:55.910 align:middle line:84%
Although the system is not
able to check their identity,

00:00:55.910 --> 00:00:58.070 align:middle line:84%
authorization checks
should be performed

00:00:58.070 --> 00:01:02.450 align:middle line:84%
just like for any other
user or user role.

00:01:02.450 --> 00:01:04.879 align:middle line:84%
To make sure that
there is no doubt,

00:01:04.879 --> 00:01:09.100 align:middle line:84%
authorization and authentication
are two different things.

00:01:09.100 --> 00:01:11.200 align:middle line:84%
There are several
access control models,

00:01:11.200 --> 00:01:14.440 align:middle line:84%
but role-based access control
is the most common one in web

00:01:14.440 --> 00:01:17.740 align:middle line:84%
applications since it addresses
most commercial and government

00:01:17.740 --> 00:01:19.870 align:middle line:90%
organizations' needs.

00:01:19.870 --> 00:01:22.360 align:middle line:84%
Role-based access control
is defined around roles--

00:01:22.360 --> 00:01:25.270 align:middle line:84%
such as anonymous user,
customer, or admin--

00:01:25.270 --> 00:01:27.940 align:middle line:84%
and privileges, or
what they can do--

00:01:27.940 --> 00:01:30.460 align:middle line:84%
read, write, update,
or delete some resource

00:01:30.460 --> 00:01:32.600 align:middle line:90%
or execute some function.

00:01:32.600 --> 00:01:34.270 align:middle line:84%
This may sound
simple, but it tends

00:01:34.270 --> 00:01:36.250 align:middle line:84%
to become complex
when we start adding

00:01:36.250 --> 00:01:39.220 align:middle line:84%
role hierarchy or
fine-grained privileges.

00:01:39.220 --> 00:01:41.680 align:middle line:84%
Better than showing
complex data flow diagrams,

00:01:41.680 --> 00:01:43.840 align:middle line:84%
we will exploit different
authorization niches

00:01:43.840 --> 00:01:46.540 align:middle line:84%
in our intentionally
vulnerable application.

00:01:46.540 --> 00:01:49.180 align:middle line:84%
Access control mechanisms
of all applications

00:01:49.180 --> 00:01:51.580 align:middle line:84%
left running
publicly accessible

00:01:51.580 --> 00:01:56.230 align:middle line:84%
tend to be broken or outdated,
thus easier to exploit.

00:01:56.230 --> 00:01:58.090 align:middle line:84%
Some applications
rely on obscurity

00:01:58.090 --> 00:02:01.210 align:middle line:84%
to hide administrative
endpoints from regular users,

00:02:01.210 --> 00:02:04.180 align:middle line:84%
assuming that only
admins know the address.

00:02:04.180 --> 00:02:07.360 align:middle line:84%
Some guesswork and available
wordlists and automatic tools

00:02:07.360 --> 00:02:09.789 align:middle line:84%
are enough to uncover
such endpoints.

00:02:09.789 --> 00:02:11.500 align:middle line:84%
Parameter pollution
is a technique

00:02:11.500 --> 00:02:13.810 align:middle line:84%
that may allow attackers
to bypass access control

00:02:13.810 --> 00:02:15.700 align:middle line:84%
mechanisms just
by playing around

00:02:15.700 --> 00:02:18.220 align:middle line:84%
with URL query string
parameters, cookies,

00:02:18.220 --> 00:02:20.360 align:middle line:90%
or request body.

00:02:20.360 --> 00:02:22.610 align:middle line:84%
Some business logic
requires actions to be

00:02:22.610 --> 00:02:24.680 align:middle line:90%
performed in a certain order.

00:02:24.680 --> 00:02:27.800 align:middle line:84%
Since it should be stateless,
it is up to the backend

00:02:27.800 --> 00:02:30.740 align:middle line:84%
to track whether those actions
are performed in the required

00:02:30.740 --> 00:02:31.670 align:middle line:90%
order.

00:02:31.670 --> 00:02:34.280 align:middle line:84%
Messing with actions order
may trick the access control

00:02:34.280 --> 00:02:35.640 align:middle line:90%
mechanism.

00:02:35.640 --> 00:02:37.920 align:middle line:84%
Accessing other
users' data may expose

00:02:37.920 --> 00:02:42.120 align:middle line:84%
sensitive data, such as PII and
financial or health records.

00:02:42.120 --> 00:02:43.860 align:middle line:84%
Compromising admin
level functions

00:02:43.860 --> 00:02:46.980 align:middle line:90%
may expose all user data.

00:02:46.980 --> 00:02:49.500 align:middle line:84%
If privileged levels
do not distinguish

00:02:49.500 --> 00:02:53.100 align:middle line:84%
users who can only view data,
and those who can modify it,

00:02:53.100 --> 00:02:56.200 align:middle line:84%
then attackers may be able
to modify other users' data,

00:02:56.200 --> 00:02:59.010 align:middle line:84%
creating some sort of
inconsistency or severe data

00:02:59.010 --> 00:03:00.570 align:middle line:90%
loss.

00:03:00.570 --> 00:03:03.420 align:middle line:84%
Sometimes, attackers
manage to execute actions

00:03:03.420 --> 00:03:06.900 align:middle line:84%
as other users or even
higher level functions.

00:03:06.900 --> 00:03:09.600 align:middle line:84%
If the system fails to
distinguish malicious activity

00:03:09.600 --> 00:03:11.700 align:middle line:84%
from a legit one,
then attackers will

00:03:11.700 --> 00:03:14.490 align:middle line:84%
be able to perpetrate
all sorts of fraud.

00:03:14.490 --> 00:03:17.250 align:middle line:84%
As with several other flaws
we have already discussed,

00:03:17.250 --> 00:03:20.370 align:middle line:84%
access control ones not only
allow attackers to access data,

00:03:20.370 --> 00:03:23.280 align:middle line:84%
but also execute
actions on users' behalf.

00:03:23.280 --> 00:03:25.680 align:middle line:84%
Just considering the
confidential or sensitive data

00:03:25.680 --> 00:03:29.190 align:middle line:84%
exposure issue, you should
think about who, individuals

00:03:29.190 --> 00:03:31.890 align:middle line:84%
or organizations, may
benefit from accessing

00:03:31.890 --> 00:03:33.090 align:middle line:90%
your users' data.

00:03:33.090 --> 00:03:37.500 align:middle line:84%
Nation states, competitors, or
activists may be among them.

00:03:37.500 --> 00:03:40.110 align:middle line:84%
The ability to execute
actions on users' behalf

00:03:40.110 --> 00:03:42.240 align:middle line:90%
is attractive to fraudsters.

00:03:42.240 --> 00:03:44.850 align:middle line:84%
Depending on what administrative
functionalities your system

00:03:44.850 --> 00:03:48.420 align:middle line:84%
has, malicious actors may be
able to hijack the whole system

00:03:48.420 --> 00:03:50.400 align:middle line:84%
or take advantage
of it to perpetrate

00:03:50.400 --> 00:03:53.490 align:middle line:84%
other attacks against other
systems of yours or even

00:03:53.490 --> 00:03:56.490 align:middle line:90%
third party ones.

00:03:56.490 --> 00:03:59.040 align:middle line:84%
You'll find this table
in the OWASP Top 10.

00:03:59.040 --> 00:04:03.020 align:middle line:84%
Pause the video and take your
time to carefully read it.

00:04:03.020 --> 00:04:05.670 align:middle line:84%
In the next part, we will
exploit several access control

00:04:05.670 --> 00:04:08.060 align:middle line:84%
flaws in order to access
some sensitive data

00:04:08.060 --> 00:04:11.110 align:middle line:84%
and execute
administrative functions.

00:04:11.110 --> 00:04:12.000 align:middle line:90%