WEBVTT 00:00:00.000 --> 00:00:07.920 align:middle line:90% 00:00:07.920 --> 00:00:10.680 align:middle line:84% Welcome to the third and last part of Broken Access Control 00:00:10.680 --> 00:00:12.090 align:middle line:90% session. 00:00:12.090 --> 00:00:14.790 align:middle line:84% In this part, we will discuss broken access control 00:00:14.790 --> 00:00:16.320 align:middle line:90% mitigation. 00:00:16.320 --> 00:00:17.970 align:middle line:84% We will start discussing what makes 00:00:17.970 --> 00:00:19.800 align:middle line:84% an application vulnerable, and then we 00:00:19.800 --> 00:00:23.160 align:middle line:84% will hunt OWASP Juice Shop vulnerable source code. 00:00:23.160 --> 00:00:25.680 align:middle line:84% Before closing this session, we will discuss how 00:00:25.680 --> 00:00:27.990 align:middle line:90% to avoid such vulnerabilities. 00:00:27.990 --> 00:00:30.990 align:middle line:84% In our target application, managing customer feedback 00:00:30.990 --> 00:00:33.780 align:middle line:84% are actions reserved to administrators. 00:00:33.780 --> 00:00:36.330 align:middle line:84% We saw that directly requesting specific routes 00:00:36.330 --> 00:00:39.060 align:middle line:84% or manipulating data to be verb, we could 00:00:39.060 --> 00:00:41.040 align:middle line:90% execute those same actions. 00:00:41.040 --> 00:00:44.340 align:middle line:84% Some applications address that because addresses to access 00:00:44.340 --> 00:00:46.620 align:middle line:90% specific pages are not known. 00:00:46.620 --> 00:00:49.740 align:middle line:84% They are reserved to those who knows the URL. 00:00:49.740 --> 00:00:52.560 align:middle line:84% Security through obscurity is a misconception, 00:00:52.560 --> 00:00:55.050 align:middle line:84% and there are plenty of word lists and automatic tools 00:00:55.050 --> 00:00:58.830 align:middle line:84% to help uncovering such hidden addresses. 00:00:58.830 --> 00:01:02.130 align:middle line:84% Misconfigured cross origin resource sharing policies 00:01:02.130 --> 00:01:06.030 align:middle line:84% may allow access to resources from unauthorized origins. 00:01:06.030 --> 00:01:08.130 align:middle line:84% In such situations, attackers who 00:01:08.130 --> 00:01:09.810 align:middle line:84% are able to drive victims to visit 00:01:09.810 --> 00:01:11.970 align:middle line:84% the website under their control will 00:01:11.970 --> 00:01:14.490 align:middle line:84% be able to interact with the application behind the scene 00:01:14.490 --> 00:01:17.030 align:middle line:90% and on victim's behalf. 00:01:17.030 --> 00:01:21.260 align:middle line:84% If untrusted data, just as well is from cookies or even fields, 00:01:21.260 --> 00:01:24.290 align:middle line:84% drive access control decisions, then the application 00:01:24.290 --> 00:01:26.660 align:middle line:90% is likely vulnerable. 00:01:26.660 --> 00:01:29.840 align:middle line:84% Let's review Juice Shop vulnerable source code. 00:01:29.840 --> 00:01:32.720 align:middle line:84% From project's page, we will jump to the GitHub repo. 00:01:32.720 --> 00:01:41.240 align:middle line:90% 00:01:41.240 --> 00:01:44.120 align:middle line:84% First, we want to see how the feedback's API endpoint is 00:01:44.120 --> 00:01:46.310 align:middle line:90% set up in the server.js file. 00:01:46.310 --> 00:02:10.110 align:middle line:90% 00:02:10.110 --> 00:02:12.740 align:middle line:84% Regardless, the HTTP verb, when the request 00:02:12.740 --> 00:02:16.250 align:middle line:84% is made to the feedback's API endpoint with an identifier, 00:02:16.250 --> 00:02:20.600 align:middle line:84% the isAuthorized method of the Insecurity library is called. 00:02:20.600 --> 00:02:22.688 align:middle line:90% Let's check its implementation. 00:02:22.688 --> 00:03:12.360 align:middle line:90% 00:03:12.360 --> 00:03:14.340 align:middle line:84% isAuthorized is a simple function that 00:03:14.340 --> 00:03:16.590 align:middle line:90% calls the expressJWT function. 00:03:16.590 --> 00:03:27.330 align:middle line:90% 00:03:27.330 --> 00:03:31.990 align:middle line:84% The expressJWT function is provided by the npm expressJWT 00:03:31.990 --> 00:03:32.490 align:middle line:90% package. 00:03:32.490 --> 00:04:00.370 align:middle line:90% 00:04:00.370 --> 00:04:03.250 align:middle line:84% According to the documentation, this package 00:04:03.250 --> 00:04:06.370 align:middle line:84% does nothing else than validate the JSON web token. 00:04:06.370 --> 00:04:08.440 align:middle line:84% No ownership validation is performed 00:04:08.440 --> 00:04:11.050 align:middle line:84% upon the requested resources, and this 00:04:11.050 --> 00:04:13.360 align:middle line:84% is why we were able to access and delete 00:04:13.360 --> 00:04:14.365 align:middle line:90% other users feedback. 00:04:14.365 --> 00:04:17.550 align:middle line:90% 00:04:17.550 --> 00:04:20.730 align:middle line:84% Let's see if there's something else in the server.js file. 00:04:20.730 --> 00:05:01.720 align:middle line:90% 00:05:01.720 --> 00:05:05.500 align:middle line:84% Requests to create, retrieve, and delete feedback records 00:05:05.500 --> 00:05:08.380 align:middle line:84% are passed directly to the Feedback model. 00:05:08.380 --> 00:05:10.196 align:middle line:90% Let's see its implementation. 00:05:10.196 --> 00:05:39.980 align:middle line:90% 00:05:39.980 --> 00:05:42.620 align:middle line:84% The implementation has no additional access control 00:05:42.620 --> 00:05:43.430 align:middle line:90% validations. 00:05:43.430 --> 00:05:48.820 align:middle line:90% 00:05:48.820 --> 00:05:51.160 align:middle line:84% Let's discuss how to prevent this type of loss. 00:05:51.160 --> 00:05:53.950 align:middle line:90% 00:05:53.950 --> 00:05:57.240 align:middle line:84% You should always follow the principle of least privilege. 00:05:57.240 --> 00:06:00.450 align:middle line:84% In particular, abstraction layer of a computing environment, 00:06:00.450 --> 00:06:03.060 align:middle line:84% every module, such as a user, must 00:06:03.060 --> 00:06:05.880 align:middle line:84% be able to access only the information and resources 00:06:05.880 --> 00:06:08.880 align:middle line:84% that are necessary for its legitimate purpose. 00:06:08.880 --> 00:06:13.060 align:middle line:84% Deny access by default except for public resources. 00:06:13.060 --> 00:06:16.080 align:middle line:84% Building and using a centralized access control mechanism 00:06:16.080 --> 00:06:19.530 align:middle line:84% will make your life easier not only managing privileges, 00:06:19.530 --> 00:06:22.515 align:middle line:84% but also discovering and fixing bugs. 00:06:22.515 --> 00:06:25.560 align:middle line:84% Log access control failures with enough details 00:06:25.560 --> 00:06:27.660 align:middle line:84% and alert the administrators so that they 00:06:27.660 --> 00:06:30.800 align:middle line:84% can act in a timely fashion when required. 00:06:30.800 --> 00:06:33.360 align:middle line:84% Implement rate limiting to minimize the amount of data 00:06:33.360 --> 00:06:36.960 align:middle line:84% exposed by a single endpoint in case of a broken access control 00:06:36.960 --> 00:06:38.370 align:middle line:90% issue. 00:06:38.370 --> 00:06:40.440 align:middle line:84% In our next session, we will discuss 00:06:40.440 --> 00:06:42.730 align:middle line:90% security misconfiguration. 00:06:42.730 --> 00:06:45.360 align:middle line:84% Until then, take your time to carefully read 00:06:45.360 --> 00:06:49.230 align:middle line:84% the Broken Access Control section of OWASP Top 10. 00:06:49.230 --> 00:06:51.000 align:middle line:90%