Understanding Flawed User Access Controls and Privilege Escalation: Part 1 - Andmp | A blog about infosec, bug hunting and more!


Tuesday, 21 August 2018

Understanding Flawed User Access Controls and Privilege Escalation: Part 1

Brief Overview -

OWASP still regards privilege escalation and access control bugs as capable of ruthlessly destroying your application. Consider a saboteur eyeing your insider information: for example, a moderator of an ecommerce forum gains access to its customer database through flawed user access controls. That is "vertical escalation", since that capability should have been assigned only to users with the "Administrator" permission set.
Similarly, there are a plethora of real-world cases in which authentication may have been taken seriously, but security beyond authentication was taken for granted and left neglected. So SQLi isn't really the sole challenge you are going to face after deployment; there are various other bugs one might never have thought about.
That was a quick rundown of what I have written and the purpose behind it. In the course of my research I have found a handful of sites which never took user access controls seriously, and never would. The prime motivation behind this series of articles is to break the common myths and assumptions developers have about the security of their applications, and to show how they often go amiss and fail to secure their apps on the battleground (the production app).

About this Series of Articles

This series of articles will focus on real-world testing of privilege escalation and user access controls. By the end of the series, one should have a clear picture of these attacks, of how existing security checks get circumvented, and of how to prevent this class of attack in their own applications.

Technical Glance

Practical examples from my tests conducted on the apps of different big organizations will be provided in the next part(s) of this article as well.
I will cover bugs like user id manipulation, extrapolation, IDOR and more.
Keep in mind the idea of analysing "anti-forensic" strategies while delving deeper into APTs, or in the industry's language, "Advanced Persistent Threats".

What are Access Controls and Privilege Escalation?

Access control is the property that governs users and their actions. Simply put, access controls are used to constrain what a user may do according to their role and its powers.

As an analogy, think of a WordPress blog, where there are distinct levels of authority, or roles, for an administrator and for a moderator. Take the whole set of administrative authorities to be a superset "S", the WordPress administrator's role set; the moderator's access controls then form a subset, say "M", of the administrative superset "S". If we don't clearly define these sets of roles, problems arise. An administrator, for example, can assign user roles, change the site theme and appearance, and perform other major tasks, and these can be disastrous to the business if a moderator turns out to be a rogue one and takes advantage of the flawed user access controls to escalate privileges and perform malicious actions in the application's context. In the case of forums and other social platforms built on the WordPress CMS, or on any other custom CMS or framework, the risk is higher still.
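The following is an added example, not code from the original post, that models the superset/subset role analogy above as explicit capability sets and contrasts the flawed check the post warns about (authentication only) with a deny-by-default authorization check. Role names, capability names and the customer-database action are assumed for illustration.

```python
# Added example: role sets "S" (administrator) and "M" (moderator) from the
# WordPress analogy, with a flawed and a hardened authorization check.
# All role and capability names are constructed for illustration.
from dataclasses import dataclass

# Superset "S": everything an administrator may do.
ADMIN_CAPS = frozenset({
    "read_posts", "moderate_comments", "edit_theme",
    "assign_roles", "export_customer_db",
})
# Subset "M": what a moderator may do. Must satisfy M <= S.
MODERATOR_CAPS = frozenset({"read_posts", "moderate_comments"})

ROLE_CAPS = {"administrator": ADMIN_CAPS, "moderator": MODERATOR_CAPS}


def roles_well_defined() -> bool:
    """Sanity check for the analogy: the moderator set is a subset of S."""
    return MODERATOR_CAPS <= ADMIN_CAPS


@dataclass
class User:
    name: str
    role: str
    authenticated: bool = True


class AccessDenied(Exception):
    pass


def flawed_authorize(user: User, action: str) -> bool:
    """The mistake the post describes: only authentication is checked, so
    any logged-in user (a rogue moderator included) can do anything."""
    return user.authenticated


def authorize(user: User, action: str) -> bool:
    """Deny by default; allow only if the action is in the role's own set."""
    if not user.authenticated:
        return False
    return action in ROLE_CAPS.get(user.role, frozenset())


def export_customer_db(user: User) -> str:
    """Admin-only operation guarded by the hardened check."""
    if not authorize(user, "export_customer_db"):
        raise AccessDenied(f"{user.name} ({user.role}) may not export customers")
    return "customers.csv"  # constructed placeholder result
```

With the flawed check a moderator passes for "export_customer_db" (vertical escalation); with the hardened check only the administrator does.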

Coming back to privilege escalation

OWASP's definition of privilege escalation:
Privilege escalation occurs when a user gets access to more resources or functionality than they are normally allowed, and such elevation or changes should have been prevented by the application. This is usually caused by a flaw in the application. The result is that the application performs actions with more privileges than those intended by the developer or system administrator.
This gives us an idea of what privilege escalation looks like, and should clarify the concepts of "lateral escalation", "vertical escalation" and "horizontal escalation". If not, wait for the next set of articles, which will explain these ideas in depth.

Keep an eye on the upcoming articles in this series, which will include:

  1. More about lateral, vertical and horizontal privilege escalation
  2. Testing for specific scenarios within your application like user group manipulation for example
  3. Real world examples from private and public sources on these attacks at work when exploited on sufficiently big organizations like Facebook along with special focus on API-based Security testing and privilege escalation bugs that have appeared in large-scale APIs
