2. What's the concept about?
Privileges are loosely assigned, so users or processes end up with more privileges than they actually require.
What could happen?
Users could execute actions they should not be able to perform as part of their normal operations. Malicious software run by accident by a user executes with the same permissions as that user, so every privilege the user did not need becomes a privilege the malware gets for free.
How to implement it?
Assign every user and every process the least amount of privilege required to perform the actions they legitimately need to perform, and nothing more.
3. Least Privilege
Understanding the concept
An application uses a back-end database to store data. The application connects with a read-only DB user for its data-retrieving queries.
This application has a security weakness that lets an attacker manipulate DB queries using SQL injection.
Because the DB user has no write permissions, the attacker is not able to alter data in the DB, which makes exploitation harder.
Diagram: web application with a read-only DB user
Normal request: http://site.com/users?id=95
  connect to db with read only user;
  select info from users where userid = 95;
  Result: John's details
Injected request: http://site.com/users?id=95; truncate table users
  select info from users where userid = 95; truncate table users;
  Result: John's details are returned, but the truncate fails: ACCESS DENIED!
4. Least Privilege
What could happen with the concept?
This time, the application connects with a DB user that has read-write permissions.
An attacker tries to manipulate back-end queries using SQL injection.
Because the DB user has write permissions, the attacker is able to truncate or drop tables of his choosing. With those tables gone, the application becomes unusable.
Diagram: web application with a read-write DB user
Injected request: http://site.com/users?id=95; truncate table users
  connect to db with read-write user;
  select info from users where userid = 95; truncate table users;
  Result: table truncated!
5. Least Privilege
What could happen with the concept?
This time, the application connects with a DB user that has an administrator role.
An attacker tries to manipulate back-end queries using SQL injection.
Because the DB user has an admin role, the attacker is able to access administrator tables. The DB user names and password hashes are retrieved. Admin DB commands, such as shutting the database down, could also be executed.
Diagram: web application with a DB user that has admin and read-write permissions
Injected request: http://site.com/users?id=95 union select usr, pwd from user_table
  connect to db with admin_role_user;
  select fname, lname from users where userid = 95
  union select usr, pwd from user_table;
Result (the UNION appends the admin table's rows to the normal output):
  User    Password
  John    996a7d40ca944dd0fc5
  admin   c0ce0dff9996a7d40c1e
  Bart    c6a7d40c1e96a944dd0
6. Least Privilege
Typical controls
Processes spawned by an application should execute with the least privilege needed to get the job done, and no more.
Application users should have as few privileges as possible while still being able to perform their business processes.
Implement role-based access controls.
Deny by default; allow on a case-by-case basis.
Although the "Least Privilege" concept will not stop application security weaknesses (code injections, ...) from existing, it makes it much harder for an attacker to further exploit those weaknesses: the same SQL injection that only leaks one user's details under a read-only DB user destroys data under a read-write user and dumps credentials under an admin user.