OWASP Top 10 - 2013 Topics 
A7: Missing Function Level Access Control 
IT 6873 – INFORMATION SECURITY SEMINAR 
FALL 2014 
Steven Green
AGENDA AND OVERVIEW 
• Introduction to topic A7: Missing Function Level Access Control 
• Explanation of Missing Function Level Access Control & 
Authorization 
• How this Vulnerability Occurs 
• Ease of Attack 
• Examples of Attacks 
• Are you Vulnerable? How to know… 
• Defenses to this Vulnerability
OWASP TOP 10 – 2013 
(Open Web Application Security Project) 
• Lists Top 10 Web Application Security Risks 
• A7 – Missing Function Level Access Control
2013 OWASP Top 10 vs. 2010 OWASP Top 10 
In 2010, topic was known as: Failure to Restrict URL Access 
In 2013, topic now known as: Missing Function Level Access Control
What is MISSING FUNCTION LEVEL ACCESS 
CONTROL?? 
• Any user with Network Access can send requests to the server… 
• http://www.example.com 
• http://www.example.com/app=page0 
• An Attacker can simply change the URL or parameter to reach 
unauthorized functionality… 
• http://www.example.com/admin=cntrl
What is MISSING FUNCTION LEVEL ACCESS 
CONTROL?? (cont.) 
• That grants them access to privileged functions!! 
• Without proper verification of rights, you get MISSING Function 
Level Access Control!
AUTHORIZATION 
• Authorization – Ensures that the authenticated user has the 
appropriate privileges to view/control resources (i.e. ACCESS) 
I. Only authorized users can perform certain actions 
II. Control access to protected resources 
III. Prevent privilege escalation attacks
AUTHORIZATION (cont.) 
A breakdown in, or a misconfiguration of, authorization is what produces Missing Function Level Access Control.
HOW DOES THIS OCCUR? 
• Applications do not always protect application functions properly… 
• This type of vulnerability results from insufficient protection of 
sensitive request handlers within an application. Typically the application: 
• Simply hides access to sensitive actions (a link that is not shown is still a URL that can be requested) 
• Fails to enforce sufficient authorization for some actions 
• Exposes actions through a user-controlled request parameter
COMMON ACCESS CONTROL ISSUES: 
• All or Nothing approach – all authenticated users have equal privileges 
• Security by Obscurity – relying on hiding the path and hoping it is 
not found 
• Shared Accounts – when administrators share one account, an action cannot be traced to a person, 
so a malicious administrator cannot be told apart from an honest one 
• Root – Web and application processes run as root, so a bypass of the application's checks runs with full privileges on the host 
• Authentication – Many admin. interfaces only require a password for authentication 
• Admin. Interfaces – often built with less care than user-level interfaces because 
admins are considered 'trusted'
EASE OF ATTACKS UPON APPLICATIONS 
• The 2013 OWASP Top 10 rates the exploitability of A7 as EASY: the attack needs nothing 
beyond a browser and a modified URL 
• SIMPLY GUESSING AT THE URL CAN YIELD RESULTS
COMMON ATTACKS ON ACCESS CONTROL: 
• Vertical Access Control – a standard user reaches admin functionality (privilege escalation) 
• Horizontal Access Control – a user with the same role as another user 
accesses that user's private data 
• Business Logic Access Control – abuse of linked activities that 
collectively realize a business objective (e.g. reaching a later step of a workflow without completing the earlier ones)
ATTACK EXAMPLES 
• Example 1: Force-Browsing the URL 
• You go to a site and notice the URL: 
http://randomsite.com 
• You click a link or application and see this URL: 
http://randomsite.com/app/getappinfo 
• Now you simply guess a privileged sibling of that path. If the server returns the page instead of a 403 
or a redirect to the login page, the function runs for you without any admin rights: 
http://randomsite.com/app/admin_getappinfo 
ADMINISTRATOR ACCESS HAS BEEN ACHIEVED!
ATTACK EXAMPLES (cont.) 
• Example 2: Horizontal Access Attack 
• User goes to a site, logs in, and lands on a page whose URL carries their own account identifier: 
http://www.examplesite.com/app2/userID=21775 
(Notice, userID is provided in the URL) 
• User changes the 'userID' to that of another user: 
http://www.examplesite.com/app2/userID=45185 
• If the server trusts the parameter instead of checking that the record belongs to the logged-in user, 
the user can read (and, on a write handler, change) any other user's data simply by changing the userID. 
The 2013 Top 10 files this data-level case under A4 (Insecure Direct Object References); A7 is the 
function-level case of Example 1. The test and the fix are the same kind: verify rights on the server for every request. 
EVERY RECORD WITH A GUESSABLE userID HAS NOW BEEN COMPROMISED!!
ARE YOU VULNERABLE? 
• Several methods to determine if your site is vulnerable to this type 
of attack: 
1. Attempt to access administrative components as a regular user 
2. Using a proxy, browse the application as administrator, then replay the captured 
requests with a regular user's session (and with no session at all) and compare the responses 
3. Determine how administrators are authenticated in the application and ensure 
proper procedures are enforced. 
4. Automated tools help with discovery: Nikto2 enumerates common admin and management paths, 
and DotDotPwn fuzzes for directory traversal. They find exposed paths; whether a path actually 
enforces authorization still has to be checked as in steps 1 and 2.
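Step 2 above, scripted, as an added example that is not part of the original deck: the captured requests, the session cookies and the target site are constructed stand-ins, and a real run would send each request through the proxy or an HTTP client instead of calling `fake_target`. A request the administrator succeeded on that also returns 200 for the regular user, or for no session at all, on a path that role is not documented to reach, is a missing function-level check.

```python
from collections import namedtuple

Captured = namedtuple("Captured", "method path admin_status")

# Constructed (assumption): what the proxy recorded while browsing as admin.
CAPTURED = [
    Captured("GET",  "/app/getappinfo",         200),
    Captured("GET",  "/app/admin_getappinfo",   200),
    Captured("GET",  "/app/admin/report",       200),
    Captured("POST", "/app/admin/users/delete", 200),
    Captured("GET",  "/app/nonexistent",        404),
]

# Lower-privileged sessions to replay with: name -> (cookie, paths the role
# is documented to be allowed).  Anonymous is allowed nothing.
SESSIONS = {
    "user": ("user-cookie", {"/app/getappinfo"}),
    "anonymous": (None, set()),
}

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def fake_target(cookie, method, path):
    """Constructed stand-in for the site under test.  Only admin_getappinfo
    has a server-side role check; the report and delete functions are merely
    unlinked from the user's menu.  Returns an HTTP status code."""
    if path == "/app/nonexistent":
        return 404
    if path == "/app/admin_getappinfo":
        return 200 if cookie == "admin-cookie" else 403
    if cookie is None and path == "/app/getappinfo":
        return 302                              # redirect to login
    return 200                                  # no check at all


def replay(captured, send, sessions, replay_unsafe=False):
    """Replay each request the admin succeeded on with every lower-privileged
    session.  A 200 on a path the session's role is not allowed is a finding.
    3xx (login redirect) and 403 count as correctly denied.  State-changing
    methods are skipped unless replay_unsafe=True, because replaying them
    against a live system executes the action."""
    findings, skipped = [], []
    for c in captured:
        if c.admin_status != 200:
            continue                            # no successful baseline
        if c.method not in SAFE_METHODS and not replay_unsafe:
            skipped.append((c.method, c.path))
            continue
        for name, (cookie, allowed) in sessions.items():
            status = send(cookie, c.method, c.path)
            if status == 200 and c.path not in allowed:
                findings.append((name, c.method, c.path))
    return findings, skipped


if __name__ == "__main__":
    found, skipped = replay(CAPTURED, fake_target, SESSIONS)
    for f in found:
        print("MISSING ACCESS CONTROL: %-9s %s %s" % f)
    for s in skipped:
        print("skipped (state-changing, rerun with replay_unsafe=True): %s %s" % s)
```

Two practitioner caveats are built in: state-changing requests (the POST that deletes a user) are skipped by default, because replaying them against a live system performs the action, and a 3xx is treated as a denial, since most applications answer an unauthorized request with a redirect to the login page. When the application answers 200 with an error page, compare response bodies as well as status codes.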
PREVENTING ATTACKS 
• Use one simple authorization module that every function invokes to evaluate the rules 
• Don't hard-code the rules; the module should let the admin. update 
and audit roles without a code change 
• By default, DENY ACCESS! Grant access based on roles, for every 
function, including the ones the UI never links to 
• Ensure authorization is enforced in the controller or business logic, 
not only in the presentation layer (hiding a link is not a control) 
• Avoid assigning permissions on a per-user basis; assign them to roles 
• Log all failed attempts to access restricted locations and review 
the log periodically: a regular user's session producing 403s on admin paths is forced browsing in progress
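The failure mode from the HOW DOES THIS OCCUR? slide and the defenses on this slide, side by side, as an added example with an in-memory dispatcher (not code from the deck): the users, profile records and paths are constructed fixtures. The vulnerable version hides the admin link in the navigation and trusts the userID parameter; the hardened version routes every function through one authorization module, denies by default (an unregistered path never runs), assigns roles per function, adds the ownership check for the userID case, and logs every denial.

```python
import logging
from dataclasses import dataclass, field
from functools import wraps
from typing import Optional

log = logging.getLogger("authz")

# Constructed fixture (assumption): three sessions, two profile records.
USERS = {"alice": "user", "bob": "user", "root": "admin"}       # user -> role
PROFILES = {21775: "alice's record", 45185: "bob's record"}     # userID -> data
OWNER_ID = {"alice": 21775, "bob": 45185}                        # user -> own userID


@dataclass
class Request:
    user: Optional[str]            # None = not logged in
    path: str
    params: dict = field(default_factory=dict)


# ---- Vulnerable: the admin link is hidden from the menu, and that is all ----
def vuln_nav(req):
    links = ["/app/getappinfo"]
    if USERS.get(req.user) == "admin":
        links.append("/app/admin_getappinfo")    # hidden, not protected
    return links


def vuln_dispatch(req):
    if req.path == "/app/getappinfo":
        return 200, "public app info"
    if req.path == "/app/admin_getappinfo":      # no rights check at all
        return 200, "ADMIN: all app internals"
    if req.path == "/app2/profile":              # trusts userID from the URL
        return 200, PROFILES.get(int(req.params.get("userID", 0)), "")
    return 404, ""


# ---- Hardened: one module, deny by default, roles per function ----
ROUTES = {}   # path -> guarded handler; a path never registered never runs


def route(path, roles):
    """Register a handler and wrap it with the role check for that function."""
    def deco(fn):
        @wraps(fn)
        def guarded(req):
            role = USERS.get(req.user)           # None for anonymous
            if role not in roles:
                log.warning("denied user=%s role=%s path=%s", req.user, role, path)
                return 403, ""
            return fn(req)
        ROUTES[path] = guarded
        return guarded
    return deco


@route("/app/getappinfo", roles={"user", "admin"})
def app_info(req):
    return 200, "public app info"


@route("/app/admin_getappinfo", roles={"admin"})
def admin_info(req):
    return 200, "ADMIN: all app internals"


@route("/app2/profile", roles={"user", "admin"})
def profile(req):
    # Function-level check passed; now the object-level check: a user may
    # read only the record they own, an admin may read any record.
    try:
        requested = int(req.params.get("userID", -1))
    except ValueError:
        return 400, ""
    if USERS[req.user] != "admin" and OWNER_ID.get(req.user) != requested:
        log.warning("denied user=%s userID=%d (not owner)", req.user, requested)
        return 403, ""
    return 200, PROFILES.get(requested, "")


def safe_dispatch(req):
    handler = ROUTES.get(req.path)
    return handler(req) if handler else (404, "")


if __name__ == "__main__":
    alice_admin = Request("alice", "/app/admin_getappinfo")
    print("vulnerable:", vuln_dispatch(alice_admin))   # forced browse succeeds
    print("hardened:  ", safe_dispatch(alice_admin))   # denied and logged
```

The point of the `route` decorator is that the check cannot be forgotten: a handler only becomes reachable by registering it, and registering it requires naming the roles. The `profile` handler shows why the role check alone is not enough for data carrying an identifier; the ownership test is the second layer that Example 2 on the attack slides needs.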
SUMMARY 
• MISSING FUNCTION LEVEL ACCESS CONTROL ATTACKS are… 
• Easy to Perform 
• Easy to Prevent 
• Somewhat Easy to Detect 
• Potential Impact is pretty severe based upon what kinds of data are stored in the 
authorized areas
FOLLOW-UP DISCUSSION QUESTIONS 
• 1. Have you experienced this type of vulnerability ‘in the wild’? If so, 
please provide your example/experience and how it left you feeling 
knowing that it exists. 
• 2. The Common Weakness Enumeration website (www.cwe.mitre.org) 
provides a dictionary of the most common types of software weaknesses 
that have been found. Please find an attack relative to this topic and 
describe the attack and a detection method available to find this type of 
vulnerability. 
• 3. Path Traversal is a form of MISSING FUNCTION LEVEL ACCESS 
CONTROL. I mentioned one tool (DotDotPwn) used to detect these types 
of attacks. Can you find any additional tools that could be used? Provide 
a link and brief overview of your findings.
REFERENCES 
• https://www.owasp.org/index.php/Top_10_2013-About_OWASP 
• http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf 
• https://bounty.github.com/classifications/missing-function-level-access-control.html 
• https://www.owasp.org/index.php/Access_Control_Cheat_Sheet 
• https://www.owasp.org/index.php/Guide_to_Authorization#Best_Practices_in_Action
RESOURCE & READING LIST 
For more information regarding MFLAC, Authorization and other topics 
discussed, please review these other resources: 
• http://msdn.microsoft.com/en-us/library/vstudio/f13d73y6(v=vs.100).aspx 
• https://bounty.github.com/index.html#open-bounties 
• http://www.youtube.com/watch?v=phDfFNVCONo 
• https://www.youtube.com/watch?v=ggobmsuiL0c 
• https://www.owasp.org/index.php/Forced_browsing 
• https://www.owasp.org/index.php/OWASP_Testing_Project 
• https://www.cirt.net/Nikto2 
• http://dotdotpwn.blogspot.com/ 
• https://www.owasp.org/index.php/Testing_Directory_traversal/file_include_(OTG-AUTHZ-001) 
• http://www.darkreading.com/application-security/application-security-we-still-have-a-long-way-to-go/d/d-id/1005798

More Related Content

What's hot

Application Security
Application SecurityApplication Security
Application Securityflorinc
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
Detecting Phishing using Machine Learning
Detecting Phishing using Machine LearningDetecting Phishing using Machine Learning
Detecting Phishing using Machine Learningijtsrd
 
Security testing fundamentals
Security testing fundamentalsSecurity testing fundamentals
Security testing fundamentalsCygnet Infotech
 
What is security testing and why it is so important?
What is security testing and why it is so important?What is security testing and why it is so important?
What is security testing and why it is so important?ONE BCG
 
Introducing java oop concepts
Introducing java oop conceptsIntroducing java oop concepts
Introducing java oop conceptsIvelin Yanev
 
Cyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General AudienceCyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General AudienceTom K
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with examplePrateek Chauhan
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?Michael Gough
 

What's hot (20)

Application Security
Application SecurityApplication Security
Application Security
 
Owasp zap
Owasp zapOwasp zap
Owasp zap
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
Broken access controls
Broken access controlsBroken access controls
Broken access controls
 
OWASP Top Ten 2017
OWASP Top Ten 2017OWASP Top Ten 2017
OWASP Top Ten 2017
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
Information security
Information securityInformation security
Information security
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Detecting Phishing using Machine Learning
Detecting Phishing using Machine LearningDetecting Phishing using Machine Learning
Detecting Phishing using Machine Learning
 
Security testing fundamentals
Security testing fundamentalsSecurity testing fundamentals
Security testing fundamentals
 
Diffie-hellman algorithm
Diffie-hellman algorithmDiffie-hellman algorithm
Diffie-hellman algorithm
 
What is security testing and why it is so important?
What is security testing and why it is so important?What is security testing and why it is so important?
What is security testing and why it is so important?
 
Introducing java oop concepts
Introducing java oop conceptsIntroducing java oop concepts
Introducing java oop concepts
 
PHP Security
PHP SecurityPHP Security
PHP Security
 
Cyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General AudienceCyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General Audience
 
Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with example
 
Broken access control
Broken access controlBroken access control
Broken access control
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
 

Viewers also liked

A10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsA10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsShane Stanley
 
OWASP Top 10 (2010 release candidate 1)
OWASP Top 10 (2010 release candidate 1)OWASP Top 10 (2010 release candidate 1)
OWASP Top 10 (2010 release candidate 1)Jeremiah Grossman
 
Les menaces applicatives
Les menaces applicativesLes menaces applicatives
Les menaces applicativesBee_Ware
 
Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo)
Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo) Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo)
Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo) Nitroxis Sprl
 
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecWhat the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecIBM Security
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration Tariq Islam
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
CA API Gateway: Web API and Application Security
CA API Gateway: Web API and Application SecurityCA API Gateway: Web API and Application Security
CA API Gateway: Web API and Application SecurityCA Technologies
 

Viewers also liked (9)

A10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsA10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and Forwards
 
OWASP Top 10 (2010 release candidate 1)
OWASP Top 10 (2010 release candidate 1)OWASP Top 10 (2010 release candidate 1)
OWASP Top 10 (2010 release candidate 1)
 
owaspa4
owaspa4owaspa4
owaspa4
 
Les menaces applicatives
Les menaces applicativesLes menaces applicatives
Les menaces applicatives
 
Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo)
Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo) Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo)
Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo)
 
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecWhat the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
CA API Gateway: Web API and Application Security
CA API Gateway: Web API and Application SecurityCA API Gateway: Web API and Application Security
CA API Gateway: Web API and Application Security
 

Similar to A7 Missing Function Level Access Control

Jonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdfJonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdfJonathan Singer
 
Vulnerabilidades en sitios web (english)
Vulnerabilidades en sitios web (english)Vulnerabilidades en sitios web (english)
Vulnerabilidades en sitios web (english)Miguel de la Cruz
 
How to Test for The OWASP Top Ten
 How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Web application testing
Web application testing Web application testing
Web application testing Nora Alriyes
 
OWASP TOP 10 by Team xbios
OWASP TOP 10  by Team xbiosOWASP TOP 10  by Team xbios
OWASP TOP 10 by Team xbiosVi Vek
 
Security Testing In Application Authentication
Security Testing In Application AuthenticationSecurity Testing In Application Authentication
Security Testing In Application AuthenticationRapidValue
 
Owasp Proactive Controls for Web developer
Owasp  Proactive Controls for Web developerOwasp  Proactive Controls for Web developer
Owasp Proactive Controls for Web developerSameer Paradia
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
Web Security Overview
Web Security OverviewWeb Security Overview
Web Security OverviewNoah Jaehnert
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxkarthikvcyber
 
Engineering Software Products: 7. security and privacy
Engineering Software Products: 7. security and privacyEngineering Software Products: 7. security and privacy
Engineering Software Products: 7. security and privacysoftware-engineering-book
 
2.1 Web Vulnerabilities.pptx
2.1 Web Vulnerabilities.pptx2.1 Web Vulnerabilities.pptx
2.1 Web Vulnerabilities.pptxMiteshVyas16
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyAditya Gupta
 
Principles for Secure Design and Software Security
Principles for Secure Design and Software Security Principles for Secure Design and Software Security
Principles for Secure Design and Software Security Mona Rajput
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With ExamplesAlwin Thayyil
 
Core defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsCore defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsKaran Nagrecha
 

Similar to A7 Missing Function Level Access Control (20)

Jonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdfJonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdf
 
apex security demo.ppsx
apex security demo.ppsxapex security demo.ppsx
apex security demo.ppsx
 
Vulnerabilidades en sitios web (english)
Vulnerabilidades en sitios web (english)Vulnerabilidades en sitios web (english)
Vulnerabilidades en sitios web (english)
 
How to Test for The OWASP Top Ten
 How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Web application testing
Web application testing Web application testing
Web application testing
 
OWASP TOP 10 by Team xbios
OWASP TOP 10  by Team xbiosOWASP TOP 10  by Team xbios
OWASP TOP 10 by Team xbios
 
Security Testing In Application Authentication
Security Testing In Application AuthenticationSecurity Testing In Application Authentication
Security Testing In Application Authentication
 
Owasp Proactive Controls for Web developer
Owasp  Proactive Controls for Web developerOwasp  Proactive Controls for Web developer
Owasp Proactive Controls for Web developer
 
Nii sample pt_report
Nii sample pt_reportNii sample pt_report
Nii sample pt_report
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
 
Web Security Overview
Web Security OverviewWeb Security Overview
Web Security Overview
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptx
 
Engineering Software Products: 7. security and privacy
Engineering Software Products: 7. security and privacyEngineering Software Products: 7. security and privacy
Engineering Software Products: 7. security and privacy
 
2.1 Web Vulnerabilities.pptx
2.1 Web Vulnerabilities.pptx2.1 Web Vulnerabilities.pptx
2.1 Web Vulnerabilities.pptx
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack Proxy
 
Principles for Secure Design and Software Security
Principles for Secure Design and Software Security Principles for Secure Design and Software Security
Principles for Secure Design and Software Security
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With Examples
 
Core defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsCore defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applications
 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
 

Recently uploaded

EMERCE - 2024 - AMSTERDAM - CROSS-PLATFORM TRACKING WITH GOOGLE ANALYTICS.pptx
EMERCE - 2024 - AMSTERDAM - CROSS-PLATFORM  TRACKING WITH GOOGLE ANALYTICS.pptxEMERCE - 2024 - AMSTERDAM - CROSS-PLATFORM  TRACKING WITH GOOGLE ANALYTICS.pptx
EMERCE - 2024 - AMSTERDAM - CROSS-PLATFORM TRACKING WITH GOOGLE ANALYTICS.pptxthyngster
 
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdfKantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdfSocial Samosa
 
Invezz.com - Grow your wealth with trading signals
Invezz.com - Grow your wealth with trading signalsInvezz.com - Grow your wealth with trading signals
Invezz.com - Grow your wealth with trading signalsInvezz1
 
VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...
VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...
VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...Suhani Kapoor
 
100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptx100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptxAnupama Kate
 
VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...
VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...
VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...Suhani Kapoor
 
VIP High Class Call Girls Bikaner Anushka 8250192130 Independent Escort Servi...
VIP High Class Call Girls Bikaner Anushka 8250192130 Independent Escort Servi...VIP High Class Call Girls Bikaner Anushka 8250192130 Independent Escort Servi...
VIP High Class Call Girls Bikaner Anushka 8250192130 Independent Escort Servi...Suhani Kapoor
 
Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...
Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...
Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...Sapana Sha
 
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Serviceranjana rawat
 
VIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service Amravati
VIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service AmravatiVIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service Amravati
VIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service AmravatiSuhani Kapoor
 
Predicting Employee Churn: A Data-Driven Approach Project Presentation
Predicting Employee Churn: A Data-Driven Approach Project PresentationPredicting Employee Churn: A Data-Driven Approach Project Presentation
Predicting Employee Churn: A Data-Driven Approach Project PresentationBoston Institute of Analytics
 
Call Girls in Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls in Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Defence Colony Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
RA-11058_IRR-COMPRESS Do 198 series of 1998
RA-11058_IRR-COMPRESS Do 198 series of 1998RA-11058_IRR-COMPRESS Do 198 series of 1998
RA-11058_IRR-COMPRESS Do 198 series of 1998YohFuh
 
Customer Service Analytics - Make Sense of All Your Data.pptx
Customer Service Analytics - Make Sense of All Your Data.pptxCustomer Service Analytics - Make Sense of All Your Data.pptx
Customer Service Analytics - Make Sense of All Your Data.pptxEmmanuel Dauda
 
dokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.ppt
dokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.pptdokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.ppt
dokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.pptSonatrach
 
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130Suhani Kapoor
 
Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...
Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...
Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...dajasot375
 
High Class Call Girls Noida Sector 39 Aarushi 🔝8264348440🔝 Independent Escort...
High Class Call Girls Noida Sector 39 Aarushi 🔝8264348440🔝 Independent Escort...High Class Call Girls Noida Sector 39 Aarushi 🔝8264348440🔝 Independent Escort...
High Class Call Girls Noida Sector 39 Aarushi 🔝8264348440🔝 Independent Escort...soniya singh
 
Unveiling Insights: The Role of a Data Analyst
Unveiling Insights: The Role of a Data AnalystUnveiling Insights: The Role of a Data Analyst
Unveiling Insights: The Role of a Data AnalystSamantha Rae Coolbeth
 

Recently uploaded (20)

EMERCE - 2024 - AMSTERDAM - CROSS-PLATFORM TRACKING WITH GOOGLE ANALYTICS.pptx
EMERCE - 2024 - AMSTERDAM - CROSS-PLATFORM  TRACKING WITH GOOGLE ANALYTICS.pptxEMERCE - 2024 - AMSTERDAM - CROSS-PLATFORM  TRACKING WITH GOOGLE ANALYTICS.pptx
EMERCE - 2024 - AMSTERDAM - CROSS-PLATFORM TRACKING WITH GOOGLE ANALYTICS.pptx
 
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdfKantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
 
Invezz.com - Grow your wealth with trading signals
Invezz.com - Grow your wealth with trading signalsInvezz.com - Grow your wealth with trading signals
Invezz.com - Grow your wealth with trading signals
 
VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...
VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...
VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...
 
100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptx100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptx
 
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in  KishangarhDelhi 99530 vip 56974 Genuine Escort Service Call Girls in  Kishangarh
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
 
VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...
VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...
VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...
 
VIP High Class Call Girls Bikaner Anushka 8250192130 Independent Escort Servi...
VIP High Class Call Girls Bikaner Anushka 8250192130 Independent Escort Servi...VIP High Class Call Girls Bikaner Anushka 8250192130 Independent Escort Servi...
VIP High Class Call Girls Bikaner Anushka 8250192130 Independent Escort Servi...
 
Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...
Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...
Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...
 
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service
 
VIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service Amravati
VIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service AmravatiVIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service Amravati
VIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service Amravati
 
Predicting Employee Churn: A Data-Driven Approach Project Presentation
Predicting Employee Churn: A Data-Driven Approach Project PresentationPredicting Employee Churn: A Data-Driven Approach Project Presentation
Predicting Employee Churn: A Data-Driven Approach Project Presentation
 
Call Girls in Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls in Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Defence Colony Delhi 💯Call Us 🔝8264348440🔝
 
RA-11058_IRR-COMPRESS Do 198 series of 1998
RA-11058_IRR-COMPRESS Do 198 series of 1998RA-11058_IRR-COMPRESS Do 198 series of 1998
RA-11058_IRR-COMPRESS Do 198 series of 1998
 
Customer Service Analytics - Make Sense of All Your Data.pptx
Customer Service Analytics - Make Sense of All Your Data.pptxCustomer Service Analytics - Make Sense of All Your Data.pptx
Customer Service Analytics - Make Sense of All Your Data.pptx
 
dokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.ppt
dokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.pptdokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.ppt
dokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.ppt
 
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
 
Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...
Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...
Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...
 
High Class Call Girls Noida Sector 39 Aarushi 🔝8264348440🔝 Independent Escort...
High Class Call Girls Noida Sector 39 Aarushi 🔝8264348440🔝 Independent Escort...High Class Call Girls Noida Sector 39 Aarushi 🔝8264348440🔝 Independent Escort...
High Class Call Girls Noida Sector 39 Aarushi 🔝8264348440🔝 Independent Escort...
 
Unveiling Insights: The Role of a Data Analyst
Unveiling Insights: The Role of a Data AnalystUnveiling Insights: The Role of a Data Analyst
Unveiling Insights: The Role of a Data Analyst
 

A7 Missing Function Level Access Control

1. OWASP Top 10 - 2013 Topics
A7: Missing Function Level Access Control
IT 6873 – INFORMATION SECURITY SEMINAR
FALL 2014
Steven Green

2. AGENDA AND OVERVIEW
• Introduction to topic A7: Missing Function Level Access Control
• Explanation of Missing Function Level Access Control & Authorization
• How this Vulnerability Occurs
• Ease of Attack
• Examples of Attacks
• Are you Vulnerable? How to know…
• Defenses to this Vulnerability

3. OWASP TOP 10 – 2013 (Open Web Application Security Project)
• Lists Top 10 Web Application Security Risks
• A7 – Missing Function Level Access Control

4. 2013 OWASP Top 10 vs. 2010 OWASP Top 10
In 2010, the topic was known as: Failure to Restrict URL Access
In 2013, the topic is known as: Missing Function Level Access Control

5. What is MISSING FUNCTION LEVEL ACCESS CONTROL??
• Any user with Network Access can send requests to the server…
• http://www.example.com
• http://www.example.com/app=page0
• An Attacker can simply change the URL or parameter to reach unauthorized functionality…
• http://www.example.com/admin=cntrl

6. What is MISSING FUNCTION LEVEL ACCESS CONTROL?? (cont.)
• That grants them access to privileged functions!!
• Without proper verification of rights, you get MISSING Function Level Access Control!

7. AUTHORIZATION
• Authorization – Ensures that the authenticated user has the appropriate privileges to view/control resources (i.e. ACCESS)
I. Only authorized users can perform certain actions
II. Control access to protected resources
III. Prevent privilege escalation attacks

8. AUTHORIZATION (cont.)
Breakdown in or misconfigured Authorization → Missing Function Level Access Control

9. HOW DOES THIS OCCUR?
• Applications do not always protect application functions properly…
• This type of vulnerability results from insufficient protection of sensitive request handlers within an application
• Application may simply hide access to sensitive actions
• Fail to enforce sufficient authorization for some actions
• Expose actions through a user-controlled request parameter

10. COMMON ACCESS CONTROL ISSUES:
• All or Nothing approach – all users have equal privileges
• Security by Obscurity – relying on simply hiding the path and hoping it’s not found
• Shared Accounts – make it difficult to figure out whether an action came from a malicious or an honest administrator
• Root – Web and application processes run as root
• Authentication – Many admin. interfaces only require a password for authentication
• Admin. Interfaces – not designed to be as secure as other user-level interfaces because admins are considered ‘trusted’

11. EASE OF ATTACKS UPON APPLICATIONS
• According to the OWASP scale of Exploitability, this is a very easy vulnerability for an attacker to perpetrate
• SIMPLY GUESSING AT THE URL CAN YIELD RESULTS

12. COMMON ATTACKS ON ACCESS CONTROL:
• Vertical Access Control – Standard User accessing Admin functionality
• Horizontal Access Control – User has the same role as another user, accesses their private data
• Business Logic Access Control – Abuse of linked activities that collectively realize a business objective

13. ATTACK EXAMPLES
• Example 1: Force-Browsing the URL
• You go to a site and notice the URL: http://randomsite.com
• You click a link or application and see this URL: http://randomsite.com/app/getappinfo
• Now, you simply modify the path to see if the page exists. If so, you now have administrator access to the application: http://randomsite.com/app/admin_getappinfo
ADMINISTRATOR ACCESS HAS BEEN ACHIEVED!

14. ATTACK EXAMPLES (cont.)
• Example 2: Horizontal Access Attack
• User goes to a site, logs in to confirm authorization to site resources: http://www.examplesite.com/app2/userID=21775 (Notice, userID is provided in the URL)
• User changes the ‘userID’ to that of another user: http://www.examplesite.com/app2/userID=45185
• If proper authorization procedures are not in place, the user now has the ability to log in as other users simply by changing the userID
ALL USER DATA HAS NOW BEEN COMPROMISED!!

15. ARE YOU VULNERABLE?
• Several methods to determine if your site is vulnerable to this type of attack:
1. Attempt to access administrative components as a regular user
2. Using a proxy, browse the application as administrator and then try to access the restricted pages as a regular user
3. Determine how administrators are authenticated in the application and ensure proper procedures are enforced
4. Use automated tools such as DotDotPwn or Nikto2

16. PREVENTING ATTACKS
• Use an easy-to-use authorization module to invoke rules
• Don’t hard code; ensure the module allows the admin. to update and audit roles easily
• By default, DENY ACCESS! Provide access based on roles for every function
• Ensure authorization is enforced in the controller or business logic
• Avoid assigning permissions on a per-user basis
• Log all failed attempts to access restricted locations and review periodically
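As an added illustration of the two attack examples (slides 13 and 14) and the slide 16 defenses, not part of the original deck: a minimal controller in a ‘before’ form that relies on the admin URL being unlinked, and a hardened form that routes every call through one deny-by-default, role-based authorization module with a record-ownership check and a log of failed attempts. The session type, handler names, userIDs and records are constructed sample data.

```python
"""Deny-by-default function level access control (added example).
Models the slides' two attacks (forced browsing to an admin handler;
changing userID to read another user's record) and the slide 16 defenses:
central authorization module, checks in the controller, deny by default,
failed attempts logged. Names, roles, userIDs and records are constructed.
"""
from collections import namedtuple

Session = namedtuple("Session", "user_id role")  # role: "user" or "admin"

# Central rule table: handler name -> roles allowed to call it.
# A handler not listed here is denied for every role (deny by default).
FUNCTION_ROLES = {
    "getappinfo": {"user", "admin"},
    "admin_getappinfo": {"admin"},
    "get_user": {"user", "admin"},
}
USER_RECORDS = {21775: "record of 21775", 45185: "record of 45185"}
AUDIT_LOG = []  # failed attempts, for periodic review

def authorize(session, function, owner_id=None):
    """Vertical check (role) then horizontal check (record ownership)."""
    if session.role not in FUNCTION_ROLES.get(function, set()):
        AUDIT_LOG.append(f"DENY user={session.user_id} role={session.role} fn={function}")
        return False
    if owner_id is not None and session.role != "admin" and owner_id != session.user_id:
        AUDIT_LOG.append(f"DENY user={session.user_id} fn={function} owner={owner_id}")
        return False
    return True

def dispatch(function, user_id):
    """Business logic shared by both controllers below."""
    if function == "admin_getappinfo":
        return 200, "admin panel"
    if function == "get_user":
        return 200, USER_RECORDS.get(user_id, "")
    if function == "getappinfo":
        return 200, "app info"
    return 404, ""

def vulnerable_handle(session, function, user_id=None):
    """'Before': no check; the admin URL is merely unlinked (obscurity)."""
    return dispatch(function, user_id)

def hardened_handle(session, function, user_id=None):
    """'After': the controller refuses before any business logic runs."""
    if not authorize(session, function, owner_id=user_id):
        return 403, ""
    return dispatch(function, user_id)
```

Every 403 leaves a line in AUDIT_LOG, which is the review trail the last bullet of slide 16 asks for.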
17. SUMMARY
• MISSING FUNCTION LEVEL ACCESS CONTROL ATTACKS are…
• Easy to Perform
• Easy to Prevent
• Somewhat Easy to Detect
• Potential Impact is pretty severe, depending on what kinds of data are stored in the authorized areas

18. FOLLOW-UP DISCUSSION QUESTIONS
• 1. Have you experienced this type of vulnerability ‘in the wild’? If so, please provide your example/experience and how it left you feeling, knowing that it exists.
• 2. The Common Weakness Enumeration website (www.cwe.mitre.org) provides a dictionary of the most common types of software weaknesses that have been found. Please find an attack related to this topic and describe the attack and a detection method available to find this type of vulnerability.
• 3. Path Traversal is a form of MISSING FUNCTION LEVEL ACCESS CONTROL. I mentioned one tool (DotDotPwn) used to detect these types of attacks. Can you find any additional tools that could be used? Provide a link and a brief overview of your findings.

19. REFERENCES
• https://www.owasp.org/index.php/Top_10_2013-About_OWASP
• http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
• https://bounty.github.com/classifications/missing-function-level-access-control.html
• https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
• https://www.owasp.org/index.php/Guide_to_Authorization#Best_Practices_in_Action

20. RESOURCE & READING LIST
For more information regarding MFLAC, Authorization and other topics discussed, please review these other resources:
• http://msdn.microsoft.com/en-us/library/vstudio/f13d73y6(v=vs.100).aspx
• https://bounty.github.com/index.html#open-bounties
• http://www.youtube.com/watch?v=phDfFNVCONo
• https://www.youtube.com/watch?v=ggobmsuiL0c
• https://www.owasp.org/index.php/Forced_browsing
• https://www.owasp.org/index.php/OWASP_Testing_Project
• https://www.cirt.net/Nikto2
• http://dotdotpwn.blogspot.com/
• https://www.owasp.org/index.php/Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)
• http://www.darkreading.com/application-security/application-security-we-still-have-a-long-way-to-go/d/d-id/1005798