1. OWASP Top 10 - 2013 Topics
A7: Missing Function Level Access Control
IT 6873 – INFORMATION SECURITY SEMINAR
FALL 2014
Steven Green
2. AGENDA AND OVERVIEW
• Introduction to topic A7: Missing Function Level Access Control
• Explanation of Missing Function Level Access Control &
Authorization
• How this Vulnerability Occurs
• Ease of Attack
• Examples of Attacks
• Are you Vulnerable? How to know…
• Defenses to this Vulnerability
3. OWASP TOP 10 – 2013
(Open Web Application Security Project)
• Lists Top 10 Web Application Security Risks
• A7 – Missing Function Level Access Control
4. 2013 OWASP Top 10 vs. 2010 OWASP Top 10
In 2010, the topic was known as:
Failure to Restrict URL Access
In 2013, the topic is known as:
Missing Function Level Access Control
(The rename reflects that the risk covers any privileged function a request can reach, not only URLs.)
5. What is MISSING FUNCTION LEVEL ACCESS CONTROL?
• Any user with network access can send requests to the server…
• http://www.example.com
• http://www.example.com/app=page0
• An attacker can simply change the URL or a parameter to reach unauthorized functionality…
• http://www.example.com/admin=cntrl
6. What is MISSING FUNCTION LEVEL ACCESS CONTROL? (cont.)
• If the server answers such a request without checking who is asking, that grants the attacker access to privileged functions!
• Without proper server-side verification of rights on every request, you get MISSING Function Level Access Control!
7. AUTHORIZATION
• Authorization – Ensures that the authenticated user has the
appropriate privileges to view/control resources (i.e. ACCESS)
I. Only authorized users can perform certain actions
II. Control access to protected resources
III. Prevent privilege escalation attacks
9. HOW DOES THIS OCCUR?
• Applications do not always protect application functions properly…
• This type of vulnerability results from insufficient protection of sensitive request handlers within an application. The application may:
• Simply hide access to sensitive actions (the link or button is not shown, but the handler still answers any request that reaches it)
• Fail to enforce sufficient authorization for some actions
• Expose actions through a user-controlled request parameter
10. COMMON ACCESS CONTROL ISSUES:
• All or Nothing approach – all users have equal privileges
• Security by Obscurity – relying on security by simply hiding the path and hoping it’s
not found
• Shared Accounts – make it impossible to tell which administrator performed an action, so a malicious administrator cannot be distinguished from an honest one
• Root – Web and application processes run as root
• Authentication – Many admin. interfaces only require a password for authentication
• Admin. Interfaces – not designed as secure as other user-level interfaces because
admins are considered ‘trusted’
11. EASE OF ATTACKS UPON APPLICATIONS
• On the OWASP 2013 risk rating scale, exploitability for this item is rated EASY: the attacker needs nothing more than a browser or a proxy
• SIMPLY GUESSING AT THE URL CAN YIELD RESULTS
12. COMMON ATTACKS ON ACCESS CONTROL:
• Vertical Access Control bypass – a standard user accesses admin functionality
• Horizontal Access Control bypass – a user with the same role as another user accesses that user's private data
• Business Logic Access Control bypass – abuse of linked activities that collectively realize a business objective (e.g. skipping a step in a multi-step workflow)
13. ATTACK EXAMPLES
• Example 1: Force-Browsing the URL
• You go to a site and notice the URL:
http://randomsite.com
• You click a link or application and see this URL:
http://randomsite.com/app/getappinfo
• Now, you simply guess a privileged variant of the path to see if the page exists. If it does, and the server never checks your role before serving it, you now have administrator access to the application:
http://randomsite.com/app/admin_getappinfo
ADMINISTRATOR ACCESS HAS BEEN ACHIEVED!
14. ATTACK EXAMPLES (cont.)
• Example 2: Horizontal Access Attack
• A user logs in to a site, and the page showing their own data carries their userID in the URL:
http://www.examplesite.com/app2/userID=21775
(Notice, userID is provided in the URL)
• The user changes the 'userID' to that of another user:
http://www.examplesite.com/app2/userID=45185
• If the server does not check that the requested record belongs to the logged-in user, the user can now view (and possibly modify) other users' data simply by changing the userID, without ever logging in as them. With sequential IDs, every account can be enumerated.
ALL USER DATA HAS NOW BEEN COMPROMISED!!
(In the 2013 Top 10 this pattern is also covered by A4, Insecure Direct Object References; the root cause, no per-request authorization check, is the same.)
15. ARE YOU VULNERABLE?
• Several methods to determine if your site is vulnerable to this type of attack:
1. Attempt to access administrative components as a regular user
2. Using a proxy, browse the application as an administrator, record every URL and request, then replay the restricted ones with a regular user's session (and with no session at all). Any request that still succeeds is a finding.
3. Determine how administrators are authenticated in the application and ensure proper procedures are enforced.
4. Use automated tools such as DotDotPwn (directory traversal fuzzing) or Nikto2 (known admin paths and misconfigurations). These find exposed paths but cannot tell whether the function behind a path checks authorization, so confirm every hit with the proxy test in step 2.
16. PREVENTING ATTACKS
• Use a single, easy-to-use authorization module, and invoke its rules from every function rather than re-implementing checks in each handler
• Don't hard code roles or permissions; ensure the module lets an administrator update and audit roles easily
• By default, DENY ACCESS! Grant access based on roles, explicitly, for every function; a function with no rule must be unreachable, not silently public
• Ensure authorization is enforced in the controller or business logic, not only in the presentation layer (hiding a link or menu entry is not access control)
• Avoid assigning permissions on a per-user basis; assign them to roles and assign users to roles
• Log all failed attempts to access restricted locations and review the log periodically; a burst of 403s from one account is a force-browsing attempt in progress
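The two attack examples (slides 13 and 14), the proxy replay check (slide 15) and the defenses above, put together as a miniature application. This is an added example written for this page, not code from the slides or from OWASP: the routes, user IDs, roles and the `DENIED_LOG` list are constructed for illustration, and the "web server" is a plain Python function so it runs offline.

```python
"""Missing function level access control: a vulnerable dispatcher beside a
hardened one that denies by default and checks role and ownership in the
controller. All data below is constructed for the example."""
from dataclasses import dataclass, field

# Constructed users: two ordinary accounts and one administrator.
USERS = {
    21775: {"name": "alice", "role": "user"},
    45185: {"name": "bob", "role": "user"},
    1:     {"name": "root", "role": "admin"},
}


@dataclass
class Request:
    user_id: int                                   # authenticated caller (from the session)
    path: str                                      # e.g. "/app/admin_getappinfo"
    params: dict = field(default_factory=dict)     # e.g. {"userID": "45185"}


# --- Handlers: the business functions do no access checking themselves ---
def getappinfo(req):
    return 200, "public app info"


def admin_getappinfo(req):
    return 200, "ADMIN: full config and user list"


def user_profile(req):
    # Slide 14: the record to show is chosen by a user-controlled parameter.
    target = int(req.params.get("userID", req.user_id))
    return 200, f"profile of {USERS[target]['name']}"


ROUTES = {
    "/app/getappinfo": getappinfo,
    "/app/admin_getappinfo": admin_getappinfo,
    "/app2/profile": user_profile,
}


# --- Vulnerable dispatcher: anything that resolves to a handler is served ---
def dispatch_vulnerable(req):
    handler = ROUTES.get(req.path)
    if handler is None:
        return 404, "not found"
    return handler(req)            # no role check, no ownership check


# --- Hardened dispatcher: deny by default, authorize in the controller ---
# Every route must be listed with the roles allowed to call it. A route
# missing from this table is unreachable, not silently public.
REQUIRED_ROLE = {
    "/app/getappinfo": {"user", "admin"},
    "/app/admin_getappinfo": {"admin"},
    "/app2/profile": {"user", "admin"},
}

DENIED_LOG = []    # stands in for the application's security log (slide 16)


def dispatch_hardened(req):
    handler = ROUTES.get(req.path)
    allowed = REQUIRED_ROLE.get(req.path)
    if handler is None or allowed is None:
        return 404, "not found"
    role = USERS[req.user_id]["role"]
    if role not in allowed:                          # vertical check
        DENIED_LOG.append((req.user_id, req.path, "role"))
        return 403, "forbidden"
    if "userID" in req.params and role != "admin":   # horizontal (ownership) check
        if not req.params["userID"].isdigit() or int(req.params["userID"]) != req.user_id:
            DENIED_LOG.append((req.user_id, req.path, "ownership"))
            return 403, "forbidden"
    return handler(req)


# --- Slide 15, method 2: replay an administrator's URLs as a regular user ---
def audit(dispatch, user_id, admin_paths):
    """Return the paths from the admin session that a regular user can still reach."""
    return [p for p in admin_paths if dispatch(Request(user_id, p))[0] == 200]


if __name__ == "__main__":
    admin_urls = list(ROUTES)      # what a proxy would have recorded from the admin session
    print("vulnerable, reachable as alice:", audit(dispatch_vulnerable, 21775, admin_urls))
    print("hardened,   reachable as alice:", audit(dispatch_hardened, 21775, admin_urls))
    print("denied attempts logged:", DENIED_LOG)
```

Running the audit against `dispatch_vulnerable` lists all three paths, including `/app/admin_getappinfo`; against `dispatch_hardened` the admin path drops out, and the attempt is recorded in `DENIED_LOG` for review. The ownership rule lives in the dispatcher only to keep the example short; in a real application it belongs in the authorization module that every handler calls, as the slide recommends.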
17. SUMMARY
• MISSING FUNCTION LEVEL ACCESS CONTROL ATTACKS are…
• Easy to Perform
• Easy to Prevent
• Somewhat Easy to Detect
• Potential impact depends on what data and functions sit behind the restricted areas; an exposed admin function can mean full compromise of the application
18. FOLLOW-UP DISCUSSION QUESTIONS
• 1. Have you experienced this type of vulnerability ‘in the wild’? If so,
please provide your example/experience and how it left you feeling
knowing that it exists.
• 2. The Common Weakness Enumeration website (www.cwe.mitre.org)
provides a dictionary of the most common types of software weaknesses
that have been found. Please find an attack relative to this topic and
describe the attack and a detection method available to find this type of
vulnerability.
• 3. Path Traversal is closely related to MISSING FUNCTION LEVEL ACCESS CONTROL: both let a request reach a resource the server never intended to expose. I mentioned one tool (DotDotPwn) used to detect these types of attacks. Can you find any additional tools that could be used? Provide a link and brief overview of your findings.