SlideShare a Scribd company logo
Broken Authentication & Authorization
Disclaimer: All the views/data presented are my own and do not reflect the opinion of my current/past employers.
Who am I ?
Sarwar Jahan M.
AppSec Engineer at
• Secure Code Review|Web and Mobile App Security|Threat Modelling
• Synack & Bugcrowd leaderboard: Top 10 researchers (2016)
• Spoken at: n|uCon ’17 , HackCon #13
sarwarjahanm@outlook.com
+91 77 9597 8228 https://in.linkedin.com/in/sarwarjahanm
@sarwarjahanm
Agenda
• Authentication?
• Authorization?
• Case Studies
– Authentication Bypass
• Case Studies
– Broken Authorization and Privilege Escalation
• Remediation
• Q/A
Authentication
Authorization
Case Studies
Authentication Bypass
Case 1: Misuse of Auth-token
Login Scenario:
• Valid Credential => Login status=Success & Auth-token returned in
response
• Wrong credential => Login status=Failed & blank Auth-token returned
Attack Scenario:
• Attacker (user) submits valid credential.
• Intercepts the 1st Login response, copies the Auth-token & drops the
response.
• Sends login request with Target UserID+wrong Password.
• In response, sets Login status=Success & Adds his own Auth-token
value.
RESULT: Attacker gets access to Victim’s account!
Case 2 – Cookie manipulation
Login Scenario: User-ID in session Cookie
• Successful login => App sets session cookie->user-ID (numeric value)
Attack Scenario:
• Attacker (user) logs in to application.
• Using any cookie editor, replaces the user-ID value in cookie with that of a victim &
refreshes the page.
RESULT: Attacker gets access to Victim’s account!
Case 3 - Session Invalidation
Login Scenario:
• Multi-login allowed & Session not expired after Password reset (>3 months).
Attack Scenario:
• Suppose a user identifies that the account is compromised & changes the
password
• The active session still remains active and there was no way to invalidate the
attacker’s session
RESULT: Once Compromised, attacker gets lifetime access of Victim’s account.
Case 4 – Account takeover by Forgot
Password functionality
Password Reset Scenario:
• Forgot password page gives option to select recovery option (OTP/email).
• Part of the options are masked with asterisk(*).
Attack Scenario:
• Attacker provides victim’s user ID in forgot password page.
• Selects any recovery option & using proxy tool can see and modify the
OTP/email option value in request
RESULT: Attacker receives recovery OTP/email and compromises the victim
account
Case 5 – Authentication bypass in Mobile App
Login Scenario:
• On successful login, user session was stored in local /AppData/ folder (sqlite
db).
Attack Scenario:
• After analyzing the sqlite db, it was observed that the stored session is
nothing but triple encoding of the username in the format [{username}]
• Attacker encodes the victim’s username thrice and pushes in the device’s
AppData folder.
• Opens the App in device.
RESULT: Attacker gets logged in to victim’s account
Case 6 – Bypass OTP & Transfer Money
from Mobile Wallet
WebService Calls:
• 1st call: UserID+Registered_Mobile_No => OTP sent to registered mobile number
• 2nd call: Recipient+Amount+OTP => Transfer money
• UserID+wrong_Mobile_No => Proper Error message
• Recipient+Amount+wrong_OTP => Transaction unsuccessful with proper Error
message
Attack Scenario:
• UserID+wrong_Mobile_No with symbol ~ => error message reveals
Registered_Mobil_No
• Initiate valid call to generate OTP (OTP sent to Victim’s mobile so attacker doesn’t
have the OTP)
• Recipient+Amount+wrong_OTP with symbol ~ error message reveals actual OTP
• Recipient+Amount+retrieved OTP => Transaction Successful
RESULT: From Step-by-step error messages, Attacker debits money from victim’s
bank account
Case Studies
Broken Authorization and Privilege Escalation
Case 1 - Boolean based privileges
Application Design:
• Application has only two privileges – Admin & normal user.
• Keeps track of privilege by Boolean parameter
[isAdmin/Admin/SuperManager]=[true/false].
• Admins have additional content which are unavailable for normal user.
Attack Scenario:
• Attacker who is a Normal low privilege user logs in with valid credential
• In response body makes the Boolean value as true
RESULT: Normal user gets admin privilege.
Case 2 – Role based privileges
Application Design:
• Application has more than two privileges.
• Keeps track of privilege by integer numbers (e,g, role=0|1|2) or Constant
Strings (e,g, role=Manager|Admin|user).
• Roles stored in cookie.
Attack Scenario:
• Attacker logs in as low privilege user.
• Edits the cookie and changes the role value
RESULT: Attacker escalates the privilege.
Case 2.1 - Design Flaw – Low priv user updates his
role
Application Design:
• The PeopleManager (role=1) can create/edit other users
with view-only role (role=2). Only super admins (role=0) can
change the role of other users or delete users.
PeopleManager also cannot edit his own account.
Attack Scenario:
• While creating a new user, PeopleManager can use proxy
tool and create new users with admin priv by changing role
parameter to 0.
• While editing other user’s details, PeopleManager replaces
the userID with his own, adds “role” parameter to the
request and sets the value to 0
RESULT: Low Privilege user updates his role to Super-Admin
Case 3 - GUI Based/Client-side privilege
enforcement
Application Design:
• Based on different roles, the application disables/hides privileged features from
low privilege users
E,g, Disabling/Hiding HTML elements
Attack Scenario:
• Using browser dev tool (F12), attacker can inspect the elements and remove the
rules enforced on the basis of roles. Thus can escalate the privilege and bypass
the GUI Based/Client-side privilege enforcement
RESULT: Attacker escalates the privilege and perform disabled/hidden operations.
Case 4 - IDOR to High Priv. pages, Access High
Privilege functions
Application Design:
• High privileged pages are removed from the view for low privileged users.
• Low privilege users are not provided access to sensitive/high privilege functions/features.
Attack Scenarios:
• Attacker either guess or finds out the high privileged pages names/references and calls the
high privileged pages directly.
• Attackers uses Proxy-tool and calls the high privilege function by name which they are not
having access.
• Because of Missing function level access control, it was possible to call and execute high
privilege functions.
RESULT: Attacker gets access to high privileged pages.
Low privilege attacker executes High privilege function.
Case 5 - Design Flaw - user sends SPAM mail to
anyone
Application Design:
• Normal Users can send mails only to the Team members who are available
in drop down recipient list.
• Only Admins can send mails to members of different team
Attack Scenario:
• Using proxy tool, normal user can modify the recipient address to any non
team member’s address, also he can change the sender email ID
RESULT: Attacker sends mail to any non-team member person on behalf of
someone else (SPAMMING)
Case 6 – Deleting project by IDOR
Application Design:
• A normal user who is not owner can only view a project. There is no delete option for the
normal user
• A user can be Normal user for one project but Admin for other projects.
Attack Scenario:
• Normal user views the Project and copies the Project ID from URL
• Normal user himself creates a Project for which he/she becomes owner
• Now for this new project delete option is available
• Clicks delete and using any proxy tool replaces the ProjectID with that of previous project
RESULT: Normal user deleted a Project for which he/she is not owner but a normal member
Responsible Disclosure: https://hackerone.com/reports/85401
Case 7 – Injecting HTML code snippet
Application Design:
• Low privilege normal user doesn’t have permission to add new team
members
Attack Scenario:
• By adding the following HTML code snippet, a normal user was able to add
new team members
<a class="button-link u-gutter js-manage-members" href="#"><span class="icon-sm icon-member"></span> Add
Members</a>
RESULT: Low Privilege normal user added New team members which he did not have
privilege to do
Responsible Disclosure: https://hackerone.com/reports/92050
Remediation
Remediation - Authentication Bypass
Caption Check
Mapping of auth-token and userID
Guessable User identifier in cookie
Proper Session invalidation
Strong Password reset functionality
Response body contains debugging error message
App Data contains sensitive information
Remediation - Authorization Bypass
Caption Check
Map user role with session ID
GUI based/Client-side privilege implementation
Proper Access Control Mechanism
Use IDOR
Server-side validation/Business Logic validation
Questions/Suggestions:
sarwarjahanm@outlook.com
AusCERT 2018

More Related Content

Similar to AusCERT 2018

CNIT 129S: 11: Attacking Application Logic
CNIT 129S: 11: Attacking Application LogicCNIT 129S: 11: Attacking Application Logic
CNIT 129S: 11: Attacking Application Logic
Sam Bowne
 
Security Testing In Application Authentication
Security Testing In Application AuthenticationSecurity Testing In Application Authentication
Security Testing In Application Authentication
RapidValue
 
Requirements Tool
Requirements ToolRequirements Tool
Requirements Tool
gilashikwa
 
Fully dressed Style.docx
Fully dressed Style.docxFully dressed Style.docx
Fully dressed Style.docx
SaimSyed1
 
Identiverse 2019 Security Key Lifecycle
Identiverse 2019 Security Key LifecycleIdentiverse 2019 Security Key Lifecycle
Identiverse 2019 Security Key Lifecycle
derekhanson13
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample Report
Octogence
 
7 Deadly Sins in Azure AD App Development
7 Deadly Sins in Azure AD App Development7 Deadly Sins in Azure AD App Development
7 Deadly Sins in Azure AD App Development
Joonas Westlin
 
Dev Dives: Master advanced authentication and performance in Productivity Act...
Dev Dives: Master advanced authentication and performance in Productivity Act...Dev Dives: Master advanced authentication and performance in Productivity Act...
Dev Dives: Master advanced authentication and performance in Productivity Act...
UiPathCommunity
 
Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2
robin_bene
 
Jresearch Flexess presentation
Jresearch Flexess presentationJresearch Flexess presentation
Jresearch Flexess presentation
Stanislav Spiridonov
 
How to Find and Fix Broken Authentication Vulnerability
How to Find and Fix Broken Authentication VulnerabilityHow to Find and Fix Broken Authentication Vulnerability
How to Find and Fix Broken Authentication Vulnerability
AshKhan85
 
Codendi Administration Guide
Codendi Administration GuideCodendi Administration Guide
Codendi Administration Guide
Codendi
 
Module 1 - Information Assurance and Security 2.pdf
Module 1 - Information Assurance and Security 2.pdfModule 1 - Information Assurance and Security 2.pdf
Module 1 - Information Assurance and Security 2.pdf
Humphrey Humphrey
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentesters
Inon Shkedy
 
Bhaurao 2+ Experience in Node.js
Bhaurao 2+ Experience in Node.jsBhaurao 2+ Experience in Node.js
Bhaurao 2+ Experience in Node.js
Bhaurao Birajdar
 
A7 Missing Function Level Access Control
A7   Missing Function Level Access ControlA7   Missing Function Level Access Control
A7 Missing Function Level Access Control
stevil1224
 
Dynamic watermarking
Dynamic watermarkingDynamic watermarking
Dynamic watermarking
Editor Jacotech
 
IGNOU BCS-051 Software Engineering December 2022 - Exam Solutions.docx
IGNOU BCS-051 Software Engineering December 2022 - Exam Solutions.docxIGNOU BCS-051 Software Engineering December 2022 - Exam Solutions.docx
IGNOU BCS-051 Software Engineering December 2022 - Exam Solutions.docx
AnilVhatkar
 
Oauth 2.0 Security Considerations for Client Applications
Oauth 2.0 Security Considerations for Client ApplicationsOauth 2.0 Security Considerations for Client Applications
Oauth 2.0 Security Considerations for Client Applications
Kasun Dharmadasa
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarj
Pavan Kumar J
 

Similar to AusCERT 2018 (20)

CNIT 129S: 11: Attacking Application Logic
CNIT 129S: 11: Attacking Application LogicCNIT 129S: 11: Attacking Application Logic
CNIT 129S: 11: Attacking Application Logic
 
Security Testing In Application Authentication
Security Testing In Application AuthenticationSecurity Testing In Application Authentication
Security Testing In Application Authentication
 
Requirements Tool
Requirements ToolRequirements Tool
Requirements Tool
 
Fully dressed Style.docx
Fully dressed Style.docxFully dressed Style.docx
Fully dressed Style.docx
 
Identiverse 2019 Security Key Lifecycle
Identiverse 2019 Security Key LifecycleIdentiverse 2019 Security Key Lifecycle
Identiverse 2019 Security Key Lifecycle
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample Report
 
7 Deadly Sins in Azure AD App Development
7 Deadly Sins in Azure AD App Development7 Deadly Sins in Azure AD App Development
7 Deadly Sins in Azure AD App Development
 
Dev Dives: Master advanced authentication and performance in Productivity Act...
Dev Dives: Master advanced authentication and performance in Productivity Act...Dev Dives: Master advanced authentication and performance in Productivity Act...
Dev Dives: Master advanced authentication and performance in Productivity Act...
 
Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2
 
Jresearch Flexess presentation
Jresearch Flexess presentationJresearch Flexess presentation
Jresearch Flexess presentation
 
How to Find and Fix Broken Authentication Vulnerability
How to Find and Fix Broken Authentication VulnerabilityHow to Find and Fix Broken Authentication Vulnerability
How to Find and Fix Broken Authentication Vulnerability
 
Codendi Administration Guide
Codendi Administration GuideCodendi Administration Guide
Codendi Administration Guide
 
Module 1 - Information Assurance and Security 2.pdf
Module 1 - Information Assurance and Security 2.pdfModule 1 - Information Assurance and Security 2.pdf
Module 1 - Information Assurance and Security 2.pdf
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentesters
 
Bhaurao 2+ Experience in Node.js
Bhaurao 2+ Experience in Node.jsBhaurao 2+ Experience in Node.js
Bhaurao 2+ Experience in Node.js
 
A7 Missing Function Level Access Control
A7   Missing Function Level Access ControlA7   Missing Function Level Access Control
A7 Missing Function Level Access Control
 
Dynamic watermarking
Dynamic watermarkingDynamic watermarking
Dynamic watermarking
 
IGNOU BCS-051 Software Engineering December 2022 - Exam Solutions.docx
IGNOU BCS-051 Software Engineering December 2022 - Exam Solutions.docxIGNOU BCS-051 Software Engineering December 2022 - Exam Solutions.docx
IGNOU BCS-051 Software Engineering December 2022 - Exam Solutions.docx
 
Oauth 2.0 Security Considerations for Client Applications
Oauth 2.0 Security Considerations for Client ApplicationsOauth 2.0 Security Considerations for Client Applications
Oauth 2.0 Security Considerations for Client Applications
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarj
 

Recently uploaded

Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
IndexBug
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
CAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on BlockchainCAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on Blockchain
Claudio Di Ciccio
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 

Recently uploaded (20)

Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
CAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on BlockchainCAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on Blockchain
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 

AusCERT 2018

  • 1. Broken Authentication & Authorization Disclaimer: All the views/data presented are my own and do not reflect the opinion of my current/past employers.
  • 2. Who am I ? Sarwar Jahan M. AppSec Engineer at • Secure Code Review|Web and Mobile App Security|Threat Modelling • Synack & Bugcrowd leaderboard: Top 10 researchers (2016) • Spoken at: n|uCon ’17 , HackCon #13 sarwarjahanm@outlook.com +91 77 9597 8228 https://in.linkedin.com/in/sarwarjahanm @sarwarjahanm
  • 3. Agenda • Authentication? • Authorization? • Case Studies – Authentication Bypass • Case Studies – Broken Authorization and Privilege Escalation • Remediation • Q/A
  • 5.
  • 7.
  • 9. Case 1: Misuse of Auth-token Login Scenario: • Valid Credential => Login status=Success & Auth-token returned in response • Wrong credential => Login status=Failed & blank Auth-token returned Attack Scenario: • Attacker (user) submits valid credential. • Intercepts the 1st Login response, copies the Auth-token & drops the response. • Sends login request with Target UserID+wrong Password. • In response, sets Login status=Success & Adds his own Auth-token value. RESULT: Attacker gets access to Victim’s account!
  • 10. Case 2 – Cookie manipulation Login Scenario: User-ID in session Cookie • Successful login => App sets session cookie->user-ID (numeric value) Attack Scenario: • Attacker (user) logs in to application. • Using any cookie editor, replaces the user-ID value in cookie with that of a victim & refreshes the page. RESULT: Attacker gets access to Victim’s account!
  • 11. Case 3 - Session Invalidation Login Scenario: • Multi-login allowed & Session not expired after Password reset (>3 months). Attack Scenario: • Suppose a user identifies that the account is compromised & changes the password • The active session still remains active and there was no way to invalidate the attacker’s session RESULT: Once Compromised, attacker gets lifetime access of Victim’s account.
  • 12. Case 4 – Account takeover by Forgot Password functionality Password Reset Scenario: • Forgot password page gives option to select recovery option (OTP/email). • Part of the options are masked with asterisk(*). Attack Scenario: • Attacker provides victim’s user ID in forgot password page. • Selects any recovery option & using proxy tool can see and modify the OTP/email option value in request RESULT: Attacker receives recovery OTP/email and compromises the victim account
  • 13. Case 5 – Authentication bypass in Mobile App Login Scenario: • On successful login, user session was stored in local /AppData/ folder (sqlite db). Attack Scenario: • After analyzing the sqlite db, it was observed that the stored session is nothing but triple encoding of the username in the format [{username}] • Attacker encodes the victim’s username thrice and pushes in the device’s AppData folder. • Opens the App in device. RESULT: Attacker gets logged in to victim’s account
  • 14. Case 6 – Bypass OTP & Transfer Money from Mobile Wallet WebService Calls: • 1st call: UserID+Registered_Mobile_No => OTP sent to registered mobile number • 2nd call: Recipient+Amount+OTP => Transfer money • UserID+wrong_Mobile_No => Proper Error message • Recipient+Amount+wrong_OTP => Transaction unsuccessful with proper Error message Attack Scenario: • UserID+wrong_Mobile_No with symbol ~ => error message reveals Registered_Mobil_No • Initiate valid call to generate OTP (OTP sent to Victim’s mobile so attacker doesn’t have the OTP) • Recipient+Amount+wrong_OTP with symbol ~ error message reveals actual OTP • Recipient+Amount+retrieved OTP => Transaction Successful RESULT: From Step-by-step error messages, Attacker debits money from victim’s bank account
  • 15. Case Studies Broken Authorization and Privilege Escalation
  • 16. Case 1 - Boolean based privileges Application Design: • Application has only two privileges – Admin & normal user. • Keeps track of privilege by Boolean parameter [isAdmin/Admin/SuperManager]=[true/false]. • Admins have additional content which are unavailable for normal user. Attack Scenario: • Attacker who is a Normal low privilege user logs in with valid credential • In response body makes the Boolean value as true RESULT: Normal user gets admin privilege.
  • 17. Case 2 – Role based privileges Application Design: • Application has more than two privileges. • Keeps track of privilege by integer numbers (e,g, role=0|1|2) or Constant Strings (e,g, role=Manager|Admin|user). • Roles stored in cookie. Attack Scenario: • Attacker logs in as low privilege user. • Edits the cookie and changes the role value RESULT: Attacker escalates the privilege.
  • 18. Case 2.1 - Design Flaw – Low priv user updates his role Application Design: • The PeopleManager (role=1) can create/edit other users with view-only role (role=2). Only super admins (role=0) can change the role of other users or delete users. PeopleManager also cannot edit his own account. Attack Scenario: • While creating a new user, PeopleManager can use proxy tool and create new users with admin priv by changing role parameter to 0. • While editing other user’s details, PeopleManager replaces the userID with his own, adds “role” parameter to the request and sets the value to 0 RESULT: Low Privilege user updates his role to Super-Admin
  • 19. Case 3 - GUI Based/Client-side privilege enforcement Application Design: • Based on different roles, the application disables/hides privileged features from low privilege users E,g, Disabling/Hiding HTML elements Attack Scenario: • Using browser dev tool (F12), attacker can inspect the elements and remove the rules enforced on the basis of roles. Thus can escalate the privilege and bypass the GUI Based/Client-side privilege enforcement RESULT: Attacker escalates the privilege and perform disabled/hidden operations.
  • 20. Case 4 - IDOR to High Priv. pages, Access High Privilege functions Application Design: • High privileged pages are removed from the view for low privileged users. • Low privilege users are not provided access to sensitive/high privilege functions/features. Attack Scenarios: • Attacker either guess or finds out the high privileged pages names/references and calls the high privileged pages directly. • Attackers uses Proxy-tool and calls the high privilege function by name which they are not having access. • Because of Missing function level access control, it was possible to call and execute high privilege functions. RESULT: Attacker gets access to high privileged pages. Low privilege attacker executes High privilege function.
  • 21. Case 5 - Design Flaw - user sends SPAM mail to anyone Application Design: • Normal Users can send mails only to the Team members who are available in drop down recipient list. • Only Admins can send mails to members of different team Attack Scenario: • Using proxy tool, normal user can modify the recipient address to any non team member’s address, also he can change the sender email ID RESULT: Attacker sends mail to any non-team member person on behalf of someone else (SPAMMING)
  • 22. Case 6 – Deleting project by IDOR Application Design: • A normal user who is not owner can only view a project. There is no delete option for the normal user • A user can be Normal user for one project but Admin for other projects. Attack Scenario: • Normal user views the Project and copies the Project ID from URL • Normal user himself creates a Project for which he/she becomes owner • Now for this new project delete option is available • Clicks delete and using any proxy tool replaces the ProjectID with that of previous project RESULT: Normal user deleted a Project for which he/she is not owner but a normal member Responsible Disclosure: https://hackerone.com/reports/85401
  • 23. Case 7 – Injecting HTML code snippet Application Design: • Low privilege normal user doesn’t have permission to add new team members Attack Scenario: • By adding the following HTML code snippet, a normal user was able to add new team members <a class="button-link u-gutter js-manage-members" href="#"><span class="icon-sm icon-member"></span> Add Members</a> RESULT: Low Privilege normal user added New team members which he did not have privilege to do Responsible Disclosure: https://hackerone.com/reports/92050
  • 25. Remediation - Authentication Bypass Caption Check Mapping of auth-token and userID Guessable User identifier in cookie Proper Session invalidation Strong Password reset functionality Response body contains debugging error message App Data contains sensitive information
  • 26. Remediation - Authorization Bypass Caption Check Map user role with session ID GUI based/Client-side privilege implementation Proper Access Control Mechanism Use IDOR Server-side validation/Business Logic validation