Virtually all web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access unauthorized functionality.

Hiding a function from the UI does not protect it: an attacker can simply forge the HTTP requests needed to invoke it. The new OWASP Top Ten expands this category and provides developers with helpful guidance.

Attack Vectors

  • Authorized user changes a URL or parameter to a privileged function.
  • Anonymous users could access private functions that aren’t protected.

Possible Consequences

  • Compromised user accounts.
  • Compromised administrative accounts.
  • Unauthorized use of privileged functionality.

Exercises

  • Manipulate the URL to access privileged functionality.

Steps:

1. Open the login page and log in.

2. Intercept the login request with a proxy tool (such as Tamper Data or Burp Suite).

3. With userlevel=user in the request, the normal user page is returned.

4. Change the parameter to userlevel=admin, and the admin page is returned.

Note: The screenshots above show that an attacker can forge requests in order to access unauthorized functionality.

Prevention:

  • Consider every page: is it public or private?
  • If authentication is required, make sure that checks are in place.
  • If additional authorization is required, make sure that checks are in place.
  • Deny all by default; explicitly grant access to users or roles.
  • Use the permissions architecture to lock down views.
  • Don’t use the built-in admin for normal user admin tasks.
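The following is an added example, not code from the original post, that contrasts the flaw from the exercise above with the deny-by-default prevention advice. The session store, the permission table, the paths and the handler names are all constructed for illustration. The vulnerable handler trusts a client-supplied userlevel parameter, so a forged userlevel=admin is enough; the secure handler ignores request parameters entirely, derives the role from the server-side session, and only serves a view that is explicitly listed with that role.

```python
from dataclasses import dataclass, field

# Constructed sample data: server-side session store keyed by session id.
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "user"},
    "sess-bob": {"user": "bob", "role": "admin"},
}

# Deny-by-default permission table (assumed layout, not from the page):
# a view is reachable only if it is listed here with the roles allowed to call it.
PERMISSIONS = {
    "/profile": {"user", "admin"},
    "/admin/users": {"admin"},
}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: path, query/form params, cookies."""
    path: str
    params: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def vulnerable_handler(req: Request):
    """Missing function level access control: the only 'check' reads the
    client-controlled userlevel parameter, so anyone can forge userlevel=admin."""
    level = req.params.get("userlevel", "anonymous")
    if req.path.startswith("/admin/") and level != "admin":
        return 403, "forbidden"
    return 200, f"served {req.path} as {level}"


def secure_handler(req: Request):
    """Server-side check on every request: authenticate from the session cookie,
    then authorize against PERMISSIONS. Unlisted paths are denied by default and
    nothing the client sends (such as userlevel) influences the decision."""
    session = SESSIONS.get(req.cookies.get("sid"))
    if session is None:
        return 401, "authentication required"
    allowed_roles = PERMISSIONS.get(req.path)
    if allowed_roles is None or session["role"] not in allowed_roles:
        return 403, "forbidden"
    return 200, f"served {req.path} to {session['user']} ({session['role']})"


if __name__ == "__main__":
    forged = Request("/admin/users", params={"userlevel": "admin"},
                     cookies={"sid": "sess-alice"})
    print("vulnerable:", vulnerable_handler(forged))  # forged request succeeds
    print("secure:    ", secure_handler(forged))      # same request is denied
```

The useful property of the secure version is that the decision depends only on state the server controls: the role is looked up by session id, and a view that nobody remembered to add to the permission table is unreachable rather than silently public.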
