[TOC]

# Access Control (Web Application)

Access control typically depends on authentication and session management:

1. Authentication
2. Session management (session -> connection information)

Kinds of access control:

- Vertical access control
- Horizontal access control
- Context-dependent access control: prevents a user from performing an action in the wrong order (e.g. skipping a step of a multi-step flow)

# Vertical Privilege Escalation

Normal user -> admin

## Unprotected URL - Flaws

If the website does not protect sensitive functionality (e.g. a management page), an attacker can discover it by directory enumeration and use it directly; if that page offers file upload, it is enough to drop a web shell, which results in RCE.

Sensitive functionality (not protected):

```
https://insecure-website.com/management
```

---

### LAB-1: Admin Panel Allows Direct Access

The site publishes a robots.txt, and it discloses the admin path.

robots.txt

![](https://hackmd.io/_uploads/Hk9unFqYn.png)

Sensitive path access: `/administrator-panel`

![](https://hackmd.io/_uploads/ryKb6tqY2.png)

Solved

### LAB-2: JavaScript Leaks Sensitive URL

#### Enumeration & Analysis

Attack surface (actions/options):

- Site map
- Content discovery
- Find scripts
- Dynamic parameters (attack surface)

Find scripts

![image](https://hackmd.io/_uploads/SJr1QYQZ0.png)

#### Identify

**Testing**

Test -> https://0afc002903eeef998353afd7002600a4.web-security-academy.net/admin-o9rpyl

**Flawed Design**

JavaScript leaks the sensitive URL: the admin path is present in client-side script even though the link is hidden from non-admin users.

![image](https://hackmd.io/_uploads/Hy0EVt7ZA.png)

**Defense Mechanism**

None.

#### Exploit

![image](https://hackmd.io/_uploads/HyW5VYXZC.png)

![image](https://hackmd.io/_uploads/H1pfBF7WR.png)

Solved

## Parameter-Based Flaws

Flawed designs (values the user controls):

- Query string
- Hidden field
- Cookie

### LAB1: Cookie Contains Admin Attribute!
Valid credentials: wiener:peter

#### Enumeration & Analysis

Attack surface (actions/options): site map, content discovery, find scripts, dynamic parameters.

![image](https://hackmd.io/_uploads/rygpPt7bC.png)

#### Identify

**Investigation**

```
/my-account?id=wiener
```

**Flawed Design**

The session cookie is accompanied by an `Admin` attribute, and the server trusts it: flipping the value to `true` grants admin access.

![image](https://hackmd.io/_uploads/rJ96OF7b0.png)

**Defense Mechanism**

None.

#### Exploit

![image](https://hackmd.io/_uploads/BJX7uK7ZA.png)

![image](https://hackmd.io/_uploads/ByMiuF7Z0.png)

Solved!

### LAB-2: User Object Allows Attribute Injection

Valid credentials: wiener:peter

#### Enumeration & Analysis

Attack surface (actions/options): site map, content discovery, find scripts, dynamic parameters.

![image](https://hackmd.io/_uploads/rJPmTt7ZC.png)

#### Identify

**Investigation**

```
POST /my-account/change-email
```

![image](https://hackmd.io/_uploads/BkCE6KXb0.png)

**Flawed Design**

The JSON response to the change-email request echoes the whole user object, including `roleid`, and the same endpoint accepts any field of that object in the request body (mass assignment). `roleid` should neither appear in the response nor be settable by the user.

**Defense Mechanism**

None.

#### Exploit

Add a `roleid` field carrying the admin role's value to the JSON body of the change-email request.

![image](https://hackmd.io/_uploads/S1w0pFQbC.png)

![image](https://hackmd.io/_uploads/S14yAY7b0.png)

![image](https://hackmd.io/_uploads/HJSx0KQZ0.png)

Solved

# Misconfiguration

## URL-Based Access Control (Proxy) & HTTP Header Bypass

Reference: https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/special-http-headers#headers-to-change-location

![image](https://hackmd.io/_uploads/HkzHGcXWA.png)

Flawed rule (enforced on the front-end proxy, keyed on the request-line URL):

```
DENY: POST, /admin/management, managers
```

Bypass: if the back-end is built on a framework, it may honour non-standard HTTP headers that replace the URL the front-end saw.

### Rewrite Location

```
X-Original-URL: /Limit_URL
X-Rewrite-URL: /Limit_URL
```

Nginx proxy (CTF):

```
X-Accel-Redirect: /Limit_URL
```

Caveat: `X-Accel-Redirect` is a response header that nginx acts on when the back-end sets it, not a request header the client sends; it only helps if you can make the back-end emit it (e.g. through a header-injection bug).

e.g.

```
POST / HTTP/1.1
X-Original-URL: /admin/deleteUser
...
```
### LAB-1: URL-Based Access Control / Bypass via X-Original-URL Header

Valid credentials:

#### Enumeration & Analysis

Attack surface (actions/options): site map, content discovery, find scripts, dynamic parameters.

![image](https://hackmd.io/_uploads/S1Hox6Eb0.png)

![image](https://hackmd.io/_uploads/ry2cgT4ZA.png)

![image](https://hackmd.io/_uploads/rJoYxpNWR.png)

#### Identify

**Investigation**

**Flawed Design**

The admin panel link is exposed on the home page.

![image](https://hackmd.io/_uploads/SJnCah4WA.png)

**Defense Mechanism**

`/admin` cannot be requested directly: the front-end blocks it.

![image](https://hackmd.io/_uploads/rJ-nAh4WR.png)

**Bypass**

Request forwarding via the rewrite headers:

```
X-Original-URL
X-Rewrite-URL
```

The back-end honours these headers, so an attacker can route around the proxy's URL check. Check first that the header is actually honoured (the response changes when the header names a different path):

![image](https://hackmd.io/_uploads/rJ4bxaV-A.png)

#### Exploit

You may hit a "parameter not found" error: `X-Original-URL` replaces only the path, so appending `?username=...` to the header value does not work. Put the query string on the request line instead (`GET /?username=... HTTP/1.1`) and keep the admin path in `X-Original-URL`.

![image](https://hackmd.io/_uploads/H1ntMTNZR.png)

![image](https://hackmd.io/_uploads/Skr8Z6EZA.png)

Solved!
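The pattern behind this lab, and behind the URL-matching and method-based sections that follow, is the same: the front-end compares the raw request line literally, while the back-end normalises the path, honours rewrite headers and routes any verb. The following Python model is an added example, not code from the labs or from any product; the deny rule, the route table and the normalisation rules are constructed to mirror the bypasses listed on this page, and `hardened_proxy_allows` shows the fix (normalise the same way as the back-end, ignore the verb, and strip client-supplied rewrite headers before forwarding).

```python
from urllib.parse import parse_qs, urlsplit

# Constructed front-end rule for this example, in the spirit of the notes'
# "DENY: POST, /admin/management, managers": compared literally against
# the request line, nothing else.
PROXY_DENY = {("POST", "/admin/deleteUser")}

# Constructed back-end route table. Keys are canonical paths; the verb is
# deliberately not part of the key (any method reaches the handler).
ROUTES = {
    "/admin/deleteuser": "deleteUser",
    "/my-account": "myAccount",
}

# Headers a framework-based back-end may honour to replace the path.
OVERRIDE_HEADERS = ("X-Original-URL", "X-Rewrite-URL")


def canonical(path):
    """Lenient back-end normalisation: case-insensitive, trailing slash
    ignored, and a file-extension suffix (Spring-style) stripped."""
    path = path.lower().rstrip("/") or "/"
    head, _, last = path.rpartition("/")
    if "." in last:
        last = last.split(".", 1)[0]
    return f"{head}/{last}"


def proxy_allows(method, target, headers):
    """Naive front-end: exact verb, exact path, request line only."""
    return (method, urlsplit(target).path) not in PROXY_DENY


def hardened_proxy_allows(method, target, headers):
    """Fixed front-end: verb-agnostic, normalised the same way as the
    back-end, and applied to override headers as well as the request line."""
    candidates = [urlsplit(target).path]
    candidates += [headers[h] for h in OVERRIDE_HEADERS if h in headers]
    denied = {canonical(p) for _, p in PROXY_DENY}
    return not any(canonical(urlsplit(c).path) in denied for c in candidates)


def backend_dispatch(method, target, headers):
    """Lenient back-end: the first override header present replaces the
    path. Query parameters always come from the request line, which is why
    the lab needs ?username=... on the GET path rather than in the header."""
    parts = urlsplit(target)
    path = next((headers[h] for h in OVERRIDE_HEADERS if h in headers), parts.path)
    handler = ROUTES.get(canonical(urlsplit(path).path))
    if handler is None:
        return ("404", {})
    return (handler, {k: v[0] for k, v in parse_qs(parts.query).items()})


def attempt(method, target, headers=None, hardened=False):
    """Send one request through the proxy and, if it passes, the back-end."""
    headers = dict(headers or {})
    gate = hardened_proxy_allows if hardened else proxy_allows
    if not gate(method, target, headers):
        return ("blocked-by-proxy", {})
    if hardened:
        for h in OVERRIDE_HEADERS:
            headers.pop(h, None)  # never forward client-supplied rewrites
    return backend_dispatch(method, target, headers)


def bypass_matrix(hardened=False):
    """The page's bypass candidates, each reduced to which handler ran."""
    cases = {
        "literal": ("POST", "/admin/deleteUser", {}),
        "case": ("POST", "/ADMIN/deleteUser", {}),
        "trailing-slash": ("POST", "/admin/deleteUser/", {}),
        "suffix": ("POST", "/admin/deleteUser.anything", {}),
        "x-original-url": ("POST", "/?username=carlos",
                           {"X-Original-URL": "/admin/deleteUser"}),
        "verb": ("POSTA", "/admin/deleteUser", {}),
    }
    return {name: attempt(m, t, h, hardened)[0] for name, (m, t, h) in cases.items()}


if __name__ == "__main__":
    for name, outcome in bypass_matrix().items():
        print(f"naive proxy     {name:15s} -> {outcome}")
    for name, outcome in bypass_matrix(hardened=True).items():
        print(f"hardened proxy  {name:15s} -> {outcome}")
```

Against the naive proxy only the literal request is blocked; every other candidate reaches `deleteUser`. Note that a query string placed inside `X-Original-URL` is dropped by the model, matching the "parameter not found" behaviour in the lab, while the same parameters on the request line are delivered.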
## Proxy and Framework URL-Matching Discrepancies - Flaw

Required environment:

- Proxy in front: strict matching (low tolerance)
- Back-end: lenient matching (high tolerance)

If there is a proxy in front of the website, the difference in how the two components interpret the same request can be leveraged to bypass the proxy's check.

### Exploit

```
Rule:   Deny /admin
Bypass: /aDmIn

Rule:   Deny /admin
Bypass: /admin/

Rule:   Deny /admin
Bypass: /admin.moew
```

The third case works when the framework ignores an arbitrary file-extension suffix; the suffix itself does not matter.

## Method-Based (Flawed & Bypass)

### Fuzzing

Verb wordlist:

```
GET
HEAD
CONNECT
TRACE
OPTIONS
ACL
ARBITRARY
BASELINE-CONTROL
BCOPY
BDELETE
BIND
BMOVE
BPROPFIND
BPROPPATCH
CHECKIN
CHECKOUT
COPY
DEBUG
INDEX
LABEL
LINK
LOCK
MERGE
MKACTIVITY
MKCALENDAR
MKCOL
MKREDIRECTREF
MKWORKSPACE
MOVE
NOTIFY
ORDERPATCH
PATCH
POLL
PROPFIND
PROPPATCH
REBIND
REPORT
RPC_IN_DATA
RPC_OUT_DATA
SEARCH
SUBSCRIBE
TRACK
UNBIND
UNCHECKOUT
UNLINK
UNLOCK
UNSUBSCRIBE
UPDATE
UPDATEREDIRECTREF
VERSION-CONTROL
X-MS-ENUMATTS
```

### Dangerous HTTP verbs

```
DELETE
PUT
POST
```

### Custom HTTP verbs

```
GETM
POSTA
...
```

### Lab-2: Bypass Method-Based Access Control

Valid credentials: administrator:admin

#### Enumeration & Analysis

Attack surface (actions/options): site map, content discovery, find scripts, dynamic parameters.

#### Identify

**Investigation**

```
POST /admin-roles
username=carlos&action=upgrade
```

**Flawed Design**

![image](https://hackmd.io/_uploads/ByxNQkA4-C.png)

(Admin)

![image](https://hackmd.io/_uploads/ByTtTTNZC.png)

(wiener)

![image](https://hackmd.io/_uploads/rk3wCp4WC.png)

**Defense Mechanism**

`/admin` -> not accessible to wiener.

![image](https://hackmd.io/_uploads/Hyqz_aE-A.png)

![image](https://hackmd.io/_uploads/Hy_KAp4WC.png)

Replaying the admin's POST with wiener's session returns "Unauthorized", so the check is bound to the method/path pair. **Bypass** (vertical privilege escalation): change the verb to a non-standard one and move the parameters into the query string:
```
POSTA /admin-roles?username=wiener&action=upgrade
```

![image](https://hackmd.io/_uploads/HySh1ANZA.png)

#### Exploit

The request above, sent with wiener's session, upgrades wiener.

# Horizontal Privilege Escalation

## Parameter-Based Access Control (IDOR)

IDOR -> Insecure Direct Object Reference

### LAB-1: User ID Controlled by Query Parameter

![image](https://hackmd.io/_uploads/SyrXBJBbA.png)

![image](https://hackmd.io/_uploads/H1xLSkB-0.png)

Solved

### LAB-2: Unpredictable ID Leak!

Valid credentials: wiener:peter

#### Enumeration & Analysis

Attack surface (actions/options): site map, content discovery, find scripts, dynamic parameters.

![image](https://hackmd.io/_uploads/Hys3I1r-C.png)

#### Identify

**Investigation**

**Flawed Design**

![image](https://hackmd.io/_uploads/ByAwPJBZ0.png)

The comment functionality leaks each user's (otherwise unpredictable) ID.

![image](https://hackmd.io/_uploads/SJmz_JBZA.png)

**Defense Mechanism**

![image](https://hackmd.io/_uploads/SJgqDkrWC.png)

**Bypass**

Reuse the leaked ID in the `id` parameter of the account page request shown above.

#### Exploit

Search for the target user's name in the blog comments.

![image](https://hackmd.io/_uploads/r1f5O1BWA.png)

![image](https://hackmd.io/_uploads/S1Yn_yB-R.png)

![image](https://hackmd.io/_uploads/SyCTuyrWR.png)

Solved!
## Lab3: User ID Controlled by Request Parameter with Data Leakage in Redirect

Valid credentials: wiener:peter

#### Enumeration & Analysis

Attack surface (actions/options): site map, content discovery, find scripts, dynamic parameters.

#### Identify

The 302 redirect still carries the account page in its body, so it leaks carlos's API key.

![image](https://hackmd.io/_uploads/H1RLskS-0.png)

#### Exploit

![image](https://hackmd.io/_uploads/BkUtjyr-R.png)

# Horizontal to Vertical Privilege Escalation

## IDOR

### LAB1: User ID Controlled by Request Parameter with Password Disclosure

Valid credentials: wiener:peter

#### Enumeration & Analysis

Attack surface (actions/options): site map, content discovery, find scripts, dynamic parameters.

![image](https://hackmd.io/_uploads/HJXeAJHZR.png)

#### Identify

**Investigation**

**Flawed Design**

Password leak: the account page pre-fills the password field.

![image](https://hackmd.io/_uploads/ByLICJr-C.png)

IDOR: the `id` parameter selects whose account page is rendered.

![image](https://hackmd.io/_uploads/SJ1oCJHbC.png)

#### Exploit

![image](https://hackmd.io/_uploads/rkaGVxBWC.png)

```
administrator:yg8fa8k6yvsdfvgpia87
```

![image](https://hackmd.io/_uploads/H1jKEeBZR.png)

### LAB-2: IDOR (Easy)

![image](https://hackmd.io/_uploads/H1Q6CgHWA.png)

![image](https://hackmd.io/_uploads/HJ5xAerbC.png)

```
carlos:mgb3yro65ln19hfn06je
```

![image](https://hackmd.io/_uploads/B1F8yWrbA.png)

Solved

# Multi-Step Processes - Flawed

![image](https://hackmd.io/_uploads/SkYq_brWA.png)

### LAB-1: Step 2 of the Flow Does Not Check the Session's Privileges (/admin-roles)

Valid credentials: wiener:peter

#### Enumeration & Analysis

Attack surface (actions/options): site map, content discovery, find scripts, dynamic parameters.

#### Identify

**Investigation**

`/admin-roles`

![image](https://hackmd.io/_uploads/rkXPnZrZC.png)

**Flawed Design**

One submission is two requests.

Flow 1 (session and privilege checked):

```
POST /admin-roles
username=wiener&action=upgrade
```

Flow 2 (no check):

```
POST /admin-roles
action=upgrade&confirmed=true&username=wiener
```

Only the first step verifies the caller, so we can send the flow-2 request directly with our wiener session to escalate our own privilege.

#### Exploit

![image](https://hackmd.io/_uploads/ByPbZGB-A.png)

![image](https://hackmd.io/_uploads/HyqJWzBZC.png)

Solved!

# Referer-Based Access Control - Flawed

Some sensitive sub-pages check the Referer header: if the value points at a trusted origin (e.g. the admin page), the request is allowed. The Referer is fully attacker-controlled, so this is no access control at all.

![image](https://hackmd.io/_uploads/HkoquPL-A.png)

## LAB: Referer-Based Access Control

wiener:peter

```
GET /admin-roles?username=carlos&action=upgrade HTTP/1.1
Cookie: session=
Referer: https://0a80005b0327b2b781d6cae9007c003a.web-security-academy.net/admin
```

![image](https://hackmd.io/_uploads/HkswtwI-R.png)

![image](https://hackmd.io/_uploads/r1L0tw8ZA.png)

![image](https://hackmd.io/_uploads/B1eg5DU-0.png)

## Location-Based Access Control

Some websites enforce access control on resources based on the user's geographic location.

### Bypass

- Proxy
- VPN
- Manipulate the client-side location

# Prevent Access Control Vulnerabilities

Access control vulnerabilities can usually be prevented by taking a defence-in-depth approach and applying the following principles:

- Never rely on obfuscation alone for access control.
- Unless a resource is intended to be publicly accessible, deny access by default.
- Wherever possible, use a single application-wide mechanism to enforce access control.
- At the code level, require developers to declare the access allowed for each resource, and deny access by default.
- Thoroughly audit and test access controls to ensure they work as designed.
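As an added example (not code from the labs or from PortSwigger), the Python sketch below applies these principles in one place and closes the specific flaws worked through above: the role is read from a server-side session table rather than from an `Admin` cookie, `roleid` is not an editable field, the `id` parameter must name the caller, the verb/path pair is looked up in a single deny-by-default policy table (so `POSTA`, `GET /admin-roles`, `/ADMIN/` and an `X-Original-URL` header buy nothing), the second step of the role-upgrade flow is gated like the first, and the Referer is never consulted. The users, sessions, policy table and handlers are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed server-side state for this example. A user's role lives only
# here: never in a cookie, never in a JSON body the client can edit.
USERS = {
    "wiener": {"role": "user", "email": "wiener@example.com"},
    "carlos": {"role": "user", "email": "carlos@example.com"},
    "administrator": {"role": "admin", "email": "admin@example.com"},
}
SESSIONS = {"s-wiener": "wiener", "s-admin": "administrator"}
RANK = {"user": 1, "admin": 2}

# The single application-wide policy: every resource declares the role it
# needs, keyed on the exact verb and the canonical path. Anything not listed
# (unknown verb such as POSTA, unknown path, GET on a POST-only endpoint) is
# denied by default.
POLICY = {
    ("GET", "/my-account"): "user",
    ("POST", "/my-account/change-email"): "user",
    ("GET", "/admin"): "admin",
    ("POST", "/admin-roles"): "admin",
}

# Fields a user may change on their own record; roleid is not one of them.
EDITABLE = {"email"}


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def canonical(path):
    """Normalise before the policy lookup so /ADMIN/ and /admin are the same
    resource to the gate and to the router."""
    return path.lower().rstrip("/") or "/"


def principal(req):
    """Who is asking? Only the server-side session table is consulted.
    Admin=true cookies, X-Original-URL and Referer are never read."""
    return SESSIONS.get(req.cookies.get("session"))


def authorize(req):
    """Deny-by-default gate run on every request, including the second step
    of a multi-step flow."""
    user = principal(req)
    if user is None:
        return False, "no session"
    needed = POLICY.get((req.method, canonical(req.path)))
    if needed is None:
        return False, "unlisted method/path"
    have = USERS[user]["role"]
    if RANK[have] < RANK[needed]:
        return False, f"role {have} < {needed}"
    return True, user


def handle(req):
    """Dispatch after the gate; handlers add only the object-level checks."""
    ok, info = authorize(req)
    if not ok:
        return (401 if info == "no session" else 403), info
    user, path = info, canonical(req.path)
    if path == "/my-account":
        # Horizontal check: the id parameter must name the caller (IDOR).
        if req.params.get("id", user) != user:
            return 403, "not your account"
        return 200, dict(USERS[user])
    if path == "/my-account/change-email":
        # Mass-assignment defence: apply allow-listed fields only.
        accepted = {k: v for k, v in req.body.items() if k in EDITABLE}
        USERS[user].update(accepted)
        return 200, {"updated": sorted(accepted), "ignored": sorted(set(req.body) - EDITABLE)}
    if path == "/admin-roles":
        # confirmed=true is a workflow flag, not a substitute for the gate above.
        target = req.body.get("username")
        if target not in USERS or not req.body.get("confirmed"):
            return 400, "confirm first"
        USERS[target]["role"] = "admin"
        return 200, f"{target} upgraded"
    return 200, "admin panel"


if __name__ == "__main__":
    forged = Request("GET", "/admin", cookies={"session": "s-wiener", "Admin": "true"},
                     headers={"Referer": "https://example.test/admin"})
    print(handle(forged))  # the forged cookie and Referer change nothing
```

The point of the table-driven gate is that adding an endpoint without a `POLICY` entry makes it unreachable rather than open, which is the "declare access per resource, deny by default" principle from the list above; the per-handler code then only has to answer the object-level question (is this my account, which fields may I edit).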