Slide 1: Software Security, Jorina van Malsen, Attacking Access Control

Slide 2: Outline
- Access Controls
- Access Control Vulnerabilities
- Securing Access Controls
- Attacking Access Controls

Slide 3: Access Controls
A system which enables an authority to control access to areas and resources in a given physical facility or computer-based information system.
Access controls are a critical defense mechanism within the application because they are responsible for making the decision of whether it should permit a given request to perform its attempted action or access the resources that it is requesting.
When they are defective, an attacker can often compromise the entire application, taking control of administrative functionality and accessing sensitive data belonging to every other user.
They are among the most commonly encountered categories of web application vulnerability (ch. 1).

Slide 4: Common Categories of Vulnerabilities
1. Broken Authentication: encompasses various defects within the application's login mechanism.
2. Broken Access Controls: the application fails to properly protect access to its data and functionality.
3. SQL Injection: enables an attacker to submit crafted input to interfere with the application's interaction with back-end databases.
4. Cross-Site Scripting: enables an attacker to target other users of the application.
5. Information Leakage: the application divulges sensitive information that is of use to an attacker in developing an assault against the application, through defective error handling or other behavior.

Slide 5: Vertical vs Horizontal Access Controls
Vertical access controls: allow different types of users to access different parts of the application's functionality, e.g. the division between ordinary users and administrators.
Horizontal access controls: allow users to access a certain subset of a wider range of resources of the same type, e.g. a web mail application may allow you to read your own email but no one else's; you can only see your own details.

Slide 6: Access Control Vulnerabilities
Access controls are broken if any user is able to access functionality or resources for which he is not authorized.
They are among the most commonly encountered categories of web application vulnerabilities.
Two main types of attack against access controls:
1. Vertical privilege escalation: when a user can perform functions that their assigned role does not permit them to do.
2. Horizontal privilege escalation: when a user can view or modify resources to which he is not entitled.

Slide 7: Access Control Security and its Weaknesses
1. Completely Unprotected Functionality
2. Identifier-Based Functions
3. Multistage Functions
4. Static Files

Slide 8: Completely Unprotected Functionality
In many cases of broken access controls, sensitive functionality and resources can be accessed by anyone who knows the relevant URL, e.g. when https:/wahh- allows a user to enter a certain user interface.
Weaknesses:
- The URL can be guessed (especially by an insider).
- The link appears in browser histories and in the logs of web servers and proxy servers.
- Users may write such URLs down, bookmark them or email them around.
- They are not normally changed periodically, as passwords should be.
- When users change job roles, and their access to administrative functionality needs to be withdrawn, there is no way to delete their knowledge of a particular URL.

Slide 9: Identifier-Based Functions
When a function of an application is used to gain access to a specific resource, it is very common to see an identifier for the requested resource being passed to the server in a request parameter, either within the URL query string or in the body of a POST request.
When the user who owns the document is logged in, a link to this URL is displayed on the user's My Documents page. Other users do not see this link.
In order to be able to open the link, an attacker needs to know the name of the application page and the identifier of the document he wishes to view.
Weaknesses:
- Passwords are often easy to guess.
- Lots of people write down resource identifiers or save them on their computer, so they are easy to find.

Slide 10: Multistage Functions
These involve capturing different items of data from the user at each stage. This data is strictly checked when first submitted and then is usually passed to each subsequent stage, using hidden fields in an HTML form.
Main weaknesses:
- Developers often assume that any user who reaches the later stages of the process must have the relevant privileges, because this was verified at the earlier stages.
- It is also often assumed that people will access application pages in the intended sequence; by taking an "other path" people could avoid user identification.

Slide 11: Static Files
In some cases, requests for protected resources are made directly to the static resources themselves, which are located within the web root of the server, e.g. an online publisher may allow users to browse its book catalog and purchase ebooks for download. Once the payment has been made, the user is directed to a download URL. As this is a completely static resource, it does not execute on the server, and its contents are simply returned directly by the web server. Hence, the resource itself cannot implement any logic to verify that the requesting user has the required privileges.
When static resources are accessed in this way, it is highly likely that there are no effective access controls protecting them and that anyone who knows the URL naming scheme can exploit this to access any resources they desire.

Slide 12: Securing Access Controls: Pitfalls
Access controls are one of the easiest areas of web application security; still, there are several obvious pitfalls to avoid. These usually arise from ignorance about the essential requirements of effective access control, or from flawed assumptions about the kinds of requests that users will make and against which the application needs to defend itself.
Web application developers often implement access control functions on a piecemeal basis, adding code to individual pages in cases where they register that some access control is required, and often cutting and pasting the same code between pages to implement similar requirements.
- Do not trust any user-submitted parameters to signify access rights (such as admin=true).
- Do not assume that users will access application pages in the intended sequence (make sure people will also not be able to avoid access controls by taking a different "path").
- Do not trust the user not to tamper with any data that is transmitted via the client. If some user-submitted data has been validated and is then transmitted via the client, do not rely upon the retransmitted value without revalidation.

Slide 13: Implementing Effective Access Controls within Web Applications (1)
Explicitly evaluate and document the access control requirements for every unit of application functionality. This needs to include both who can legitimately use the function and what resources individual users may access via the function.

Slide 14: Implementing Effective Access Controls within Web Applications (2)
Drive all access control decisions from the user's session.

Slide 15: Implementing Effective Access Controls within Web Applications (3)
Use a central application component to check access controls.
Advantages:
- It increases the clarity of access controls within the application, enabling different developers to quickly understand the controls implemented by others.
- Maintenance is more efficient and reliable. Most changes will only need to be applied once, to a single shared component, and will not need to be cut and pasted to multiple locations.
- It improves adaptability. Where new access control requirements arise, these can be easily reflected within an existing API implemented by each application page.
- It results in fewer mistakes and omissions than if access control code is implemented piecemeal throughout the application.

Slide 16: Implementing Effective Access Controls within Web Applications (4)
Process every single client request via this component to validate that the user making the request is permitted to access the functionality and resources being requested.

Slide 17: Implementing Effective Access Controls within Web Applications (5)
Use programmatic techniques to ensure that there are no exceptions to the previous point. An effective approach is to mandate that every application page must implement an interface that is queried by the central access control mechanism. By forcing developers to explicitly code access control logic into every page, there can be no excuse for omissions.

Slide 18: Implementing Effective Access Controls within Web Applications (6)
For particularly sensitive functionality, such as administrative pages, you can further restrict access by IP address to ensure that only users from a specific network range are able to access the functionality, regardless of their login status.

Slide 19: Implementing Effective Access Controls within Web Applications (7)
If static content needs to be protected, there are two methods of providing access control:
- Static files can be accessed indirectly by passing a file name to a dynamic server-side page which implements the relevant access control logic.
- Direct access to static files can be controlled using HTTP authentication or other features of the application server to wrap the incoming request and check the permissions for the resource before granting access.

Slide 20: Implementing Effective Access Controls within Web Applications (8)
Identifiers specifying which resource a user wishes to access are vulnerable to tampering whenever they are transmitted via the client. The server should trust only the integrity of server-side data. Any time these identifiers are transmitted via the client, they need to be revalidated to ensure the user is authorized to access the requested resource.

Slide 21: Implementing Effective Access Controls within Web Applications (9)
For security-critical application functions, such as the creation of a new bill payee in a banking application, consider implementing per-transaction reauthentication and dual authorization to provide additional assurance that the function is not being used by an unauthorized party. This will also mitigate the consequences of other possible attacks, such as session hijacking.

Slide 22: Implementing Effective Access Controls within Web Applications (10)
Log every event where sensitive data is accessed or a sensitive action is performed. These logs will enable potential access control breaches to be detected and investigated.

Slide 23: A Multi-Layered Privilege Model
Issues relating to access apply not only to the web application itself but also to the other infrastructure tiers which lie beneath it. In this case, these access controls could be a good alternative:
- Programmatic Control
- Discretionary Access Control (DAC)
- Role-Based Access Control (RBAC)
- Declarative Control

Slide 24: Programmatic Control
The matrix of individual database privileges is stored in a table within the database, and applied programmatically to enforce access control decisions. The classification of user roles provides a shortcut for applying certain access control checks, and this is also applied programmatically.
Advantages:
- It can be extremely fine-grained.
- It can build arbitrarily complex logic into the process of carrying out access control decisions within the application.

Slide 25: Discretionary Access Control (DAC)
Various application users have privileges to create user accounts.
- Closed DAC model: access is denied unless explicitly granted.
- Open DAC model: access is permitted unless explicitly withdrawn.

Slide 26: Role-Based Access Control (RBAC)
Named roles contain different sets of specific privileges, and each user is assigned to one of these roles. This enables many unauthorized requests to be quickly rejected with a minimum amount of processing being performed.
The number of roles should be balanced:
- Too many roles: difficult to manage accurately.
- Too few roles: the resulting roles will be assigned privileges that are not strictly necessary for the performance of their function.

Slide 27: Declarative Control
Uses restricted database accounts when accessing the database. Employs different accounts for different groups of users, with each account having the least level of privilege necessary for carrying out the actions which that group is permitted to perform.
Advantage: even if a user finds a means of breaching the access controls implemented within the application tier, so as to perform a sensitive action such as adding a new user, they will be prevented from doing so because the database account that they are using does not have the required privileges within the database.

Slide 28: Attacking Access Controls
In some cases, finding a break in access controls is almost trivial: request a common administrative URL and gain direct access to the functionality. In other cases, it may be very hard, and subtle defects may lurk deep within application logic, particularly in complex, high-security applications. The most important lesson when attacking access controls is to look everywhere. If you are struggling to make progress, be patient and test every single step of every application function. A bug that allows you to own the entire application may be just around the corner.
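As an added example (not from the slides or their author), the Python sketch below implements the central access-control component described on slides 12 to 22: every request passes through one gate, the decision is driven only by the server-side session, resource identifiers are revalidated against server-side ownership data, multistage progress is tracked in the session rather than in hidden fields, and every decision is logged. The session store, document owners, policy table and paths are all constructed sample data.

```python
import logging
from dataclasses import dataclass, field

# Constructed sample state (not from the slides): a server-side session store,
# the owner of each document, and the documented access-control policy for
# every unit of functionality (slide 13). A page missing from POLICY is denied.
SESSIONS = {"sess-alice": {"user": "alice", "role": "user"},
            "sess-bob": {"user": "bob", "role": "user"},
            "sess-root": {"user": "root", "role": "admin"}}
DOCUMENT_OWNERS = {"doc-1001": "alice", "doc-1002": "bob"}
POLICY = {"/admin/users": {"roles": {"admin"}},
          "/docs/view": {"roles": {"user", "admin"}, "owned": "doc"},
          "/payee/step1": {"roles": {"user"}},
          "/payee/step2": {"roles": {"user"}, "after": "/payee/step1"},
          "/payee/confirm": {"roles": {"user"}, "after": "/payee/step2"}}
AUDIT = logging.getLogger("access")  # slide 22: log every sensitive decision


@dataclass
class Request:
    path: str
    cookies: dict
    params: dict = field(default_factory=dict)


def authorize(req):
    """Central gate every request passes through (slides 15-17). The decision
    is driven only by the server-side session (slide 14); client-supplied
    parameters such as admin=true are never consulted (slide 12)."""
    session = SESSIONS.get(req.cookies.get("sid"))
    if session is None:
        return deny(req, "no session")
    rule = POLICY.get(req.path)
    if rule is None:
        return deny(req, "unregistered page")     # fail closed: no omissions
    if session["role"] not in rule["roles"]:
        return deny(req, "role not permitted")    # vertical access control
    if "owned" in rule:                           # horizontal access control:
        doc = req.params.get(rule["owned"])       # revalidate the identifier
        if DOCUMENT_OWNERS.get(doc) != session["user"]:   # against server data
            return deny(req, "not the owner")
    if "after" in rule and session.get("stage") != rule["after"]:
        return deny(req, "stage skipped")         # multistage order enforced server-side
    session["stage"] = req.path                   # progress lives in the session, not a hidden field
    AUDIT.info("ALLOW user=%s path=%s", session["user"], req.path)
    return True, "ok"


def deny(req, reason):
    AUDIT.warning("DENY sid=%s path=%s reason=%s", req.cookies.get("sid"), req.path, reason)
    return False, reason
```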
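A second added example (again not from the slides) for the static-file case of slides 11 and 19, using the first method on slide 19: the ebook is never fetched from the web root by name; the client sends only an opaque purchase id to a dynamic page, which looks the purchase up in server-side records, checks that it belongs to the session user, and only then streams the file from a store directory outside the web root. The store, purchase records and sessions are constructed here.

```python
import tempfile
from pathlib import Path

# Constructed sample state (not from the slides): the ebook store sits outside
# the web root, and each purchase record maps an opaque purchase id to the
# buyer and the file name. The client never names a file directly.
STORE = Path(tempfile.mkdtemp(prefix="ebooks-")).resolve()
(STORE / "crypto-101.pdf").write_bytes(b"%PDF-1.4 constructed sample ebook\n")
(STORE / "netsec-2e.pdf").write_bytes(b"%PDF-1.4 another constructed sample\n")
PURCHASES = {"p-7f3a": {"user": "alice", "file": "crypto-101.pdf"},
             "p-91c0": {"user": "bob", "file": "netsec-2e.pdf"}}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def download(sid, purchase_id):
    """Dynamic download page placed in front of the static file (slide 19).
    Returns (status, body): 401 without a session, 403 when the purchase does
    not belong to the session user, 404 when the record names a missing file."""
    user = SESSIONS.get(sid)
    if user is None:
        return 401, None
    record = PURCHASES.get(purchase_id)
    if record is None or record["user"] != user:
        return 403, None            # horizontal check against server-side data only
    target = (STORE / record["file"]).resolve()
    if target.parent != STORE or not target.is_file():
        return 404, None            # defence in depth: never leave the store directory
    return 200, target.read_bytes()
```

A guessed file name such as crypto-101.pdf is not a purchase id, so it is refused before any file system access.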