I recently came across a penetration test that taught me how to bypass the present access control and perform privilege escalation. The client's website was very well secured and put up in terms of security, but one thing that was apparent was a misconfiguration on the website which allowed me to bypass the access control and later escalate privileges.
Access control is the application of constraints on who (or what) can perform attempted actions or access resources they have requested. In the context of web applications, access control depends on authentication and session management:
- Authentication identifies the user and confirms that they are who they say they are.
- Session management identifies which subsequent requests are being made by that same user.
- Access control determines whether the user is allowed to carry out the action they are attempting to perform.
Broken access controls are commonly faced and are the most common security vulnerability, since the design and management of access controls must be done by humans rather than technology, and the potential for errors is high. From a user perspective, access controls can be divided into the following categories:
- Vertical access controls – access to resources is restricted depending on your role in the system; different users have access to different application functions. For example, an administrator may be able to modify or delete a user, while a normal user has no access to these functions.
- Horizontal access controls – access to resources is restricted to the specific users who own them. For example, in a banking application a user can view transactions and make payments from their own account, but not from the account of any other user.
- Context-dependent access controls – access to resources depends on the state of the application or the user's interaction with it. For example, a retail website may not allow a user to make changes to their shopping cart after payment has been made.
The client's website had a broken access control. This vulnerability occurs when a user can access resources or perform actions that they are not supposed to be able to. This is how the client's website was set up.

ATTACK NARRATIVE
After spending time looking for vulnerabilities on the website and not finding any, I decided to register for an account, gaining access to the system as a regular user. Up to this point, I realized that:
- There was no password policy on the registration form. The website allowed the registration of user accounts with weak passwords. This was dangerous because a user could register for an account using a guessable password.
- There was no email verification. The website allowed a user to register with an email address without sending a confirmation code to that address. Security-wise, this means that a user could register in the system with a non-existent email address.
Going through the website looking for other vulnerabilities, I realized that the URL ended in a number, meaning that each user account is associated with a number. For example, if you created an account, your profile would be given a value, let's say 450, meaning that you are the 450th user registered in the system and that there are possibly users with ids 1 – 449.
I tampered with the parameters of the URL by changing the value of the number and, to my surprise, I managed to view the details of another user. This is called horizontal privilege escalation. It arises when a user can access resources belonging to another user instead of their own. For example, a user might ordinarily access their own account page using a URL like the following:
https://insecure-website.com/myaccount?id=450
Now, if an attacker modifies the id parameter value to that of another user, the attacker may gain access to that user's account page with its associated data and functions, and that is what happened with the client's web application.
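As an added example (not code from the original write-up or the client's application), the following Python sketches the /myaccount?id=N handler in both forms: the vulnerable version that trusts the URL id as described above, and a hardened version that decides ownership and role from the server-side session, plus a password-change handler bound to the session user. The user table, ids, emails and passwords are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class User:
    id: int
    email: str
    role: str       # "user" or "admin"
    password: str   # plaintext only to keep this sample self-contained

# Constructed sample user table; ids are sequential, as on the client's site.
USERS = {
    1:   User(1, "admin@example.com", "admin", "Adm1n-Passw0rd"),
    450: User(450, "alice@example.com", "user", "alice-pw"),
    451: User(451, "bob@example.com", "user", "bob-pw"),
}

class Forbidden(Exception):
    pass  # raised where a real handler would return HTTP 403

def myaccount_vulnerable(session_user_id: int, requested_id: int) -> User:
    """/myaccount?id=N as found: the URL id is trusted, so any user reads any record."""
    if session_user_id not in USERS:
        raise Forbidden("not logged in")
    return USERS[requested_id]          # no check that the caller owns this id

def myaccount_fixed(session_user_id: int, requested_id: int) -> User:
    """Hardened: ownership and role are decided from the server-side session, not the URL id."""
    caller = USERS.get(session_user_id)
    if caller is None:
        raise Forbidden("not logged in")
    if requested_id != caller.id and caller.role != "admin":
        raise Forbidden("access denied")  # horizontal check, with an admin (vertical) exception
    if requested_id not in USERS:
        raise Forbidden("access denied")  # same response: do not reveal whether the id exists
    return USERS[requested_id]

def allowed(handler, session_user_id: int, requested_id: int) -> bool:
    try:
        handler(session_user_id, requested_id)
        return True
    except (Forbidden, KeyError):
        return False

def change_password_fixed(session_user_id, target_id, current_password, new_password) -> bool:
    """Bound to the session user and re-authenticated; a tampered id cannot retarget it."""
    target = USERS.get(session_user_id)
    if target is None or target_id != session_user_id:
        return False                      # ignore whatever id the form carries
    if current_password != target.password or len(new_password) < 12:
        return False                      # wrong current password or weak new password
    target.password = new_password
    return True
```

The minimum-length check stands in for the password policy the registration form lacked; a real deployment would hash stored passwords and apply a fuller policy.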
Below is a demonstration of the attack sequence of the client’s website.

Through this vulnerability, I was able to obtain the information of the administrative account, change the password of that account, and log in as the administrator.