Attacking Access Controls

Before you start probing the application for actual access control vulnerabilities, take a moment to review the results of your application mapping exercises and work out what the application's real access control requirements are: which functions should be restricted to privileged users (vertical segregation) and which resources belong to individual users (horizontal segregation). That tells you where your attention is likely to be most fruitfully focused.

The easiest and most effective way to test an application's access controls is to access it using several different accounts: accounts at different privilege levels, to test vertical segregation, and accounts at the same level, to test horizontal segregation. For each resource or function that one account can reach legitimately, determine whether another account that should not be able to reach it can do so anyway.

If you have only one user-level account with which to access the application (or none at all), more work is needed to test the effectiveness of access controls. With a single account, record every request it makes and reissue each one without a session token, or with a token for a lower-privileged context, to see whether the server still serves it. Even with accounts at every level, a fully comprehensive test needs further work, because poorly protected functionality may exist that is not linked from the interface of any application user, for example old functionality that has not yet been removed, or new functionality that has been deployed but not yet published to users. Such functionality can only be found by content discovery, not by browsing.

Once all accessible functionality has been enumerated, test whether per-user segregation of access to resources is correctly enforced. Wherever the application grants users access to a subset of a wider range of resources of the same type (documents, orders, emails, personal details), typically selected by an identifier in a URL or request parameter, there may be opportunities for one user to gain unauthorized access to other users' resources by substituting a different identifier.

Wherever an application superficially appears to enforce access controls effectively, probe further to find out whether the developers have made any defective assumptions: for instance, that users will only follow the links shown to them, that a request's Referer header proves where it came from, or that an identifier is too obscure to guess.

Where the static resources the application is protecting are ultimately fetched directly via URLs to the resource files themselves, test whether an unauthorized (or unauthenticated) user can simply request those URLs directly, since a web server typically serves static files without consulting the application's own access control logic.
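The multi-account replay, the unauthenticated replay, the identifier sweep and the direct static-file request described above can all be driven from one small harness. The code below is an added example, not code from the book or from any real tool. Everything in it is constructed: `demo_app` is an in-memory stand-in for a target application with deliberately inconsistent access controls, `SESSIONS` maps made-up session cookies to users, and `ORDERS` is invented data. Against a real target, `demo_app` would be replaced by a transport that issues the request with a given cookie and returns `(status, body)`.

```python
"""Differential access-control test harness (added example; all data constructed)."""
from typing import Callable, Iterable, List, Optional, Tuple

Response = Tuple[int, str]
# A transport takes (method, path, session_cookie_or_None) and returns (status, body).
Transport = Callable[[str, str, Optional[str]], Response]

# --- constructed stand-in target -------------------------------------------
SESSIONS = {"sess-alice": ("alice", "user"),
            "sess-bob": ("bob", "user"),
            "sess-root": ("admin", "admin")}
ORDERS = {1001: "alice", 1002: "bob", 1003: "alice"}   # order id -> owner


def demo_app(method: str, path: str, cookie: Optional[str]) -> Response:
    """Hypothetical application: some routes are protected correctly, some are not."""
    if path.startswith("/static/"):
        return 200, f"contents of {path}"          # web server serves files, no check
    user = SESSIONS.get(cookie)
    if user is None:
        return 302, "redirect to /login"           # every dynamic page needs a session
    name, role = user
    if path == "/profile":
        return 200, f"profile of {name}"           # keyed off the session: correct
    if path == "/admin/users":
        return (200, "user list") if role == "admin" else (403, "forbidden")
    if path == "/admin/export":
        return 200, "all user data"                # old, unlinked, never protected
    if path.startswith("/orders/"):
        tail = path.rsplit("/", 1)[1]
        if not tail.isdigit() or int(tail) not in ORDERS:
            return 404, "no such order"
        oid = int(tail)
        return 200, f"order {oid} for {ORDERS[oid]}"   # no ownership check: IDOR
    return 404, "not found"


# --- the harness -------------------------------------------------------------
def replay_as(send: Transport, requests: Iterable[Tuple[str, str]],
              baseline_cookie: Optional[str],
              probe_cookie: Optional[str]) -> List[Tuple[str, str, str]]:
    """Reissue every request that succeeds for the baseline account with the probe
    session (another user, a lower privilege level, or None for unauthenticated).
    Returns (method, path, verdict) for each request the probe could also reach."""
    findings = []
    for method, path in requests:
        b_status, b_body = send(method, path, baseline_cookie)
        if b_status != 200:
            continue                               # baseline cannot reach it: nothing to compare
        p_status, p_body = send(method, path, probe_cookie)
        if p_status != 200:
            continue                               # control enforced (403, redirect, ...)
        verdict = "identical" if p_body == b_body else "200, body differs"
        findings.append((method, path, verdict))
    return findings


def sweep_ids(send: Transport, cookie: Optional[str], template: str,
              ids: Iterable[int]) -> List[int]:
    """Probe a range of resource identifiers with one account; return those served."""
    return [i for i in ids if send("GET", template.format(i), cookie)[0] == 200]


if __name__ == "__main__":
    alice_requests = [("GET", "/profile"), ("GET", "/orders/1001"),
                      ("GET", "/admin/users"), ("GET", "/static/report.pdf")]
    print("alice -> bob:", replay_as(demo_app, alice_requests, "sess-alice", "sess-bob"))
    print("alice -> anon:", replay_as(demo_app, alice_requests, "sess-alice", None))
    print("admin -> bob:", replay_as(demo_app, [("GET", "/admin/users"),
                                                 ("GET", "/admin/export")],
                                      "sess-root", "sess-bob"))
    print("bob id sweep:", sweep_ids(demo_app, "sess-bob", "/orders/{}", range(1000, 1005)))
```

An "identical" verdict is only a finding when the resource is meant to be per-user or privileged; a public page will naturally come back identical, which is why the mapping step matters. A "200, body differs" verdict usually means the page is keyed off the session rather than off the URL, as `/profile` is here, and is worth a manual look rather than an automatic flag. Against a real target, normalise volatile parts of the body (CSRF tokens, timestamps) before comparing, or the comparison will mask genuine horizontal access.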
