Improper Access Control Notes
Improper Access Control
Access control combines several protection mechanisms:
- Authentication (proving the identity of an actor)
- Authorization (deciding whether an authenticated actor is allowed to access a resource or perform an action)
- Accountability (logging the activities that were performed so they can be attributed to an actor)
Access control models (a flaw in the implementation of any of them leads to Improper Access Control):
- RBAC (Role-Based Access Control)
- DAC (Discretionary Access Control)
- MAC (Mandatory Access Control)
- PBAC (Permission-Based Access Control)
Attacks:
- Horizontal privilege escalation (reaching another user's data at the same privilege level)
  - based on userID
  - based on objectID
  - based on filename
- Vertical privilege escalation (gaining a higher privilege level)
  - Unverified account acting as a verified account
  - Normal user acting as admin
- Authorization framework flaws (the checks exist, but the framework applies them incorrectly, e.g. a route or HTTP method the policy does not cover)
Role-Based Access Control (RBAC)
The advantages of using this methodology are:
- Roles mirror the organizational structure, so assignments follow the organizational security policy
- Easy to use
- Easy to administer
- Built into most frameworks
- Aligns with security principles such as segregation of duties and least privilege
Problems that can be encountered while using this methodology:
- Documentation of the roles and the accesses each role carries has to be maintained stringently.
- Multi-tenancy cannot be implemented effectively unless roles can be scoped to a tenant, e.g. by OU in Active Directory
- There is a tendency for scope creep: a role is given more accesses and privileges than intended, or a user accumulates several roles because access reviews and subsequent revocation are not performed.
- Does not support data-based access control: a role says which actions a user may perform, not which individual records they may touch, so object-level (ownership) checks must be added separately
The areas of caution while using RBAC are:
- Roles must only be transferred or delegated using strict sign-offs and procedures.
- When a user moves to another role, the administrator must make sure that the earlier access is revoked, so that at any given point in time a user holds only the roles they need (need-to-know basis).
- Assurance for RBAC must be carried out using strict access control reviews.
Discretionary Access Control (DAC)
Discretionary Access Control (DAC) is a means of restricting access to information based on the identity of users and/or membership in certain groups, where the owner of an object decides who may access it (e.g. Unix file permissions, Windows ACLs).
The advantages of using this model are:
- Easy to use
- Easy to administer
- Can align with the principle of least privilege when owners grant narrowly; nothing in the model enforces this, though.
- Object owner has total control over access granted
Problems that can be encountered while using this methodology:
- Documentation of who has been granted what has to be maintained stringently, since grants are made by many owners rather than by one administrator.
- Multi-tenancy cannot be implemented effectively unless there is a way to scope owners and groups to a tenant, e.g. OU in Active Directory
- There is a tendency for scope creep to happen: an owner can grant more access than intended, and grants made by owners are not reviewed centrally.
The areas of caution while using DAC are:
- While granting trusts (e.g. trust relationships between domains or forests), because a trust widens the set of identities an owner can grant access to.
- Assurance for DAC must be carried out using strict access control reviews.
Mandatory Access Control (MAC)
- MAC secures information by assigning sensitivity labels to information and comparing them with the clearance level the user is operating at; neither users nor object owners can change the labels or the policy.
- Used for systems with high assurance requirements (e.g. classified government systems; SELinux and AppArmor are MAC implementations on Linux)
Permission Based Access Control (PBAC)
The key concept in Permission-Based Access Control is the abstraction of application actions into a set of permissions. A permission may be represented simply as a string-based name, for example "READ". Access decisions are made by checking whether the current user has the permission associated with the requested application action. Roles, if present, are only a convenient way of grouping permissions; the check itself is always against the permission, not the role name.
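As an added illustration (not code from the original notes), the following Python sketch shows a permission-based check as described above: actions are named by string permissions, roles only group them, and a decorator denies the action unless the caller holds the permission. The role names, permission strings, `User` class and `require_permission` decorator are assumptions for illustration.

```python
# Added example (not from the original notes): a minimal permission-based
# access control check. Role names, permission strings and the User/decorator
# names are assumptions for illustration.
from functools import wraps

# Application actions abstracted into string permissions; roles are only a
# convenient way of grouping them. The check is always against the permission.
ROLE_PERMISSIONS = {
    "user":    {"PROFILE_READ", "PROFILE_WRITE"},
    "auditor": {"PROFILE_READ", "AUDIT_READ"},
    "admin":   {"PROFILE_READ", "PROFILE_WRITE", "AUDIT_READ", "USER_DELETE"},
}


class PermissionDenied(Exception):
    pass


class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = set(roles)

    def permissions(self):
        # Union of the permissions of every role the user holds; unknown
        # roles contribute nothing (deny by default).
        return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in self.roles))

    def has_permission(self, permission):
        return permission in self.permissions()


def require_permission(permission):
    """Decorator: deny the action unless the calling user holds `permission`."""
    def decorator(func):
        @wraps(func)
        def wrapper(current_user, *args, **kwargs):
            if not current_user.has_permission(permission):
                raise PermissionDenied(f"{current_user.name} lacks {permission}")
            return func(current_user, *args, **kwargs)
        return wrapper
    return decorator


@require_permission("USER_DELETE")
def delete_user(current_user, target_name):
    return f"{target_name} deleted by {current_user.name}"


@require_permission("AUDIT_READ")
def read_audit_log(current_user):
    # Constructed sample data standing in for a real audit store.
    return ["login alice", "delete bob"]


def attempt(func, *args):
    """Return the action result, or 'denied' if the permission check fails."""
    try:
        return func(*args)
    except PermissionDenied:
        return "denied"


if __name__ == "__main__":
    alice = User("alice", ["user"])
    root = User("root", ["admin"])
    print(attempt(delete_user, alice, "bob"))   # denied
    print(attempt(delete_user, root, "bob"))    # bob deleted by root
    print(attempt(read_audit_log, alice))       # denied
```

Note that a normal user holding a role the mapping does not know ends up with no permissions at all, which is the safe direction for a missing entry.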
Attack Scenario
- Some links/pages are reachable by unauthenticated users (no authentication check on the route)
- Arbitrary file upload (the upload endpoint does not check who may upload, or who may later read the uploaded file)
- Sign up as admin by intercepting the sign-up request and modifying parameter values (e.g. adding a role field that the backend copies into the account)
- IDOR: delete/modify other users' information by changing the ID in the request
Tools / methodology:
- Crawl the application with an admin account
- Crawl the application with a normal user account (and once more without a session)
- Compare the results: every URL the admin crawl found that also returns a success response for the normal user or the anonymous session is a candidate for improper access control (Burp Suite extensions such as Autorize automate this replay)
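The comparison step above, written out as a small triage script (added example, not part of the original notes). The crawl and replay results are constructed sample data; in practice the admin crawl comes from the crawler and the replay table from re-sending each admin URL with the lower-privileged sessions.

```python
# Added example (not from the original notes): triage of a privilege-diff crawl.
# All URLs and status codes below are constructed sample data.

# Step 1: every URL the admin crawl discovered.
ADMIN_CRAWL = {
    "/dashboard", "/profile/1", "/admin/users", "/admin/users/2/delete",
    "/admin/settings", "/reports/export",
}

# Step 2: the same URLs replayed with lower-privileged sessions
# (status code per URL). A tool such as Burp's Autorize does this replay.
REPLAY = {
    "user": {
        "/dashboard": 200, "/profile/1": 200, "/admin/users": 403,
        "/admin/users/2/delete": 200, "/admin/settings": 302,
        "/reports/export": 200,
    },
    "anonymous": {
        "/dashboard": 302, "/profile/1": 302, "/admin/users": 302,
        "/admin/users/2/delete": 302, "/admin/settings": 302,
        "/reports/export": 200,
    },
}

# Step 3: URLs the normal user's own crawl found; these are legitimately shared.
USER_CRAWL = {"/dashboard", "/profile/1"}


def authz_gaps(admin_urls, user_urls, replay, success=(200,)):
    """Return {session: sorted URLs} that a lower-privileged session can reach
    although only the admin crawl linked to them."""
    candidates = admin_urls - user_urls
    gaps = {}
    for session, responses in replay.items():
        hits = sorted(u for u in candidates if responses.get(u) in success)
        if hits:
            gaps[session] = hits
    return gaps


if __name__ == "__main__":
    for session, urls in authz_gaps(ADMIN_CRAWL, USER_CRAWL, REPLAY).items():
        print(f"{session}: {', '.join(urls)}")
```

Everything the script reports is a candidate, not a confirmed finding: a 200 may be a "not authorized" page rendered with a success code, so compare response bodies or lengths before raising the issue, and conversely a 403 on GET says nothing about POST or other methods on the same path.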
How to prevent
- Don't trust user input, including IDs, role fields and hidden form values
- Verify the user's identity before performing key actions (re-authenticate for sensitive operations)
- Use unpredictable identifiers (e.g. random UUIDs) to make enumeration harder, but treat this only as defence in depth; it never replaces an authorization check
- Enforce every check on the backend; frontend checks (hiding buttons, disabling menus) are for usability only and are trivially bypassed by intercepting the request
- Verify the permission and the ownership of the target object before calling dangerous actions, and deny by default
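To tie the attack scenarios to the prevention list, here is an added example (not code from the original notes) that places the "sign up as admin" and IDOR handlers beside hardened versions: an allow-list of sign-up fields with the role set server-side, unpredictable IDs, and an ownership check against the target object. The in-memory stores, field names and function names are assumptions for illustration.

```python
# Added example (not from the original notes): vulnerable handlers for
# "sign up as admin" (mass assignment) and IDOR next to hardened versions.
# The stores, field names and function names are assumptions for illustration.
import uuid

USERS = {}      # user_id -> account record
PROFILES = {}   # profile_id -> {"owner": user_id, "bio": str}


def signup_vulnerable(params):
    """Copies every submitted field into the record, so an intercepted
    request that adds role=admin is honoured."""
    user_id = str(len(USERS) + 1)          # sequential, enumerable ID
    record = {"role": "user"}
    record.update(params)                   # mass assignment: role overwritten
    USERS[user_id] = record
    return user_id, record["role"]


ALLOWED_SIGNUP_FIELDS = {"username", "email"}


def signup_hardened(params):
    """Only allow-listed fields are accepted; the role is set server-side."""
    record = {k: v for k, v in params.items() if k in ALLOWED_SIGNUP_FIELDS}
    record["role"] = "user"
    user_id = str(uuid.uuid4())             # unpredictable ID (defence in depth)
    USERS[user_id] = record
    return user_id, record["role"]


def delete_profile_vulnerable(session_user_id, profile_id):
    """Trusts the ID from the request: any logged-in user deletes any profile."""
    if profile_id not in PROFILES:
        return "not found"
    del PROFILES[profile_id]
    return "deleted"


def delete_profile_hardened(session_user_id, profile_id):
    """Authorizes against the object: the caller must own the profile.
    Unknown and foreign IDs get the same answer, so the ID space is not
    revealed through differing responses."""
    profile = PROFILES.get(profile_id)
    if profile is None or profile["owner"] != session_user_id:
        return "not found"
    del PROFILES[profile_id]
    return "deleted"


def demo():
    """Run both scenarios with a constructed attacker request and return
    the outcomes keyed by scenario."""
    USERS.clear()
    PROFILES.clear()
    attacker = {"username": "mallory", "email": "m@example.test", "role": "admin"}
    _, vuln_role = signup_vulnerable(attacker)
    mallory_id, hard_role = signup_hardened(attacker)
    PROFILES["p1"] = {"owner": mallory_id, "bio": "mallory"}
    PROFILES["p2"] = {"owner": "victim", "bio": "alice"}
    results = {
        "vulnerable_signup_role": vuln_role,
        "hardened_signup_role": hard_role,
        "idor_vulnerable": delete_profile_vulnerable(mallory_id, "p2"),
    }
    PROFILES["p2"] = {"owner": "victim", "bio": "alice"}   # restore for next test
    results["idor_hardened_foreign"] = delete_profile_hardened(mallory_id, "p2")
    results["idor_hardened_own"] = delete_profile_hardened(mallory_id, "p1")
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The random UUID only raises the cost of guessing; the ownership comparison in `delete_profile_hardened` is what actually stops the IDOR, and it would still be needed if the IDs were sequential.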