Intro
I have been in security for several years. My work is to test applications and infrastructure and try to break in.
If you are a developer, what follows is probably one of the vulnerabilities you will find in your own applications. If you are already elite in both security and development, then stop and close this thread.
Most developers lack proper knowledge of information security. In this post I am talking about access control issues.
Access Controls
When one designs an application, roles and permissions may be given to users. Most of the time, I find vulnerabilities that allow elevation of privileges. This is a particular type of access control issue, where a low-privilege user can escalate to a higher-privilege user. Make sure ALL of the functions are protected, so that low-privilege users, even if they can load the UI, do not have permission to execute any endpoint that requires higher privileges. Hiding a button in the UI is not a check; the server must enforce the role on every request. You may think this sounds too dumb to be real, but most applications suffer from such vulnerabilities. Moreover, such vulnerabilities can lead to account takeover!
IDORs
Another type of access control issue is an IDOR (Insecure Direct Object Reference). Many endpoints accept numerical parameters, for example a "pageId" in a GET request. Most of the time, the endpoints have all sorts of checks, like for XSS or SQL injection, but developers often forget to check whether the ID can be used to access information that does not belong to the user. Because IDs are usually sequential integers, this kind of vulnerability is trivial to exploit: the attacker simply tries the neighbouring numbers. Make sure users can only access information that belongs to them by properly enforcing access control rules on every object lookup.
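Both issues above come down to the same missing step: an authorization check that runs server-side on every call. The following Python is an added example, not code from the original post; it builds a tiny in-memory "application" with constructed sample users, pages and passwords (the `User`, `PAGES` and `PASSWORDS` names, the `user`/`admin` roles and the `require_role` decorator are all hypothetical) and places a vulnerable endpoint next to its hardened form for each case: a password-reset endpoint that only relies on the UI hiding the admin panel versus one that enforces the role, and a page lookup that validates the ID's type but not its ownership versus one that does.

```python
from dataclasses import dataclass
from functools import wraps


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the operation."""


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin" (hypothetical roles for this example)


# Constructed sample data, standing in for a database.
ALICE = User(id=10, role="user")
BOB = User(id=20, role="user")
ADMIN = User(id=99, role="admin")

PAGES = {
    1: {"owner_id": ALICE.id, "title": "alice's private notes"},
    2: {"owner_id": BOB.id, "title": "bob's private notes"},
}
PASSWORDS = {ALICE.id: "alice-pw", BOB.id: "bob-pw", ADMIN.id: "admin-pw"}


# --- 1. Function-level access control (privilege escalation) ---------------

def require_role(*allowed_roles):
    """Decorator that enforces the role on every call, regardless of whether
    the UI ever showed the caller a button for this action."""
    def decorator(endpoint):
        @wraps(endpoint)
        def wrapper(current_user, *args, **kwargs):
            if current_user.role not in allowed_roles:
                raise Forbidden(f"user {current_user.id} lacks role {allowed_roles}")
            return endpoint(current_user, *args, **kwargs)
        return wrapper
    return decorator


def set_password_vulnerable(current_user, target_user_id, new_password):
    """Vulnerable: the only 'protection' is that the admin panel is hidden
    from normal users. Any authenticated caller who reaches the endpoint
    can change anyone's password, including the admin's."""
    PASSWORDS[target_user_id] = new_password
    return True


@require_role("admin")
def set_password_secure(current_user, target_user_id, new_password):
    """Same operation, but the role check runs before anything happens."""
    PASSWORDS[target_user_id] = new_password
    return True


# --- 2. Object-level access control (IDOR) ---------------------------------

def get_page_vulnerable(current_user, page_id):
    """Vulnerable: validates that page_id is an integer (so no injection)
    but never asks whether this user may read this particular page."""
    if not isinstance(page_id, int):
        raise ValueError("page_id must be an integer")
    return PAGES.get(page_id)


def get_page_secure(current_user, page_id):
    """Ownership check next to the lookup. A missing page and a page owned
    by someone else produce the same error, so the response does not
    reveal which sequential IDs exist."""
    if not isinstance(page_id, int):
        raise ValueError("page_id must be an integer")
    page = PAGES.get(page_id)
    if page is None or (page["owner_id"] != current_user.id and current_user.role != "admin"):
        raise Forbidden(f"user {current_user.id} may not read page {page_id}")
    return page


def is_forbidden(endpoint, *args, **kwargs):
    """True if the authorization check rejects the call, False if it passes."""
    try:
        endpoint(*args, **kwargs)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # Bob reads Alice's page through the unchecked endpoint...
    print("vulnerable lookup:", get_page_vulnerable(BOB, 1))
    # ...and is refused by the checked one.
    print("secure lookup refused:", is_forbidden(get_page_secure, BOB, 1))
    # Bob resets the admin password through the unchecked endpoint...
    print("vulnerable reset:", set_password_vulnerable(BOB, ADMIN.id, "changed"))
    # ...and is refused by the checked one.
    print("secure reset refused:", is_forbidden(set_password_secure, BOB, ADMIN.id, "x"))
```

Two design points worth keeping: the check lives beside the data access rather than in the UI or a single front controller, so a new endpoint cannot forget it, and the secure lookup returns the same error for "does not exist" and "not yours", which keeps a sequential ID space from leaking which records are present. Random or non-sequential IDs are worth having as defense in depth, but they never replace the ownership check.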
Summary
A great number of developers treat such vulnerabilities as low-risk, but in reality these issues are high or critical risk. Imagine the ID being an order ID, or low-privilege users being able to set the admin's password, or even become admin themselves. Such issues happen, and I can confirm they happen very often.
Thanks for reading, take care, and follow me for more tips.