Chapter 5: Attacking Web Authorization

Previous page
Table of content
Next page

Overview

We just saw in Chapter 4 how authentication determines if a user can log into a web application. Authorization determines what parts of the application the authenticated user can access, as well as what actions they can take within the application. Since the stateless HTTP protocol lacks even the most basic concept of discrete sessions for each authenticated user, web authorization is challenging to implement and consequently profitable to attack.

Note 

We will sometimes abbreviate authentication as "authn," and authorization as "authz."

Authorization is classically implemented by providing the authenticated user's session with an access token that uniquely identifies him/her to the application. The application then makes decisions about whether to grant or deny access to an internal object based on a comparison of identifiers within the token and access control list (ACL) on the object. If the provided identifiers match the configured permission on the object, access is granted; if there is no match, access is denied . The token is provided with each subsequent request, which the application parses without having to reauthenticate the user over and over again. Upon logout or session timeout, the token is typically destroyed or expires , respectively.

Note 

Often, the identifier used to distinguish unique sessions, commonly called a session ID, is thesame thing as the access token.

Note 

HTTP Basic authn takes the old-fashioned approachit replays the original Base 64encoded username:password in the HTTP Authorize header for every subsequent request in the same realm.

Clearly, access tokens provide great convenience for the user, but as always, convenience comes at a price. By guessing, replaying , or otherwise impersonating someone else's token, a malicious hacker might be able to view data or perform actions that are normally restricted to other users (so-called horizontal privilege escalation), or even administrators (vertical privilege escalation). On the server side of the authorization equation, ACLs may be misconfigured to inadvertently permit unauthorized users, or vulnerabilities may exist that permit bypass of ACLs in certain scenarios.

An important point to highlight here is the dual goals of attacking authorization: hijacking the authorization/session token used by the application and/or bypassing server-side ACLs. This chapter is organized primarily around these two aspects of authz and is divided into the following major sections:

  • Fingerprinting Authz

  • Attacking ACLs

  • Attacking Tokens

  • Authz Attack Case Studies

  • Authz Best Practices

In many ways, authorization is the heart and soul of any system of security controls, and as you may agree by the end of this chapter, no web application can survive having it excised by a skillful adversary.


Previous page
Table of content
Next page
Hacking Exposed Web Applications
HACKING EXPOSED WEB APPLICATIONS, 3rd Edition
ISBN: 0071740643
EAN: 2147483647
Year: 2006
Pages: 127
Authors: Joel Scambray, Vincent Liu, Caleb Sima
BUY ON AMAZON
Java I/O
C++ How to Program (5th Edition)
Cisco CallManager Fundamentals (2nd Edition)
Mapping Hacks: Tips & Tools for Electronic Cartography
.NET-A Complete Development Cycle
User Interfaces in C#: Windows Forms and Custom Controls
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy