Access control: constraints on who or what is authorized to perform actions or access resources. It depends on authentication and session management.
Types of Access Control Models:
Programmatic access control - a set of access control rules (a matrix of user privileges) is stored in a database or similar, and access controls are applied programmatically with reference to this matrix. The matrix can cover roles, groups or individual users, collections or workflows of processes, and can be highly granular.
Discretionary Access Control (DAC) - access to resources/functions is limited based on users or groups of users. Owners of these resources or functions can assign or delegate access permissions to users. This model is highly granular, with access rights defined per individual resource or function and user; consequently it can become very complex to design and manage.
Mandatory Access Control (MAC) - a centrally controlled system in which access to some object (a file or other resource) by a subject is constrained. Significantly, unlike DAC, users and owners of resources have no ability to delegate or modify access rights for their resources. This model is often associated with military clearance-based systems.
Role-Based Access Control (RBAC) - named roles are defined to which access privileges are assigned; users are then assigned to one or more roles. RBAC provides easier management than the other models and, if properly designed, enough granularity for manageable access control in complex applications.
RBAC is most effective when there are enough roles to enforce access controls properly, but not so many that the model becomes excessively complex and unwieldy to manage.
Types of Access Control:
Vertical access control - restricts access to sensitive functionality to specific types of users; different types of users have access to different application functions. e.g. admin vs normal user.
Horizontal access control - restricts access to resources to specific users; different users have access to a subset of resources of the same type. e.g. bank users.
Context-dependent access control - restricts access based on the state of the application or the user's interaction with it. e.g. e-commerce, where users must not be able to modify the contents of the cart after payment.
Vertical privilege escalation: can happen if a non-admin user gets admin-like access (from human to god). This arises due to:
Unprotected functionality
No enforcement of protection on sensitive functionality. e.g. the admin user's welcome page might differ from the normal user's, but if the normal user obtains the admin welcome page URL and force-browses to it, the page shows sensitive data with no protection at all.
Such locations might be disclosed in files like robots.txt.
Security by obscurity
Sensitive functionality is hidden by giving it less predictable names; things get obfuscated so they are not easily guessable.
Parameter-based access control methods
Some applications give users their access rights or roles at login and store this info in
Broken access control resulting from platform misconfiguration
Access controls can be enforced at the platform layer by restricting specific URLs and HTTP methods based on the user's role. e.g. DENY: POST, /admin/deleteUser, managers
- deny access to the POST method on endpoint /admin/deleteUser for users in the managers group.
Some frameworks support non-standard HTTP headers that can be used to bypass the above restriction, e.g. X-Original-URL and X-Rewrite-URL.
The platform-layer restrictions can be bypassed by HTTP methods too, so…
Broken access control resulting from URL-matching discrepancies
Websites may treat /admin/delete and /ADMIN/DELETE as the same endpoint or as two different ones; test how much tolerance the site allows. Does /admin/deleteUser.anything still match /admin/deleteUser or not? Prior to Spring 5.3, the useSuffixPatternMatch option was enabled by default and allowed exactly this: paths with an arbitrary file extension were mapped to the equivalent endpoint with no file extension.
On other systems, /admin/deleteUser and /admin/deleteUser/ are treated as distinct endpoints. In that case, access controls can be bypassed by appending a trailing slash to the path.
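One way a defender closes the gap between what the router tolerates and what the platform rule compares, as an added Python example (not code from these notes or from any framework): canonicalize the request path first, then evaluate the DENY rule against the canonical form. The tolerance rules inside canonicalize() are assumptions mirroring the variants above (case, trailing slash, arbitrary suffix) and must be made to match the real platform's routing.

```python
import posixpath

# Constructed deny rules in the "DENY: METHOD, path, group" style of the notes.
DENY_RULES = [
    ("POST", "/admin/deleteUser", "managers"),
]


def canonicalize(path: str) -> str:
    """Reduce a request path to the form the router would actually dispatch on.

    Assumed router behaviour (hypothetical, mirroring the notes): routing is
    case-insensitive, a trailing slash is ignored and a suffix such as
    ".anything" is stripped. Adjust to the real platform before relying on it.
    """
    path = path.split("?", 1)[0].split("#", 1)[0]   # drop query string and fragment
    if not path.startswith("/"):
        path = "/" + path
    path = posixpath.normpath(path)   # collapses "//", "/./", "/../" and a trailing slash
    path = path.lower()               # case-insensitive routing
    head, tail = posixpath.split(path)
    if "." in tail:                   # /admin/deleteUser.anything -> /admin/deleteUser
        path = posixpath.join(head, tail.split(".", 1)[0])
    return path


def naive_is_denied(method: str, path: str, groups: set) -> bool:
    """Exact string comparison: misses every variant the router still accepts."""
    return any(m == method and p == path and g in groups
               for m, p, g in DENY_RULES)


def is_denied(method: str, path: str, groups: set) -> bool:
    """Compare the canonical request path against the canonical rule path."""
    cpath = canonicalize(path)
    return any(m == method and canonicalize(p) == cpath and g in groups
               for m, p, g in DENY_RULES)


if __name__ == "__main__":
    for p in ["/admin/deleteUser", "/ADMIN/DELETEUSER",
              "/admin/deleteUser/", "/admin/deleteUser.anything"]:
        print(f"{p:28} naive={naive_is_denied('POST', p, {'managers'})!s:5} "
              f"canonical={is_denied('POST', p, {'managers'})}")
```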
Horizontal privilege escalation: a user is able to gain access to resources belonging to another user (another's treasure for me).
Sometimes the user IDs are not simple and predictable; applications use GUIDs and UUIDs to obscure them.
Sometimes the application detects that it is not the correct user and redirects to the login page, but the redirect itself may still carry some sensitive data belonging to the victim.
Horizontal to vertical privilege escalation
A horizontal escalation can be turned into a vertical one by compromising a more privileged user.
IDOR (Insecure Direct Object Reference)
A type of access control issue where objects are accessed directly through a user-supplied value; simply changing that value yields another object's data.
Access control vulnerabilities in multi-step processes
Important functions are implemented as a series of steps (multiple requests) when:
- many inputs need to be captured
- the user needs to review or confirm details before the action is committed
Sometimes websites implement access controls over some of the steps but not all of them. e.g. out of 3 steps, checks are applied on the 1st and 2nd but not on the 3rd; the application assumes a request only reaches step 3 after steps 1 and 2 have been completed.
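The failure mode above beside its fix, as an added Python example (not code from these notes): a three-step admin "delete user" workflow where the vulnerable step 3 checks nothing, and the hardened step 3 re-checks the role and takes step ordering from server-side session state rather than trusting that the request arrived in order. Session, the step functions and the users dict are all constructed for the example.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Raised when an access control check fails."""

@dataclass
class Session:
    user: str
    role: str
    done: set = field(default_factory=set)  # server-side record of completed steps

def require_admin(session: Session) -> None:
    if session.role != "admin":
        raise Forbidden(f"{session.user} is not an admin")

def require_step(session: Session, step: int) -> None:
    """Ordering comes from the server-side session, never from the request."""
    if step not in session.done:
        raise Forbidden(f"step {step} has not been completed")

def step1_select_user(session: Session, target: str) -> str:
    require_admin(session)
    session.done.add(1)
    return target

def step2_review(session: Session, target: str) -> str:
    require_admin(session)
    require_step(session, 1)
    session.done.add(2)
    return target

def vulnerable_step3_confirm(session: Session, target: str, users: dict) -> str:
    """Flaw from the notes: assumes only steps 1 and 2 lead here, so checks nothing."""
    users.pop(target, None)
    return f"deleted {target}"

def hardened_step3_confirm(session: Session, target: str, users: dict) -> str:
    """Step 3 re-checks the role and the server-side ordering like every other step."""
    require_admin(session)
    require_step(session, 2)
    users.pop(target, None)
    session.done.clear()  # workflow finished; the next deletion must start at step 1
    return f"deleted {target}"

def denied(fn, *args) -> bool:
    # True if calling fn raises Forbidden; lets a refusal be checked as a value.
    try:
        fn(*args)
        return False
    except Forbidden:
        return True
```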
Referer-based access control
The Referer header can sometimes be added to requests by browsers to indicate which page initiated the request. e.g. on an administrative function's sub-pages, the application checks whether the Referer header contains the /admin URL (i.e. that the admin page initiated the request); if it does not, the request is not allowed.
Location-based access control
Some applications enforce access control based on the user's location, e.g. banking apps, media services, or business restrictions. This can be bypassed simply with web proxies, VPNs, or manipulation of the client-side location.
How to prevent them?