When developers create web interfaces, they have to restrict which users can see various links, buttons, forms, and pages. Developers usually get this right because it is very visible. Unfortunately, making it pretty doesn’t make it secure. Developers often forget that they also have to put access controls in the business logic that actually performs business functions.
Example Missing Function Level Access Control
On my bank’s website, the clerk has a link in his navigation bar to manage the client accounts. The client can’t see that link because clients are not allowed to access this section. But the item in the menu exists in the code, it is simply hidden dynamically using a Javascript function. By analyzing the HTML code, an attacker can easily find the URL to the account management section. And as the access to this section is not controlled, thus the attacker can steal a lot of sensitive data (personal information, account data). Moreover, functions available in that account management section for clerks is not controlled either. The attacker can then transfer money to his own account. And hopefully, the attacker’s actions are not logged.
Attack Vectors Missing Function Level Access Control
Authorized user changes a URL or parameter to a privileged function.
Anonymous users could access private functions that aren’t protected.
Possible Consequences Missing Function Level Access Control
Compromised user accounts.
Compromised administrative accounts.
Unauthorized use of privileged Functionality.
Prevention Missing Function Level Access Control
Implement checks in the controller or business logic.
Don’t hard code and Audit
Deny all access by default, requiring explicit grants to specific roles for access to every function
On my bank’s website, the clerk has a link in his navigation bar to manage the client accounts. The client can’t see that link because clients are not allowed to access this section. But the item in the menu exists in the code, it is simply hidden dynamically using a Javascript function. By analyzing the HTML code, an attacker can easily find the URL to the account management section. And as the access to this section is not controlled, thus the attacker can steal a lot of sensitive data (personal information, account data). Moreover, functions available in that account management section for clerks is not controlled either. The attacker can then transfer money to his own account. And hopefully, the attacker’s actions are not logged.
Attack Vectors Missing Function Level Access Control
Authorized user changes a URL or parameter to a privileged function.
Anonymous users could access private functions that aren’t protected.
Possible Consequences Missing Function Level Access Control
Compromised user accounts.
Compromised administrative accounts.
Unauthorized use of privileged Functionality.
Prevention Missing Function Level Access Control
Implement checks in the controller or business logic.
Don’t hard code and Audit
Deny all access by default, requiring explicit grants to specific roles for access to every function
%2Bdork%2Blist%2Binfosec%2Baffairs.png)
No comments:
Post a Comment