WI$DOM

Access Control

Let's get straight to it. Accss Control: what does it mean?

So, let's put it this way: you saw this blog post, and as you're reading it, you probably spotted the typo I wrote, Accss. If you're anything like me, you'd be thinking of editing it to make it readable. So, indirectly, you want to edit my blog post 😏.

But here's the critical question: Should you be able to?

This is where Access Control fundamentally comes into play.

Access Control is the gatekeeper that determines who can access what resources, and what actions they're permitted to perform. It's not just about letting people in; it's about defining their privileges once they're inside.

In the context of web applications, access control is dependent on authentication and session management.

  • Authentication confirms that the user is who they say they are.
  • Session management identifies which subsequent HTTP requests are being made by that same user.

Have you heard of Vertical Privilege Escalation?
This is when a non-administrative user gains access to an administrative account (a user with a higher level of access), where they can, for example, delete user accounts.


Then there's Horizontal Privilege Escalation.
This is when a non-administrative user gains access to another non-administrative user's account.


Unprotected Functionality
So privilege escalation arises when there's little to no protection on sensitive functionality. For instance, a user might be able to reach administrative functions by browsing directly to https://insecure-website.com/admin, by using a wordlist to brute-force sub-directories that contain administrative functionality, or simply by reading the JavaScript served to the user interface:

<script>
  var isAdmin = false;
  if (isAdmin) {
    ...
    var adminPanelTag = document.createElement('a');
    adminPanelTag.setAttribute('href', 'https://insecure-website.com/administrator-panel-yb556');
    adminPanelTag.innerText = 'Admin panel';
    ...
  }
</script>

Parameter-based Access Control Methods
In the URL https://insecure-website.com/login/home.jsp?admin=true, the parameter admin is set to true. If the application trusts that parameter, any non-administrative user who browses to the URL gains admin privileges. This approach is insecure because the URL is fully under the client's control and can be modified at will.
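To make the vertical and horizontal cases above concrete, and to show why the parameter-based approach fails, here is an added example that is my own code, not code from the original post or from any framework. It models a tiny blog API as plain functions so it runs under Node.js with no dependencies; the session store, users, posts and the request shape {sessionId, query, params} are all constructed sample data standing in for a real HTTP stack. Each insecure handler sits next to its hardened form so the difference in the check is visible.

```javascript
// Added example (not code from the original post): server-side access control
// for a tiny blog API, written as plain functions so it runs under Node.js
// with no dependencies. The session store, users and posts are constructed
// sample data; the request object {sessionId, query, params} is a
// hypothetical stand-in for an HTTP request.

// Session management: a session identifier resolves to an authenticated user.
const sessions = new Map([
  ['sess-alice', 'alice'],
  ['sess-bob', 'bob'],
  ['sess-carol', 'carol'],
]);

// Roles live in the server-side user record, never in the request.
const users = {
  alice: { role: 'user' },
  bob: { role: 'user' },
  carol: { role: 'admin' },
};

// Each post records its owner so horizontal checks can be enforced.
const posts = {
  1: { owner: 'alice', body: 'Accss Control, what does it mean?' },
  2: { owner: 'bob', body: 'A second post' },
};

// Authentication + session management: who is making this request?
function currentUser(req) {
  const userId = sessions.get(req.sessionId);
  return userId && users[userId] ? { id: userId, role: users[userId].role } : null;
}

// INSECURE (parameter-based): the query string is client-controlled, so
// ?admin=true is enough for any caller to reach the administrative action.
function deleteUserInsecure(req) {
  if (req.query.admin === 'true') {
    return { status: 200, action: `deleted ${req.params.userId}` };
  }
  return { status: 403 };
}

// SECURE: the vertical check reads the role from the server-side record.
function deleteUser(req) {
  const user = currentUser(req);
  if (!user) return { status: 401 };                  // not authenticated
  if (user.role !== 'admin') return { status: 403 };  // vertical privilege check
  return { status: 200, action: `deleted ${req.params.userId}` };
}

// INSECURE (missing horizontal check): being logged in is treated as enough,
// so Bob can edit Alice's post.
function editPostInsecure(req) {
  const user = currentUser(req);
  if (!user) return { status: 401 };
  const post = posts[req.params.postId];
  if (!post) return { status: 404 };
  return { status: 200, action: `edited post ${req.params.postId}` };
}

// SECURE: the horizontal check ties the resource to the caller's identity.
function editPost(req) {
  const user = currentUser(req);
  if (!user) return { status: 401 };
  const post = posts[req.params.postId];
  if (!post) return { status: 404 };
  // Only the owner, or an administrator, may edit this post.
  if (post.owner !== user.id && user.role !== 'admin') return { status: 403 };
  return { status: 200, action: `edited post ${req.params.postId}` };
}

// Stand-alone demo: Bob (a normal user) attempts both escalations.
const bobDeletesAlice = { sessionId: 'sess-bob', query: { admin: 'true' }, params: { userId: 'alice' } };
const bobEditsAlicesPost = { sessionId: 'sess-bob', query: {}, params: { postId: '1' } };
console.log('vertical, insecure:  ', deleteUserInsecure(bobDeletesAlice).status); // 200
console.log('vertical, secure:    ', deleteUser(bobDeletesAlice).status);         // 403
console.log('horizontal, insecure:', editPostInsecure(bobEditsAlicesPost).status); // 200
console.log('horizontal, secure:  ', editPost(bobEditsAlicesPost).status);         // 403
```

The point to take from the two secure handlers is that neither of them reads a privilege from anything the client sent: the role comes from the user record looked up through the session, and the ownership comes from the post record. That is what lets the same code reject both the `admin=true` trick and the cross-account edit.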

So with that, you've got an idea of Access Control. Without robust access control, anyone spotting that typo could theoretically change it, or worse, delete the entire blog post. 😏
