Authorization is the step that comes after authentication. It is based on giving roles and privileges to the authenticated users, giving them access to certain resources. Testing for authorization means understanding how this process works and trying to bypass it.
3.5.1 Testing for Path Traversal
Many web applications provide access to files or resources, and they usually confine the files a user is able to access inside a “root directory” which represents a physical directory on the server. Web servers have mechanisms designed to control who can access certain resources and who cannot. So, for example, an external user will not be able to access resources outside the said “root directory”.
The problem here is that web applications usually have complete access to the server. So, if the web application uses a poorly implemented server-side script to access files, that script could be an entry point for an attacker. This type of attack is known as path traversal. In order to test for this, the following two steps have to be carried out.
• Input vectors enumeration
• Testing techniques
Input vectors enumeration
The first step is to find all the application parts that could be vulnerable to input validation bypassing. These parts include GET and POST queries, HTML forms and file uploads, as well as all other parts that accept content from the user.
Some examples of possibly vulnerable URLs:
http://example.com/index.php?file=content
http://example.com/main.cgi?home=index.htm
There could also be cookies that are used for the dynamic generation of pages/templates.
Testing techniques
Once the input surface has been established, the input validation functions of this surface have to be analysed. So, starting from the first example URL, it can be seen that it loads the resource called content. If, instead of content, an attacker were to insert the string “../../../../etc/passwd”, the password hash file of a Unix system would be shown. Obviously, in order to perform this attack, the underlying system has to be known. It would not make any sense to request the passwd file on a Windows server. This attack could be used to display restricted files, since the application is the one requesting them. It can also be used to display the source code of the application itself, in order to gain more knowledge about it and discover new attack points. For example:
http://example.com/main.cgi?home=main.cgi
This example would display the source code of the “main.cgi” file without even using any path traversal characters.
Usually, applications use countermeasures to avoid this kind of attack, such as not allowing the slash character, or checking that the string ends with a certain file type. These countermeasures can be bypassed by encoding the path traversal string or by using special characters such as the null character. It also has to be taken into account that each operating system uses a different character as path separator.
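The following is an added example (not code from the original text) contrasting the naive file-serving pattern described above with a hardened resolver that applies the countermeasures this section mentions and also covers the ways they are said to be bypassed: encoded separators, the null character, and the alternative path separator. The root directory and the allowed suffixes are assumed values chosen for the example.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed root directory for the example; the real one is wherever the application keeps its pages.
ROOT = os.path.abspath("/srv/app/content")
ALLOWED_SUFFIXES = (".htm", ".html", ".txt")


def resolve_vulnerable(root: str, requested: str) -> str:
    """The pattern the text warns about: the user-supplied name is joined to the root unchecked."""
    return os.path.join(root, requested)


def resolve_hardened(root: str, requested: str) -> Optional[str]:
    """Return the absolute path to serve, or None when the request must be rejected."""
    # Decode once so percent-encoded separators (%2f, %2e) cannot slip past the checks below.
    name = unquote(requested)
    # A null byte can truncate the name at the OS level, defeating a suffix check; reject outright.
    if "\x00" in name:
        return None
    # Treat both separators as separators regardless of host OS (the text notes each OS differs).
    if "/" in name or "\\" in name:
        return None
    # Defence in depth: normalise and confirm the result still lies inside the root.
    candidate = os.path.normpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root:
        return None
    # Allow-list the file type on the decoded, normalised name, so main.cgi cannot be served as a page.
    if not candidate.endswith(ALLOWED_SUFFIXES):
        return None
    return candidate
```

The vulnerable resolver returns a path that normalises to /etc/passwd for the traversal string quoted above; the hardened one rejects that request, its percent-encoded form, the null-byte variant and the request for main.cgi itself.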
3.5.2 Testing for Bypassing Authorization Schema
This test focuses on verifying the authorization schema of the application. It tries to discover whether a user can access resources or invoke functions that are denied to their role. The objective of this test is to find whether a user without administrative privileges can access resources or functions that are reserved for administrative users. For example, the target could have a function to create a new user. If an unauthorized user were able to use this function, this would be a security threat, because the newly created user could be given administrative privileges, and thus the attacker would have complete control of the application.
Another test would be to try to access resources that are only accessible for certain roles. For example, inside a shared directory where certain files are supposedly accessible only by users with roleA, if one of these files is accessible by a user with roleB, this could also be a threat to the system.
3.5.3 Testing for Privilege Escalation
Privilege escalation is the act of modifying a user account’s privileges without the permission to do so. There are two types of privilege escalation, vertical and horizontal.
Vertical privilege escalation is when a user gains access to resources granted to users with more privileges than they have. This could be used to perform administrative actions on a system without being the administrator. On the other hand, horizontal privilege escalation is when a user performs actions that belong to a different user with similar privileges. This could be used to access another user’s bank account in an online banking system.
In order to test this, the tester has to check all the portions of the application where a user can create, receive or delete information from the database. The tester has to check whether they can access any portion of the application as another user or not. The tester should try to find where the role of the user is specified, if it is specified somewhere besides the server. If a GET or POST request contains a parameter indicating a group or role, this could be susceptible to a privilege escalation attack.
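As an added illustration for sections 3.5.2 and 3.5.3 (not code from the original text), the following contrasts an authorization decision that trusts a role parameter in the request with one that takes role and ownership only from server-side state, so that it denies both the vertical case (a non-admin creating a user) and the horizontal case (a user viewing another user’s account). The session store, account table and action names are constructed for the example.

```python
from typing import Dict

# Constructed server-side state: sessions map to the user and role the server assigned at login,
# and each account records its owner. Nothing here is taken from the client request.
SESSIONS: Dict[str, Dict[str, str]] = {
    "sess-alice": {"user": "alice", "role": "user"},
    "sess-bob": {"user": "bob", "role": "user"},
    "sess-admin": {"user": "carol", "role": "admin"},
}
ACCOUNTS: Dict[str, Dict[str, str]] = {
    "acct-1": {"owner": "alice"},
    "acct-2": {"owner": "bob"},
}
ADMIN_ACTIONS = {"create_user"}


def is_allowed_vulnerable(params: Dict[str, str]) -> bool:
    """The pattern the text flags: a role carried in the GET/POST parameters decides access."""
    return params.get("role") == "admin"


def is_allowed(session_id: str, action: str, params: Dict[str, str]) -> bool:
    """Decide using only server-side state; 'params' is the client request and is never trusted for role."""
    session = SESSIONS.get(session_id)
    if session is None:
        return False  # unauthenticated
    # Vertical check: administrative functions require the server-recorded admin role.
    if action in ADMIN_ACTIONS:
        return session["role"] == "admin"
    # Horizontal check: a user may only view accounts they own (admins may view any).
    if action == "view_account":
        account = ACCOUNTS.get(params.get("account", ""))
        if account is None:
            return False
        return session["role"] == "admin" or account["owner"] == session["user"]
    # Anything not explicitly granted is denied.
    return False
```

A request carrying role=admin is accepted by the vulnerable check but has no effect on the server-side one, which is exactly the difference the tester is looking for when a role or group parameter appears in a request.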