http://www.vulnerable-app.com/index.jsp?item=../../../../../../etc/passwd
http://www.vulnerable-app.com/index.jsp?item=../../../../../../boot.ini
12.2.2.8 Testing for Client-Side Authorization Vulnerabilities
Role-based access control (RBAC) for Web applications is ideally performed by authorizing users
of the application to have access to certain sections of the application. Lower-privilege users have
access to certain pages and can perform certain actions, and higher-privilege users have access to
certain other pages and privileged actions in the same Web application. If the authorization is not
driven from the server, where the server enforces authorization rules for subjects (users) to objects
(pages and actions) in the Web application, then an attacker can easily compromise the application
by means of privilege escalation. Several Web applications today rely excessively on JavaScript,
and authorization control is no different. Web applications rely on JavaScript to provide access to
users to pages and actions of the application. The JavaScript code authorizing users to Web pages
is as follows:
function Menu()
{
    // The role is read from a hidden field in the page, i.e. a value the client controls.
    var UserRole = document.getElementById('userRole').value;
    switch (UserRole)
    {
        // Each role only hides a menu entry; the page itself remains reachable by URL.
        case 'elevatedPrivUser':
            document.getElementById('thisScreen').style.display = 'none';
            break;
        case 'lowerPrivUser':
            document.getElementById('someOtherScreen').style.display = 'none';
            break;
        case 'evenLowerPrivUser':
            document.getElementById('yetAnotherScreen').style.display = 'none';
            break;
    }
}
As we can see from the above code snippet, the menu is generated for each user by the
JavaScript, and the number of pages visible to the user depends on the user's privilege. All that the
tester has to do to access all pages and perform all actions as a higher-privilege user of the Web
application, in the above case, is to disable JavaScript in his/her browser.
Alternatively, the tester can use a browser add-on such as NoScript for Mozilla Firefox, which
disables JavaScript for selected pages, and then perform actions that are meant to be restricted to
higher-privilege users. More information about a similar attack may be found on Abhay Bhargav's blog.*
12.2.2.9 Testing for Flawed Business Logic Implementation for Authorization
Business logic implementation for authorization is an intricate and very important aspect of
Web application security. Business logic implementation for authorization is not easy to assess
* The attack may be found at http://citadelnotes.blogspot.com/2009/05/overreliance-on-javascript-pen-testers.html.