What does "failure to restrict URL access" mean?
Access to pages with administrator functions or private data is often not properly restricted. For example, it is commonly found that the only protection of these restricted pages is that a link to them is not provided to unauthorized users. However, if an unauthorized user knows or guesses the URL, then they will have full access to the page, giving them the ability to harm the system or view confidential data. Attacks on this vulnerability are usually called "forced browsing", where an attacker guesses links and uses brute force methods to find unprotected pages. According to OWASP, some of the most common flaws in web applications that allow these attacks include:
- "Hidden" or "special" URLs that are only displayed to users with the proper privileges, but that can be accessed by any user who knows the page exists.
- Access is often left open to "hidden" files, like static XML or system generated reports, in hope that security through obscurity will hide them.
- Code that enforces an access control policy, but it is out of date or insufficient.
- Code that determines privileges on the client side (JavaScript) rather than on the server side.
Who is vulnerable?
Any web application is potentially vulnerable.
How can it be prevented?
Access control should be enforced on every web page. It is wrong to check a user's authorization once during a multi-step process but not on the subsequent steps, because a hacker could simply skip the step that contains the check. Also, you should never assume that users will not be aware of hidden URLs or APIs. Finally, access should be blocked for file types that the system should never serve (e.g. pdf, php, html).
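As an added example (not code from the original post), here is a small, dependency-free Python authorization check that applies the advice above: it runs on the server for every request, denies any path that matches no policy entry, refuses blocked file types, and normalizes the path so that `..` tricks cannot reach an admin URL through a permitted prefix. The route policy, roles, blocked extensions and user names are all constructed for this example.

```python
import posixpath
from dataclasses import dataclass, field
from urllib.parse import unquote

# Constructed policy: path prefix -> roles allowed. A request whose path matches
# no entry is denied, so an unlinked "hidden" URL is still unreachable.
ROUTE_POLICY = {
    "/admin": {"admin"},
    "/reports": {"admin", "auditor"},
    "/account": {"admin", "auditor", "user"},
    "/public": {"admin", "auditor", "user", "anonymous"},
}

# Constructed list of file types the application should never serve directly.
BLOCKED_EXTENSIONS = {".php", ".xml", ".bak", ".log"}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=lambda: {"anonymous"})


def normalize(path):
    """Decode and collapse '.', '..' and repeated slashes, so that
    '/account/../admin/users' is judged as '/admin/users'."""
    return posixpath.normpath("/" + unquote(path).lstrip("/"))


def authorize(user, raw_path):
    """Server-side check run for every request, whatever step of a workflow it
    belongs to. Returns (allowed, reason); callers treat False as a 403."""
    path = normalize(raw_path)
    # 1. Never serve blocked file types, regardless of who asks.
    if posixpath.splitext(path)[1].lower() in BLOCKED_EXTENSIONS:
        return False, "blocked file type"
    # 2. Longest-prefix match on segment boundaries ('/accountant' must not
    #    inherit the '/account' rule). No match means deny by default.
    candidates = [p for p in ROUTE_POLICY if path == p or path.startswith(p + "/")]
    if not candidates:
        return False, "no policy for path"
    rule = max(candidates, key=len)
    if user.roles & ROUTE_POLICY[rule]:
        return True, f"allowed by rule {rule}"
    return False, f"needs one of {sorted(ROUTE_POLICY[rule])}"
```

Wire `authorize` into the request pipeline before any handler runs; a check that lives only in the first step of a wizard, or only in the browser, is exactly what forced browsing bypasses.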
For more info, check the OWASP page on this topic.