Access control vulnerability (part 1)

Tram Ho

I. Opening

1. Article summary

In this article I want to introduce Access control vulnerabilities. Together we will learn the concepts of access and access control, then analyze and practice vulnerabilities around user access. Finally, we will also discuss some background information and prevention measures that protect users and systems against access control vulnerabilities.

2. Introduction to the concept of access, access control.

Every user in an application or system holds a certain role, for example administrator, normal user or guest, and each role has a different level of access to system features. Consider an example from the series of articles about Authentication vulnerabilities: Hoa is the manager at the X milk tea shop, where there is a dedicated computer for processing orders, deliveries and so on. Ngoc is a salesperson at the X milk tea shop, managed by Hoa. The computer system therefore needs to separate privileges clearly: Hoa will have the role of administrator, and Ngoc will have the role of staff. Ngoc will only have the right to work with customers' orders, but not the right to see the shop's daily revenue, a feature that can only be accessed and used by the administrator. If somehow Ngoc illegally accesses features outside her jurisdiction, we can say that Ngoc is performing a broken access control attack.

(Source: https://portswigger.net/web-security/access-control )

3. Several models of secure access control.

When implementing an access control system, the administrator needs an overview of the system and of the actual problem, and should follow established access control models. Each model has its own advantages and disadvantages; depending on the specific case, the appropriate model must be chosen for the controls to work best.

3.1. Discretionary access control (DAC)

Discretionary access control (DAC) is a security access control model that grants or restricts access to an object through an access policy defined by the object's owner or owning group. In other words, the owner defines the object's access privileges.

The DAC model is relatively flexible in how it delegates privileges: the owner of an object can transfer all of the permissions they hold, so it adapts well and can be applied in many systems. However, DAC also has some disadvantages:

  • Because permissions can be delegated, resource management becomes distributed, which at the same time increases the risk to the system.
  • It cannot guarantee overall security.
  • Access rights are easily transferred, and when the number of subjects and objects is large, enforcement imposes a large cost on the system, leading to low efficiency and poor scalability in large network environments.

3.2. Mandatory access control (MAC)

Mandatory Access Control (MAC) was proposed in the 70s of the 18th century and was first used and verified on the Multics model. Compared to the discretionary access control introduced above, MAC rules and policies are stricter.

The basic idea of the MAC model is this: in an access control system, each subject and object is assigned certain security attributes; the system then evaluates and compares the attributes of the subject and the object to determine whether access is allowed. It can be said that MAC is representative of multi-level security models.

MAC is mandatory and cannot be changed unilaterally. The MAC model stipulates that higher-level subjects can obtain information from lower-level objects, but not the reverse. Specifically, if subject A's rank is higher than object B's, subject A can read information and resources in object B; if subject A's rank is lower than object B's, subject A can only perform write operations on object B's information and resources; if subject A and object B have equal rank, then neither a read nor a write operation between them can be performed.

Notably, unlike DAC, in the MAC model users and resource owners do not have the ability to authorize or modify access rights for their resources. Thus, MAC ensures the security of system information.

3.3. Role-based access control (RBAC)

Role-based access control (RBAC) was proposed in the 1990s. The RBAC model is considered an effective access control technology and is rated better than the other models.

In RBAC, subjects and objects are not directly connected; instead, subjects are assigned one or more roles. First, the permissions for access operations are attached to roles, then these roles are assigned to the respective subjects. Through its roles, the subject obtains access to the object.

RBAC offers better manageability than other access control models and, if it is designed with enough granularity, it can be used to manage access in complex applications. A user can carry multiple roles and a role can carry multiple permissions.

For example:

  • User Nguyen Van A has admin rights, user rights.
  • User Nguyen Van B has user rights.
  • Admin has the right to read, add, edit and delete posts.
  • User only has permission to read posts.

RBAC is most effective when there are enough roles to express the access controls properly, but not so many that the model becomes complex and difficult to manage.
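The role and permission assignments from the example above, written out as a small RBAC check. This is an added example, not code from the original article; the permission names, the User type and the delete_post handler are assumptions made for illustration.

```python
# Added example (not from the original article): a minimal RBAC check that
# models the article's scenario: permissions attach to roles, roles attach
# to users, and the subject is never linked to the object directly.
from dataclasses import dataclass, field

# Role -> permissions, from the article's list (admin: CRUD posts; user: read)
ROLE_PERMISSIONS = {
    "admin": {"post:read", "post:add", "post:edit", "post:delete"},
    "user": {"post:read"},
}

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

def effective_permissions(user: User) -> set:
    """Union of the permissions of every role the user holds.
    Unknown roles grant nothing, so the check fails closed."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def is_allowed(user: User, permission: str) -> bool:
    """Authorization decision; anything not explicitly granted is denied."""
    return permission in effective_permissions(user)

def delete_post(user: User, post_id: int) -> str:
    """Enforce on the server at the point of action, regardless of which
    buttons the client was shown."""
    if not is_allowed(user, "post:delete"):
        raise PermissionError(f"{user.name} may not delete posts")
    return f"post {post_id} deleted"

# Constructed users from the article's example
NGUYEN_VAN_A = User("Nguyen Van A", {"admin", "user"})
NGUYEN_VAN_B = User("Nguyen Van B", {"user"})

if __name__ == "__main__":
    print(delete_post(NGUYEN_VAN_A, 7))
    try:
        delete_post(NGUYEN_VAN_B, 7)
    except PermissionError as err:
        print("denied:", err)
```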

II. Common types of access control vulnerabilities

1. When does an access control vulnerability appear?

An access control vulnerability can appear when the programmer does not correctly restrict the limits of a user's permissions, or when the system decides a user's rights based on parameters that the user can change.

2. Some forms of access control

Before we get into analyzing and exploiting access control vulnerabilities, we need to understand the main types of access control. For each type, we will also analyze the vulnerabilities around it. They are usually divided into the following types:

2.1. Vertical access controls

Vertical access control is a mechanism that restricts sensitive functionality to specific types of users.

With vertical access controls, different users have access to different functions of the application. For example, an administrator can modify or delete any user's account, while normal users do not have the right to access or use these functions. Vertical access control can be a more granular implementation of security models designed to enforce business policies such as separation of duties and least privilege.

2.2. Horizontal access controls

Horizontal access control is a mechanism for restricting access to resources to users who are specifically authorized to access those resources.

With horizontal access control, different users have access to a subset of resources of the same type. For example, a banking application would allow users to view transactions and make payments from their own account, not any other user’s account.

2.3. Context-dependent access controls

Context-dependent access control restricts access to functionality and resources based on the state of the application or user interaction with it.

Context-dependent access control prevents users from taking actions out of order. For example, a retail website would prevent users from modifying the contents of their shopping cart after they have paid.
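The horizontal check from section 2.2 (a user may only touch their own resources) and the context-dependent check from section 2.3 (a cart cannot change after payment) enforced together in one handler. This is an added example with constructed data, not code from the original article; the cart store, the CartState enum and the function names are assumptions.

```python
# Added example (not from the original article): an order-handling function
# that enforces two of the checks described above, on constructed data.
# Horizontal: the cart must belong to the requesting user.
# Context-dependent: the cart must still be open, i.e. not yet paid.
from dataclasses import dataclass, field
from enum import Enum

class CartState(Enum):
    OPEN = "open"
    PAID = "paid"

@dataclass
class Cart:
    owner: str                  # account that created the cart
    state: CartState
    items: dict = field(default_factory=dict)

# Constructed in-memory store keyed by the cart id a client would send
CARTS = {
    101: Cart("alice", CartState.OPEN, {"tea": 2}),
    102: Cart("bob", CartState.PAID, {"milk": 1}),
}

def load_cart_for(user: str, cart_id: int) -> Cart:
    """Horizontal check: fetch by id, then compare the owner with the
    server-side session user, never with a client-supplied field."""
    cart = CARTS.get(cart_id)
    if cart is None or cart.owner != user:
        # Same error for "missing" and "not yours", so ids cannot be probed
        raise PermissionError("cart not accessible")
    return cart

def can_modify(user: str, cart_id: int) -> bool:
    # True only when both the ownership and the state check pass
    try:
        cart = load_cart_for(user, cart_id)
    except PermissionError:
        return False
    return cart.state is CartState.OPEN

def set_item(user: str, cart_id: int, item: str, qty: int) -> dict:
    """Context-dependent check: contents may change only while OPEN."""
    cart = load_cart_for(user, cart_id)
    if cart.state is not CartState.OPEN:
        raise PermissionError("cart already paid; contents are frozen")
    cart.items[item] = qty
    return dict(cart.items)

def pay(user: str, cart_id: int) -> CartState:
    # State transition; afterwards set_item() is refused for this cart
    cart = load_cart_for(user, cart_id)
    cart.state = CartState.PAID
    return cart.state
```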



Source : Viblo