Server-Side Topics
Access control - authorize users/processes to perform actions and access resources.
Authentication - the user is who they say they are
Session management - identify the subsequent HTTP requests made by that user
Access control - the user's action is allowed or not
Broken access control is a common source of critical security vulnerabilities. Access controls fall into three types:
Vertical - restrict access to sensitive application functions to specific types of users (e.g. an admin can modify/delete any user's data/account; an ordinary user cannot)
Horizontal - restrict access to resources to specific users (e.g. different users have access to different resources of the same type)
Context-dependent - restrict access to functionality and resources based upon the app's state and the user's interaction with it (e.g. a user cannot perform actions in the wrong order)
Vertical privilege escalation - a user gains access to functionality that they are not permitted to access.
e.g. The admin page can be accessed by browsing to the relevant admin URL. In some cases the admin URL is disclosed in locations such as the /robots.txt file, or is found with a wordlist brute-force attack.
Obscuring sensitive features with unpredictable URLs, often termed security by obscurity, is not reliable for access control. Users can still find these URLs through various means, such as inadvertent disclosure in role-based JavaScript.
Access control decisions in certain applications are based on user access rights or roles determined at login, stored in user-controllable locations such as hidden fields, cookies, or preset query string parameters. These parameters can be easily modified.
Platform misconfiguration can cause broken access control, where applications restrict access to URLs and HTTP methods based on user roles.
Overriding URLs with non-standard HTTP headers such as X-Original-URL and X-Rewrite-URL can lead to bypassing access controls. Example rule: DENY: POST, /admin/deleteUser, managers
The flexibility of HTTP methods can be exploited, such as using GET instead of the restricted method, to bypass platform-level access controls that are enforced based on URLs and methods.
Websites may interpret request paths differently, potentially causing access control URL-matching discrepancies, like treating /admin/deleteUser and /admin/deleteUser/ as separate endpoints, which can be exploited to bypass controls.
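The platform-level rule above, DENY: POST, /admin/deleteUser, managers, is modelled here as a toy checker next to a hardened one, so the three bypasses the notes list (a different HTTP method, a trailing slash or extra encoding on the path, and a role read from a client-controlled cookie) can be seen failing against the hardened version. This is an added illustration, not code from the notes; the Request class, the SESSIONS store and the session ids are constructed for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import unquote

@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)

# Constructed server-side session store: the role lives here, never in a cookie.
SESSIONS = {"sess-A": {"user": "alice", "role": "manager"},
            "sess-B": {"user": "bob", "role": "admin"}}

def weak_allowed(req):
    """'DENY: POST, /admin/deleteUser, managers' taken literally: exact method,
    exact URL string, and the role read from a client-controlled cookie."""
    role = req.cookies.get("role", "user")
    if role == "manager" and req.method == "POST" and req.path == "/admin/deleteUser":
        return False
    return True

def weak_backend_target(req):
    """A back end that honours X-Original-URL serves a path the rule never saw."""
    return req.headers.get("X-Original-URL", req.path)

def canonical_path(path):
    """Decode once, drop the query string, collapse '//' and a trailing '/'."""
    path = unquote(path).split("?", 1)[0]
    while "//" in path:
        path = path.replace("//", "/")
    return path.rstrip("/") or "/"

def hardened_allowed(req):
    """Role from the server-side session, decision on the canonical path,
    every HTTP method treated alike; override headers are never consulted."""
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return False
    path = canonical_path(req.path)
    if path == "/admin" or path.startswith("/admin/"):
        return session["role"] == "admin"
    return True
```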
Horizontal privilege escalation - a user gains access to resources belonging to another user.
e.g. A user can access another user's account and its associated data and functions, using attacks similar to vertical privilege escalation.
Manipulating parameters like id in URLs exploits an IDOR (insecure direct object reference) vulnerability and can expose other users' data. While some apps use unpredictable parameters like GUIDs to prevent guessing attacks, these unique identifiers might still be disclosed in other areas of the app (such as user messages or reviews).
Sometimes, an app detects unauthorized access attempts and redirects users to the login page. However, the redirected response may still leak sensitive user data.
Horizontal to vertical privilege escalation - a user gains access to the functions of a more privileged user (admin).
e.g. The admin page can be reached from an unprivileged account using horizontal privesc tampering techniques, after which vertical privesc is performed.
Targeting the app's administrator might disclose the admin password or give access to privileged functionality.
🎯 Attack
🛡️ Prevention
🔬 Labs
CheatSheet
HackTricks - File Inclusion/Path traversal
Path traversal (directory traversal) - read arbitrary files on the server running an application. Possible impact:
Read/write arbitrary files on the server
Modify the app
Take full control of the server
e.g. Loading an image on an HTML page with <img src="/loadImage?filename=218.png"> makes the server read the file 218.png from the /var/www/images/ directory.
🎯 Attack
A filename of ../../../etc/passwd makes the app read the path /var/www/images/../../../etc/passwd, which means that /etc/passwd is actually read.
Defenses like stripping or blocking directory traversal sequences can be bypassed with:
an absolute path (direct reference to a file) from the filesystem root directory - filename=/etc/passwd
nested traversal sequences - ....// , ....\/
(double) URL encoding of the ../ characters - %2e%2e%2f , %252e%252e%252f
the base folder followed by traversal sequences - filename=/var/www/images/../../../etc/passwd
the expected extension at the end, with a URL-encoded null byte to terminate the string - filename=../../../etc/passwd%00.png
🛡️ Prevention
Avoid passing user-supplied input to filesystem APIs altogether, or:
Validate user input (whitelist of permitted content/values)
Append the input to the base directory, canonicalize the path and verify that it starts with the expected directory
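The canonicalize-and-check defence from the prevention list, written out next to the three weak checks the bypass list defeats (non-recursive stripping, checking only the start of the path, checking only the file extension). This is an added example, not code from the notes or from any lab; BASE_DIR is the /var/www/images directory used above, and the input is assumed to have been URL-decoded exactly once by the web framework, so the resolver never decodes it again.

```python
import os

BASE_DIR = "/var/www/images"          # base directory from the notes
WEAK_PREFIX = BASE_DIR + "/"

class PathTraversalError(ValueError):
    pass

# --- weak defences, each one bypassable with an input from the list above ---
def weak_strip(filename):
    """Strips '../' once, non-recursively: '....//' collapses back into '../'."""
    return filename.replace("../", "")

def weak_prefix_ok(filename):
    """Only checks that the raw input starts with the base directory."""
    return filename.startswith(WEAK_PREFIX)

def weak_extension_ok(filename):
    """Only checks the suffix; a null byte before '.png' ends the string in
    C-backed file APIs, so the '.png' is never seen by the filesystem."""
    return filename.endswith(".png")

# --- the defence the notes recommend --------------------------------------
def safe_resolve(filename, base_dir=BASE_DIR):
    """Append the once-decoded input to the base directory, canonicalise, and
    require the result to stay under base_dir. Raises on any escape."""
    if "\x00" in filename:
        raise PathTraversalError("null byte in filename")
    base = os.path.realpath(base_dir)
    # os.path.join returns an absolute input unchanged, e.g. '/etc/passwd',
    # and the prefix check below then rejects it.
    candidate = os.path.realpath(os.path.join(base, filename))
    if candidate != base and not candidate.startswith(base + os.sep):
        raise PathTraversalError(f"{filename!r} escapes {base_dir}")
    return candidate

def is_safe(filename):
    try:
        safe_resolve(filename)
        return True
    except PathTraversalError:
        return False
```

Because the resolver does not decode a second time, a literal %2e%2e%2f in the input is just an odd directory name under the base, which is why the superfluous-URL-decode lab bypass does not apply to it.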
🔬 Labs
🔬 Lab: File path traversal, simple case
🔬 Lab: File path traversal, traversal sequences blocked with absolute path bypass
🔬 Lab: File path traversal, traversal sequences stripped non-recursively
🔬 Lab: File path traversal, traversal sequences stripped with superfluous URL-decode
🔬 Lab: File path traversal, validation of start of path
🔬 Lab: File path traversal, validation of file extension with null byte bypass
CheatSheet