Lab - Access Control

Authors: Alfredo Matos

Introduction

Access control is a core concept in information security, controlling access and usage of system resources. It is critical for protecting data, maintaining privacy, and ensuring only authorized subjects can perform actions within a system. When discussing access control we are usually considering authentication and authorization. Authentication verifies the user identity - is the the user who he says he is? - (using passwords, biometrics, etc), while authorization determines the level of access a user has to specific resources - is the user allowed to do this? - (using roles, permissions, etc).

Poor practices can lead to vulnerabilities such as broken access control, which is one of the top security risks in web applications today, according to the OWASP Top Ten. Specifically, broken access control occurs when users can bypass restrictions due to inadequate permissions or role management. Implementing robust access control measures is essential to protect information assets and maintain a secure environment for users and organizations.

In this lab we will be exploring access control vulnerabilities in an insecure web application.

OWASP JUICE SHOP

OWASP Juice Shop is an open-source web application designed for learning web security, including several OWASP Top 10 vulnerabilities. It features a category named Broken Access Control, which contains several vulnerabilities due to improper access restrictions. These vulnerabilities allow unauthorized access to sensitive information, making Juice Shop ideal for experimenting with access control.

You will explore and exploit the access control vulnerabilities present in Juice Shop, understand their impact, and learn best practices to prevent them. The built-in score board feature helps track progress through each exercise.

Setup

Docker Setup

Juice Shop can be run as a Docker container. If Docker is not installed on your system, please do so before proceeding.

Run the following commands to download and start Juice Shop:

   docker pull bkimminich/juice-shop
   docker run -d -p 3000:3000 -e "NODE_ENV=unsafe" bkimminich/juice-shop

Notice the use of NODE_ENV=unsafe. This environmental variable will enable potentially unsafe challenges. This will not be an issue for you as you are using a Virtual Machine, and the instance will not be public. Do not use this settings in a public instance of Juice Shop.

Juice Shop Access

After starting the Docker container, Juice Shop should be accessible at http://localhost:3000. Verify that the application is running by visiting this URL in a browser. You should see the Juice Shop home page.

Exercises

Visit the Juice Shop, create a couple of users, and get comfortable. What is the app? What does it do? Once you are ready, let’s get to the exercises.

Warmup (easy)

Let’s get our hacking skills flowing. Run a couple of prerequisite challenges to set up our access control feats.

Exercise 1: Find the Scoreboard

Goal: Access the scoreboard without logging in.

There is a hidden scoreboard in the application that allows us to check the challenges and work our way through Juice Shop. Can you find it?

  1. Find the Scoreboard section hidden in the app.
  2. Is it subjected to access control?

Hints: Find out how the application handles different sections and URLs. Where could the score-board be?

Exercise 2: Becoming Admin

Goal: Gain administrative access to the application.

This exercise is a two-for-one special. You will become an admin and discover the admin section.

  1. Navigate to the login page.
  2. Identify and exploit a vulnerability to log in as an admin.
  3. Once logged in, locate the administration area.

Hints: Recall the simple SQL Injection (SQLi) techniques from class #1. Use the developer console to inspect loaded files (main.js) if needed.

Escalation (medium)

Privilege escalation is a process where an attacker gains elevated access to resources that are normally protected from an application or user. This can occur in two forms: vertical and horizontal. Vertical privilege escalation involves gaining higher privileges, such as administrative rights, while horizontal privilege escalation involves accessing resources or functions meant for other users with similar privileges. Understanding and preventing privilege escalation is crucial for maintaining the security and integrity of a system.

Exercise 3: Eliminate feedback

Goal: Destroy poorly controlled information

The task is to eliminate a 5 star review. You’re already an admin, you manage things.

  1. Find out where you can perform admin utils
  2. Can you delete a review?
  3. What type of escalation is this?

Hints: Navigation is working fine as you are an admin. Get to the management area.

Exercise 4: View the basket of another user

Goal: Access another user’s information

  1. Check how the baskets are loaded and identified
  2. Create a second user (and a second basket)
  3. Back to the original user, try to load the other user’s basket
  4. What type of escalation is this?

Hints: Be prepared to inspect traffic and URLs using the developer tools in the console. You can use the dev console to perform requests (fetch), with:

fetch('url', 
   { headers: { 
         Authorization: `Bearer ${token}`
         } 
   }).then(response => response.json()).then(r => console.log(r.data))

Impersonation (hard)

Impersonation attacks occur when an attacker successfully takes on the identity of another user, either by changing his identity, or performing requests on another user’s behalf. This typically occurs due to poor access control mechanisms, and can lead to unauthorized actions being performed by a (potentially malicious) legitimate user, leading to significant problems.

If an application does not properly validate and enforce user tokens or sessions, an attacker might perform valid queries on unauthorized. Understanding and mitigating these vulnerabilities is crucial to maintaining the integrity and security of user identities within a system.

Exercise 5: Add items to a cart

Goal: Impersonate another user by adding items to another cart

Now that you can see the cart, can you add items to it?

  1. Check how items are added
  2. Can you replicate the requests? Remember the fetch command.

Exercise 6: Forge a review

Goal: Impersonate another user by adding a review

Now that you are comfortable handling requests and objects. Can you fake a review?

  1. Check how reviews are added
  2. Can you replicate the requests and add a review with another user id?

Next Steps

You’ve practiced identifying and exploiting Broken Access Control vulnerabilities in Juice Shop. By understanding these vulnerabilities and how attackers exploit them, you can take proactive steps to prevent such issues in real-world applications.

For further practice, continue exploring Juice Shop challenges directly from the scoreboard and review OWASP guidelines for implementing robust access control measures.

Solutions

Solutions for Juice Shop are available at: https://github.com/refabr1k/owasp-juiceshop-solutions/tree/master

Previous
Next

Last updated on 14 Nov 2024