Indispensable Knowledge: Top 10 Network Vulnerabilities — Ineffective Access Control

Starting today, the network engineers' knowledge corner will walk through the current OWASP Top 10. If you find it useful, please bookmark us. Today's topic is A01: Broken Access Control.

Before the 2021 update, the A1 position was held by Injection, best known in the form of SQL injection. Parameterized queries and safer framework defaults have made injection less common in well-built applications, and the updated Top 10 also widened that category: Injection now sits at A03 and absorbs cross-site scripting. The new A01 is Broken Access Control, which moved up from fifth place in the previous list.

Unlike injection, broken access control is what we usually call privilege escalation: an attacker uses whatever means are available to obtain more authority than they were granted. Once past the access control, they act as an administrator or as another user and create, read, update or delete data in the target system. Two directions are distinguished. Vertical escalation is when an attacker raises an ordinary user's rights to those of an administrator and performs unauthorized operations on the system. Horizontal escalation is when an attacker who holds user A's permissions obtains user B's permissions and performs operations that only B should be allowed to perform.

Common ways in which broken access control is exploited are as follows:

1. Violation of the principle of least privilege or deny by default: access that should be granted only to specific capabilities, roles or users is available to anyone.

2. Bypassing access control checks by modifying the URL, the internal application state or the HTML page, or by using a custom API attack tool.

3. Viewing or editing someone else's account by directly referencing its unique identifier (insecure direct object reference).

4. Missing access controls for POST, PUT and DELETE when accessing the API.

5. Acting as a user without being logged in, or as an administrator when logged in as an ordinary user.

6. A CORS misconfiguration that allows untrusted origins to access the API.

7. Unauthenticated users browsing authenticated pages, or standard users viewing privileged pages.

8. Metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) access control token, or abusing a JWT, cookie or hidden field to escalate privileges.
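Items 1, 3, 4, 5 and 7 above come down to one pattern: a handler that trusts an identifier or an HTTP method without asking who is calling and what they own. The following is an added illustration, not code from the original post. It puts a vulnerable order-lookup handler next to a hardened version that denies by default, enforces record ownership and logs every refusal. The users, orders, the `Session` class and all function names are constructed for the example.

```python
import logging
from dataclasses import dataclass
from typing import Callable, Optional

log = logging.getLogger("access_control")

# Constructed sample data for the example: two customers and one administrator.
USERS = {
    "alice": {"role": "customer"},
    "bob": {"role": "customer"},
    "root": {"role": "admin"},
}
ORDERS = {
    1001: {"owner": "alice", "total": 42.00},
    1002: {"owner": "bob", "total": 99.50},
}


@dataclass
class Session:
    """Who the request is authenticated as; None models an anonymous request."""
    user: Optional[str]


class Forbidden(Exception):
    pass


def get_order_vulnerable(session: Session, order_id: int) -> dict:
    """IDOR: returns whatever record the supplied identifier points at.

    No authentication check and no ownership check, so Alice (or an anonymous
    caller) reads Bob's order just by changing order_id in the URL. That is
    horizontal privilege escalation; the caller never needed Bob's session.
    """
    return ORDERS[order_id]


def _require_user(session: Session, action: str, order_id: int) -> str:
    """Deny by default: anonymous or unknown principals get nothing."""
    if session.user is None or session.user not in USERS:
        log.warning("denied: unauthenticated %s on order %s", action, order_id)
        raise Forbidden("authentication required")
    return session.user


def get_order(session: Session, order_id: int) -> dict:
    """Hardened read: the caller must own the record or hold the admin role."""
    user = _require_user(session, "read", order_id)
    order = ORDERS.get(order_id)
    # A missing record and a record belonging to someone else get the same
    # answer, so the endpoint cannot be used to enumerate valid identifiers.
    if order is None or (order["owner"] != user and USERS[user]["role"] != "admin"):
        log.warning("denied: %s read order %s", user, order_id)
        raise Forbidden("not found or not permitted")
    return order


def delete_order(session: Session, order_id: int) -> bool:
    """Hardened delete: admin only. A customer who reaches this handler by
    switching the HTTP method to DELETE is attempting vertical privilege
    escalation and is refused even for a record they own."""
    user = _require_user(session, "delete", order_id)
    if USERS[user]["role"] != "admin" or order_id not in ORDERS:
        log.warning("denied: %s delete order %s", user, order_id)
        raise Forbidden("not found or not permitted")
    del ORDERS[order_id]
    return True


def is_denied(handler: Callable, session: Session, order_id: int) -> bool:
    """True if the handler refuses the request with Forbidden."""
    try:
        handler(session, order_id)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    alice, nobody, root = Session("alice"), Session(None), Session("root")
    print("vulnerable, alice reads bob's order:", get_order_vulnerable(alice, 1002))
    print("hardened, alice reads bob's order denied:", is_denied(get_order, alice, 1002))
    print("hardened, anonymous read denied:", is_denied(get_order, nobody, 1001))
    print("hardened, customer delete denied:", is_denied(delete_order, alice, 1001))
    print("hardened, admin read of bob's order:", get_order(root, 1002))
```

The ownership check lives next to the data access rather than in the URL routing, so the same rule applies whether the request arrives as GET, DELETE or through an API client that skips the HTML page entirely. The warning log lines are what a monitoring rule would alert on when one session is refused many different identifiers in a short time.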

The common defenses are as follows:

1. Deny by default, except for public resources.

2. Implement access control mechanisms once and reuse them throughout the application, and minimize the use of Cross-Origin Resource Sharing (CORS).

3. Model access controls should enforce record ownership rather than accepting that a user may create, read, update or delete any record.

4. Unique application business limit requirements should be enforced by domain models.

5. Disable web server directory listing, and make sure that file metadata (such as a .git directory) and backup files are not present within the web root.

6. Log access control failures and alert administrators when appropriate, for example on repeated failures.

7. Rate limit API and controller access to minimize the harm from automated attack tools.

8. Stateful session identifiers should be invalidated on the server after logout. Stateless JWT tokens should be short-lived so that the attacker's window is minimized; for longer-lived JWTs, follow the OAuth standards to revoke access.
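Defense 8 and attack item 8 (JWT replay and tampering) meet in the token verifier. The example below is added here and is not code from the original post; it uses only the Python standard library to mint a short-lived HS256 JWT and to verify it, rejecting a token whose role claim was rewritten, a token whose header was switched to `alg: none`, and a token past its `exp`. The secret, the five-minute lifetime, the claim names and the fixed clock values are constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; a real deployment loads this from a secret store.
SECRET = b"constructed-demo-key-do-not-reuse"
LIFETIME_SECONDS = 300  # short-lived token: a stolen or replayed one dies quickly


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def mint(sub: str, role: str, now: Optional[int] = None) -> str:
    """Issue an HS256 token carrying subject, role and a short expiry."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "role": role, "iat": now, "exp": now + LIFETIME_SECONDS}
    signing_input = _encode(header) + "." + _encode(claims)
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the token is authentic and unexpired, else None.

    The server decides the algorithm; the token's own 'alg' header is only
    checked for agreement, never trusted to select a verifier.
    """
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(p64))
        sig = _b64url_decode(s64)
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # rejects 'none' and any algorithm switch
    if not isinstance(claims, dict):
        return None
    expected = hmac.new(SECRET, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # payload or signature was tampered with
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None  # expired, or expiry missing
    return claims


def forge_role(token: str, new_role: str) -> str:
    """Attacker side: rewrite the role claim while keeping the original signature."""
    h64, p64, s64 = token.split(".")
    claims = json.loads(_b64url_decode(p64))
    claims["role"] = new_role
    return h64 + "." + _encode(claims) + "." + s64


def forge_alg_none(token: str, new_role: str) -> str:
    """Attacker side: switch the header to alg=none and drop the signature."""
    _, p64, _ = token.split(".")
    claims = json.loads(_b64url_decode(p64))
    claims["role"] = new_role
    return _encode({"alg": "none", "typ": "JWT"}) + "." + _encode(claims) + "."


if __name__ == "__main__":
    issued = 1_700_000_000  # fixed clock so the demo is reproducible
    token = mint("alice", "customer", now=issued)
    print("genuine token:", verify(token, now=issued + 10))
    print("role rewritten:", verify(forge_role(token, "admin"), now=issued + 10))
    print("alg=none:", verify(forge_alg_none(token, "admin"), now=issued + 10))
    print("after expiry:", verify(token, now=issued + LIFETIME_SECONDS))
```

Pinning the algorithm on the server side is what closes the `alg: none` and algorithm-confusion cases; the constant-time comparison keeps the signature check from leaking byte-by-byte. A short `exp` bounds how long a replayed token works, which is the whole point of defense 8: the verifier has no session table to consult, so time is the only thing that ends a stateless token's life unless you add a revocation list.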
