TryHackMe — OWASP Broken Access Control WriteUp/Walkthrough with Answers


The Contents of the Room:

Task 1: Introduction

Broken Access Control is a significant security vulnerability where applications or systems fail to properly restrict access to sensitive data or functions, allowing unauthorized access. Students will learn to understand the concept, identify these vulnerabilities in web applications, experiment with them safely, and implement measures to prevent them. Prerequisites include knowledge of JSON, web apps, HTTP, scripting languages like PHP and JavaScript, familiarity with web security standards like OWASP Top 10, and basic use of proxy tools like Burp Suite.

Click me to proceed onto the next task.

Answer: No answer needed

Task 2: Broken Access Control Introduction

In the ever-evolving landscape of cybersecurity, safeguarding sensitive data and controlling access to critical resources is paramount. Access control is the linchpin of security systems, dictating who can access what and under what circumstances. However, even robust access control mechanisms can fall prey to vulnerabilities, with broken access control being a notorious culprit. In this blog, we’ll delve into the world of access control, explore its various forms, and learn how to mitigate the risks posed by broken access control.

Access Control: The Sentry of Digital Fortresses

Access control is the gatekeeper of the digital realm, ensuring that only authorized users or systems can access specific resources or functionalities. Its primary mission is to protect sensitive data from falling into the wrong hands. Let’s explore some common types of access control mechanisms:

1. Discretionary Access Control (DAC): In DAC, resource owners or administrators determine who can access a resource and what actions they can perform. It’s like a castle where the king bestows keys upon advisors, granting them access to specific doors.

2. Mandatory Access Control (MAC): MAC enforces access based on predefined rules or policies set by the system. Imagine a fortress where only individuals with specific security clearances can access certain areas, with no exceptions allowed.

3. Role-Based Access Control (RBAC): In RBAC, users are assigned roles defining their level of access. Think of a modern corporation with managers, executives, and sales staff, each having different access privileges.

4. Attribute-Based Access Control (ABAC): ABAC grants access based on attributes like user role, time of day, location, or device. It’s akin to a futuristic security system scanning individuals for specific attributes before granting access.

Mitigating the Broken Access Control Menace

While access control mechanisms serve as the guardians of security, they aren’t immune to vulnerabilities. Broken access control occurs when these mechanisms fail to enforce restrictions correctly, leading to unauthorized access. Let’s explore common broken access control vulnerabilities and how to thwart them:

1. Horizontal Privilege Escalation: Attackers gain access to other users’ resources with the same access level. For instance, they might manipulate the URL to access another user’s account. Mitigation involves stringent session management and careful validation of user inputs.

2. Vertical Privilege Escalation: Attackers ascend to higher privilege levels, such as gaining administrative access. Guard against this by verifying user roles and permissions at each step of an action.

3. Insufficient Access Control Checks: When checks are flawed or inconsistent, attackers can bypass them. Ensure access controls are consistently applied throughout the application and conduct thorough security testing.

4. Insecure Direct Object References (IDOR): Attackers exploit weaknesses in access control mechanisms to access unauthorized resources or data. Mitigate IDOR by using unpredictable identifiers for sensitive data and validating user requests.

In conclusion, access control is the cornerstone of cybersecurity, protecting valuable resources from unauthorized access. However, vulnerabilities like broken access control can undermine these defenses. By understanding the various access control mechanisms and diligently implementing security best practices, we can fortify our digital fortresses and keep sensitive data safe from prying eyes. Regular reviews and testing are crucial to ensure that access control remains robust in the face of evolving threats.

What is IDOR?

Answer: Insecure Direct Object References

What occurs when an attacker can access resources or data belonging to other users with the same level of access?

Answer: Horizontal privilege escalation

What occurs when an attacker can access resources or data from users with higher access levels?

Answer: Vertical privilege escalation

What is ABAC?

Answer: Attribute-Based Access Control

What is RBAC?

Answer: Role-Based Access Control

Task 3: Deploy the Machine

Once the machine is generated, you’ll receive its IP address. You have the option to either use TryHackMe’s AttackBox or your own VM connected to TryHackMe’s VPN for the attack.

If you choose to use the AttackBox, you can simply click the “Start AttackBox” button above the room name. After starting the AttackBox or connecting your own VM to TryHackMe’s VPN, you can access the target website application by entering the provided IP address (http://10.10.236.180/) into your browser.

I have deployed the machine attached to the task.

Answer: No answer needed

Task 4: Assessing the Web Application

The web application in focus includes Registration, Login, and Dashboard pages. To analyze potential vulnerabilities, a penetration tester would typically register an account and then examine the login function for access control issues.

HTTP traffic is captured using tools like Burp Suite. The responses carry no security headers, which suggests little hardening has been applied. The server runs Linux (Debian) with Apache/2.4.38 and PHP/8.0.19. The JSON login response includes parameters that are worth testing for privilege escalation.

What is the type of server that is hosting the web application? This can be found in the response of the request in Burp Suite.

Answer: apache

What is the name of the parameter in the JSON response from the login request that contains a redirect link?

Answer: redirect_link

What Burp Suite module allows us to capture requests and responses between ourselves and our target?

Answer: proxy

What is the admin’s email that can be found in the online users’ table?

Answer: [email protected]

Task 5: Exploiting the Web Application

  • Upon login, functions.php returns a JSON response with a redirect_link parameter.
  • Intercept the HTTP response and change the flag carried in the redirect_link value from “false” to “true” (or vice versa) in the address bar.
  • This modification redirects you to admin.php, a page hidden from normal users.
  • You can then explore potential vertical privilege escalation by modifying the “Admin access” column for your registered account.
  • Clicking the “Save Changes” button grants admin privileges, allowing you to potentially revoke access from other admin users.
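The flaw above, as an added example that is not the room's code: the pattern where admin status rides in the redirect next to a version where it never leaves the server. The file names functions.php and admin.php come from the task; the session keys and the is_admin column are assumptions.

```php
<?php
// Added example, not the room's code: the Task 5 bug and its fix side by side.
// Assumed layout: functions.php answers the login, admin.php is the hidden page.

// VULNERABLE: authorization rides in a client-visible flag. functions.php puts
// the user's admin status into redirect_link, and admin.php trusts it back.
function vulnerableLoginResponse(array $user): string
{
    $flag = $user['is_admin'] ? 'true' : 'false';
    return json_encode(['status' => 'ok',
                        'redirect_link' => "dashboard.php?isadmin=$flag"]);
}

// admin.php (vulnerable): whoever edits ?isadmin=true in the address bar is in.
function vulnerableAdminCheck(array $get): bool
{
    return ($get['isadmin'] ?? 'false') === 'true';
}

// HARDENED: the decision lives only in server-side session state, copied from
// the database row at login. The redirect carries no authorization data at all.
function hardenedLoginResponse(array $user, array &$session): string
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);        // fresh id after authentication
    }
    $session['user_id']  = (int)$user['id'];
    $session['is_admin'] = (bool)$user['is_admin'];
    return json_encode(['status' => 'ok', 'redirect_link' => 'dashboard.php']);
}

// admin.php (hardened): returns the HTTP status to answer with. The request is
// consulted only to log a tampering signal; it never influences the decision.
function hardenedAdminCheck(array $session, array $get): int
{
    if (empty($session['user_id'])) {
        return 401;                         // no authenticated session
    }
    if (empty($session['is_admin'])) {
        if (($get['isadmin'] ?? null) === 'true') {
            error_log("access-control: user {$session['user_id']} sent isadmin=true without the admin role");
        }
        return 403;
    }
    return 200;
}
```

With `$session` populated by hardenedLoginResponse for a non-admin user, hardenedAdminCheck returns 403 even when the browser sends isadmin=true, and the error_log line gives the SOC a concrete signal to alert on.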


What kind of privilege escalation happened after accessing admin.php?

Answer: vertical

What parameter allows the attacker to access the admin page?

Answer: isadmin

What is the flag in the admin page?

Answer: THM{I_C4n_3xpl01t_B4c}

Task 6: Mitigation

There are several steps that can be taken to mitigate the risk of broken access control vulnerabilities in PHP applications:

  • Implement Role-Based Access Control (RBAC): RBAC regulates access to computer or network resources based on the roles of individual users within an enterprise. By defining roles in an organization and assigning access rights to those roles, you control what actions a user can perform on a system. The provided code snippet illustrates how you can define roles (such as ‘admin’, ‘editor’, or ‘user’) and the permissions associated with them. The hasPermission function checks whether a user with a given role holds a specified permission.
  • Use Parameterized Queries: Parameterized queries are a way to protect PHP applications from SQL Injection attacks, where malicious users could potentially gain unauthorized access to your database. By using placeholders instead of directly including user input into the SQL query, you can significantly reduce the risk of SQL Injection attacks. The provided example demonstrates how a query can be made secure using prepared statements, which separate SQL syntax from data and handle user input safely.
  • Proper Session Management: Proper session management ensures that authenticated users have timely and appropriate access to resources, thereby reducing the risk of unauthorized access to sensitive information. Session management includes using secure cookies, setting session timeouts, and limiting the number of active sessions a user can have. The code snippet shows how to initialize a session, set session variables, and check for session validity by looking at the last activity time.
  • Use Secure Coding Practices: Secure coding practices involve methods to prevent the introduction of security vulnerabilities. Developers should sanitize and validate user input to prevent malicious data from causing harm and avoid using insecure functions or libraries. The given example shows how to sanitize user input using PHP’s filter_input function and demonstrates how to securely hash a password using password_hash instead of an insecure function like md5.
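Since the room's snippets are not reproduced on this page, the following is an added example (not TryHackMe's code) of the four practices above in PHP; the role and permission names, the users table columns and the 15-minute idle timeout are assumed values.

```php
<?php
// Added example, not the room's code: the four Task 6 mitigations in one place.
// Roles, permissions, the users table layout and the timeout are assumptions.

// 1. RBAC: each role lists exactly the permissions it holds; unknown roles get none.
const ROLE_PERMISSIONS = [
    'admin'  => ['view_dashboard', 'edit_users', 'grant_admin'],
    'editor' => ['view_dashboard', 'edit_content'],
    'user'   => ['view_dashboard'],
];

function hasPermission(string $role, string $permission): bool
{
    return in_array($permission, ROLE_PERMISSIONS[$role] ?? [], true);
}

// 2. Parameterized query: the email travels as a bound value, never as SQL text.
function findUserByEmail(PDO $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, email, password_hash, role FROM users WHERE email = ?');
    $stmt->execute([$email]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// 3. Session management: a session idle longer than $timeout seconds is wiped;
//    a live one has its last-activity stamp slid forward.
function sessionIsValid(array &$session, int $now, int $timeout = 900): bool
{
    if (empty($session['user_id']) || empty($session['last_activity'])) {
        return false;
    }
    if ($now - $session['last_activity'] > $timeout) {
        $session = [];
        return false;
    }
    $session['last_activity'] = $now;
    return true;
}

// 4. Secure coding: validate input with filter_input and hash with password_hash
//    (bcrypt by default); check later with password_verify, never with md5.
function registerFromRequest(): ?array
{
    $email    = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
    $password = filter_input(INPUT_POST, 'password', FILTER_UNSAFE_RAW);
    if (!$email || !is_string($password) || strlen($password) < 12) {
        return null;                           // reject malformed input outright
    }
    return ['email' => $email, 'password_hash' => password_hash($password, PASSWORD_DEFAULT)];
}
```

A dashboard action such as granting admin rights should be gated on `sessionIsValid()` plus `hasPermission($session['role'], 'grant_admin')`, both read from server-side state rather than from anything in the request.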

Click me to proceed to the next task.

Answer: No answer needed

Task 7: Conclusion

Broken access control is a serious security flaw where systems fail to enforce proper access controls, allowing unauthorized users to access sensitive data or perform unauthorized actions.

  • Horizontal Privilege Escalation: Unauthorized access within the same privilege level.
  • Vertical Privilege Escalation: Unauthorized access to higher privilege levels, potentially leading to system compromise.

The impact can range from data breaches to system control. Mitigation references for PHP developers:

These resources help implement strong access controls and maintain system security.

Click me to finish this room.

Answer: No answer needed

And… that’s it! Thanks for reading my writeup!


Trupti Chavan

"Passionate about cyber security, dedicated to unraveling complexities, and advocating for a safer digital world."