T 5.172 Bypassing the authorisation in web applications
If a user has properly logged in to a web application, he/she is not necessarily granted access to all functions of the web application; this depends on the role assigned to the user. Therefore, after successful authentication of the user, the web application must verify for each individual function whether the logged in user is authorised to execute it (authorisation).
Attacks against the authorisation component of a web application aim to access functions or data that are actually only available to a limited group of users. If the access authorisation is implemented improperly by the web application, an attacker may expand his/her authorisations and gain access to protected areas and data of the web application. This is normally achieved by means of deliberately manipulated input from the attacker.
For example, possible targets of an attack include configuration files containing hard-coded access data for background systems, protected areas, or functions of the web application.
Possible weaknesses regarding the authorisation of access to web resources are listed below.
Examples:
- The so-called Null byte (%00 in URL encoding) is interpreted differently by the filter component of the web application and by the background systems. This way, the filter component of the web application accepts the character string malware.exe%00.jpg as a file name with the permissible file extension .jpg for images. The operating system, on the other hand, treats the Null byte and all following characters as not belonging to the file name and therefore handles the file under the name malware.exe. This way, restrictions to certain file types can be bypassed by attackers, for example in order to install malware on the web application.
- When entering path information, a relative reference (so-called Path Traversal) can be used to retrieve resources not intended to be accessed via the web application (e.g. ../../../config.xml). This may allow files worthy of protection, e.g. configuration files, to be downloaded from or overwritten in the file system in an unauthorised manner. Relative path information can be used not only to access files of the web application, but also to retrieve resources of the underlying IT system.
- Web applications frequently use object references to address a resource in a background system (e.g. http://host.tld/get.php?id=2). This way, resources such as the content for displaying a website can be assigned to a database entry. If object references are not taken into consideration by the authorisation component, it may be possible to access resources worthy of protection by manipulating the reference id in the URL.
- One approach sometimes used to protect information in a web application is to display the URL linking to this information only to authorised users. Unauthorised users do not know the URL. By systematic trial and error, an attacker may attempt to guess the URL and thereby gain access to protected information and/or functions of the web application. This attack is called "Forced Browsing".
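The following is an added example, not part of this catalogue entry, showing the server-side checks that close the four weaknesses listed above: Null-byte-aware file name validation, path resolution confined to the web root, an ownership check on object references, and deny-by-default route authorisation against Forced Browsing. The users, records, routes and the web root path /srv/app/public are constructed sample data; the function names are assumptions for illustration.

```python
import os
from urllib.parse import unquote

# Constructed sample data (not from the catalogue entry): logged-in users with
# their roles, and records in a background store keyed by the object reference
# that appears in URLs such as get.php?id=2.
USERS = {
    "alice": {"id": 1, "role": "user"},
    "bob": {"id": 2, "role": "user"},
    "carol": {"id": 3, "role": "admin"},
}
RECORDS = {
    1: {"owner": 1, "title": "alice's report"},
    2: {"owner": 2, "title": "bob's report"},
}
# Deny-by-default route table: a route absent from this map is never served,
# so guessing a URL (Forced Browsing) does not grant access by itself.
ROUTES = {"/account": {"user", "admin"}, "/admin/users": {"admin"}}
ALLOWED_UPLOAD_EXT = {".jpg", ".png"}


def validate_upload_name(raw_name: str) -> bool:
    """Validate an uploaded file name after URL decoding.

    Rejects embedded Null bytes (so 'malware.exe%00.jpg' cannot pass as .jpg),
    directory separators, and extensions outside the allow-list. Decoding first
    ensures the filter sees the same bytes the background system would.
    """
    name = unquote(raw_name)
    if "\x00" in name or name in ("", ".", ".."):
        return False
    if "/" in name or "\\" in name:
        return False
    ext = os.path.splitext(name)[1].lower()
    return ext in ALLOWED_UPLOAD_EXT


def resolve_within(base_dir: str, requested: str):
    """Resolve a user-supplied relative path and confirm it stays under base_dir.

    Returns the absolute path, or None if the path escapes the web root
    (Path Traversal) or contains a Null byte. realpath() normalises '../'
    sequences and symlinks before the containment check is made.
    """
    if "\x00" in requested:
        return None
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, requested.lstrip("/")))
    # commonpath() compares whole path components, so /srv/app/public2 is
    # correctly rejected as outside /srv/app/public.
    if os.path.commonpath([base, full]) != base:
        return None
    return full


def authorise_object_access(username: str, record_id: int) -> bool:
    """Authorise a request such as get.php?id=<record_id> for the logged-in user.

    The object reference from the URL is never trusted on its own: the record
    must exist and be owned by the user, unless the user holds the admin role.
    """
    user = USERS.get(username)
    record = RECORDS.get(record_id)
    if user is None or record is None:
        return False
    return user["role"] == "admin" or record["owner"] == user["id"]


def authorise_route(username: str, path: str) -> bool:
    """Deny-by-default route authorisation.

    Knowing the URL is not sufficient: the route must be listed in ROUTES and
    the user's role must be among those permitted for it.
    """
    user = USERS.get(username)
    if user is None:
        return False
    return user["role"] in ROUTES.get(path, set())


if __name__ == "__main__":
    print(validate_upload_name("malware.exe%00.jpg"))          # False
    print(resolve_within("/srv/app/public", "../../../config.xml"))  # None
    print(authorise_object_access("alice", 2))                  # False
    print(authorise_route("alice", "/admin/backup"))            # False
```

The upload check decodes before validating so that the filter and the file system agree on the name; the path check validates the resolved path rather than the raw input; and both the object and route checks answer "no" whenever the user, record or route is unknown, which is the behaviour the authorisation component needs in order not to be bypassed by manipulated references or guessed URLs.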