Injection is a crucial vulnerability class that every OSCP student must be aware of, and we covered it in a previous article. It takes many forms, including SQL injection, command injection, and cross-site scripting.
The OWASP Top 10 is a list of the most critical web vulnerabilities, regularly updated and ranked by information security professionals, and injection is one of its entries. These are the most exploited vulnerabilities, so there is a lot of overlap between the Top 10 and the content you will encounter when you take the OSCP course.
Injection is just one of the ten categories on the list. It is worth your time, both as pre-OSCP preparation and as an informed infosec professional, to be familiar with all of them. Today we will discuss the three other OWASP Top 10 categories you are most likely to encounter during OSCP studies: broken access control, security misconfiguration, and vulnerable and outdated components.
Broken Access Control
This vulnerability moved up to the top spot in the 2021 revision of the Top 10, so it is a serious issue for internet security. It is so bad that OWASP reports nearly 4% of sites tested had broken access control.
Although that may sound low, it means that one in 25 web apps was vulnerable. Do you use 25 web apps regularly? The real number could be higher. Remember that almost everything, from email to banking to social networking to project planning to online education, is a web application these days.
Let’s step back and ask what broken access control is and why it matters. A better starting question is: what is access control? Consider the AAA framework and how it applies to access. The first A is authentication, which is essentially the login; it can be done via password, single sign-on, or OAuth. The second A is authorization, which is whether the authenticated user is permitted to reach the requested resource. For a file, the access controls decide whether the authenticated user holds the read permission needed to open it.
Broken access control is when an authenticated user can access something they shouldn’t: viewing sensitive information such as another person’s bank details or orders, or opening files they have no right to. For example, you log in to view the details of your order. The URL of the page is:
What happens if you change the URL to 124? The app should return an error if that is not your order. You can try it with Amazon right now; Amazon’s order details page URLs carry the order in an orderID query string, and changing the orderID returns “There is a problem loading that order,” or, in other words, “Nice try hackerman, but no dice!”
On a less secure website, however, broken access control would let you see another person’s order, modify or cancel it, read their name and address, and, if security at mywebstore.com is really bad, their credit card information. These are known as horizontal access control attacks: you gain access to another user’s data, but not necessarily elevated permissions within the app.
Role-based attacks are another way to abuse access controls, and they lead to vertical access control problems. Vertical means moving up in the app, raising your permissions to a higher level.
Commonly, web apps use role-based access control (RBAC): users are created and assigned roles that carry certain permissions, typically including admin and user. How the app verifies the authenticated user’s role