If you are not already familiar with the concept of Privilege Escalation, we suggest that you review the article entitled “What Is Privilege Escalation?”.
Detecting Privilege Escalation
The first step in determining whether an application contains Privilege Escalation vulnerabilities is to fully understand the different roles and permissions supported by the application. This can often be gleaned from the Requirements documentation (if available). You must clearly understand what different types of users are allowed to do, and conversely, what they are not permitted to do before you begin looking for exceptions.
A Privilege Escalation vulnerability is a failure of the application to properly enforce role/permission constraints, so discovering one is essentially a matter of negative testing: attempting to access features that should not be accessible, in anticipation of failure. Successfully accessing a “forbidden” feature represents a positive Privilege Escalation finding.
User Interface as Access Control
A common design mistake is to rely on the client interface to enforce access control. That is, to provide each role with only the controls appropriate to its permission level and to assume this will be sufficient to prevent access to higher permission levels. The challenge of detection, in this case, becomes finding a way to submit requests that are not supported by the user interface. Techniques for doing so include:
- In web-applications, submitting privileged HTTP Requests from a less privileged role and observing the response. This can be done by capturing the original (privileged) request in a web-proxy, and replaying it in a less privileged session. (Of course you will need to replay the session id and authentication tokens as the case may be).
- In thick clients, issuing privileged commands from a less privileged role and observing the server behavior. This can be done in a manner similar to the above with Wireshark: capturing the commands issued by the client, modifying them, and sending them to the server.
In each case, if the command or request is successful, it represents a Privilege Escalation vulnerability in the application.
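To make the negative test described above repeatable across every role and feature, here is an added example (not from this article or from Affinity IT Security) of an authorization-matrix test in Python. The endpoint names, roles, session tokens and the in-memory server stub are all constructed assumptions; the stub stands in for replaying captured requests through a proxy in a less privileged session.

```python
# Added example (not from the article): replay each request under every role
# and flag any request that succeeds for a role the requirements say must be denied.
# The in-memory "application" is constructed for illustration and stands in for
# the captured HTTP requests replayed through a proxy in a less privileged session.
from dataclasses import dataclass

# Requirements matrix (assumed for the demo): which roles may use each feature.
ALLOWED = {
    "GET /reports": {"user", "manager", "admin"},
    "POST /users/delete": {"admin"},
    "POST /salary/update": {"manager", "admin"},
}

@dataclass
class Session:
    token: str
    role: str

# Constructed session tokens, one per role.
SESSIONS = {s.token: s for s in (Session("tok-user", "user"),
                                 Session("tok-manager", "manager"),
                                 Session("tok-admin", "admin"))}

def handle(request: str, token: str) -> int:
    """Constructed server stub returning an HTTP-style status. /users/delete is
    deliberately enforced only by the UI (the button is hidden from non-admins),
    so the server accepts it from anyone holding a valid session."""
    session = SESSIONS.get(token)
    if session is None:
        return 401
    if request == "POST /users/delete":
        return 200  # missing server-side role check: the vulnerability under test
    return 200 if session.role in ALLOWED[request] else 403

def find_privilege_escalation(handler=handle) -> list[tuple[str, str]]:
    """Negative test: for every request, replay it under each role that must be
    denied; a success (status < 400) is a Privilege Escalation finding."""
    findings = []
    for request, allowed_roles in ALLOWED.items():
        for token, session in SESSIONS.items():
            if session.role in allowed_roles:
                continue  # permitted role: not a negative test case
            if handler(request, token) < 400:
                findings.append((request, session.role))
    return findings

if __name__ == "__main__":
    for request, role in find_privilege_escalation():
        print(f"FINDING: role '{role}' can {request}")
```

Against a real application, `handle` would be replaced by a function that sends the captured request with the chosen role's session cookie or token and returns the response status.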
For insights into avoiding and/or fixing Privilege Escalation vulnerabilities, please see the article entitled “How To Prevent Privilege Escalation”.
About Affinity IT Security
We hope you found this article to be useful. Affinity IT Security is available to help you with your security testing and train your developers and testers. In fact, we train developers and IT staff how to hack applications and networks.
Perhaps it was a network scan or website vulnerability test that brought you here. If so, you are likely researching how to find, fix, or avoid a particular vulnerability. We urge you to be proactive and ensure that key individuals in your organization understand not only this issue, but also are more broadly aware of application security.
Contact us to learn how to better protect your enterprise.
Although every effort has been made to provide the most useful and highest quality information, it is unfortunate but inevitable that some errors, omissions, and typographical mistakes will appear in these articles. Consequently, Affinity IT Security will not be responsible for any loss or damages resulting directly or indirectly from any error, misunderstanding, software defect, example, or misuse of any content herein.