Web Security Risk: Missing Function Level Access Controls

Missing Function Level Access Control occurs when the authorization checks that should guard particular functions of a web application or web server are absent, usually because the developers did not think to apply access controls at every level. The resulting gaps let an attacker reach parts of the application, server or database, including administrative functions, without being entitled to them (tutorialspoint, 2018). Often the page that links to a function is hidden from ordinary users, but the function and the resources behind it are not themselves protected, so anyone who knows or guesses the request can invoke them (GBHackers, 2016).

Missing Function Level Access Control vulnerabilities are easy to exploit wherever they exist in a web application, server or service (OWASP, 2013). An attacker first looks for user interface elements, links or URL patterns that reveal the existence of privileged parts of the application; once those parts are known, several techniques can be tried against them (Hdiv, n. d.).

The simplest technique is forced browsing: typing the URL of a suspected administrative page directly into the browser. If that page performs no authorization check, the attacker now has the admin function. A second technique is a horizontal access attack: the attacker logs in as an ordinary user and then changes a parameter such as userID=oneUser in the URL to userID=anotherUser. Without a function level check that the requested record belongs to the caller, the attacker gains that other user's information and level of access in the application (Hdiv, n. d.). The same idea applies to any privileged function: if the attacker requests its URL and the server does not verify that the caller is authorized for it, the function executes (OWASP, 2013).

Exploiting these vulnerabilities requires nothing more than network access to the web service (OWASP, 2013): whenever the service is online, an attacker can attempt them.
The damage varies with what the unprotected function exposes: at best trivial information, at worst a takeover of the web service (Sarud, 2016). If the vulnerability or a resulting breach becomes public, the owner's reputation suffers as well (tutorialspoint, 2018). The attacker's motives shape the outcome, but the ceiling on damage is usually set by what the administrative users can see and do (tutorialspoint, 2018).

There are several steps to defend against missing function level access control. The first is to deny access by default and have the application verify, for every administrative page and privileged function, that the caller holds the privilege required (Hamit, 2014).
Another step is to test for the weakness with the same tactics attackers use: forced browsing (directly requesting the URLs of admin and privileged functions as an anonymous visitor and as an unprivileged user) and horizontal access attacks. This surfaces most of the exposed functions so they can be fixed (Sarud, 2016).
A further step is code review: analyse the code for the patterns by which authorization is handled, and once those patterns are understood and easy to spot, read through the admin and privileged functions looking for any that lack the authorization code (Sarud, 2016).
OWASP also recommends that the enforcement mechanism be consistent, easy to audit and easy to update, so that when a gap is found, or a new function is added, the fix is a change in one place rather than a hunt through every handler (OWASP, 2013).

A related measure is fail-safe authorization: if an error or exception occurs during the access control check, the request is denied and the user is logged out, rather than being let through to admin privileges, privileged functions or data (Guazzelli, 2016).
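Putting the attack techniques and the defences above together, as an added example that is not code from the original post or from any of the cited sources: a toy application modelled as plain Python functions, with a dispatcher that checks authentication only where the developer remembered and never checks authorization (the vulnerable pattern) beside one that denies by default, authorizes every route at a single enforcement point and fails closed. The forced browsing and horizontal access checks are the tests recommended above, runnable against both dispatchers. All routes, users, roles and session tokens are constructed for illustration.

```python
# Added example, not from the original post. Routes, users, roles and
# session tokens below are constructed for illustration only.

# Constructed sample state: logged-in sessions (token -> session) and per-user records.
SESSIONS = {
    "tok-alice": {"user": "alice", "role": "user"},
    "tok-bob": {"user": "bob", "role": "user"},
    "tok-root": {"user": "root", "role": "admin"},
}
PROFILES = {"alice": "alice@example.com", "bob": "bob@example.com"}


class Denied(Exception):
    """Raised for any request the server refuses."""


# --- Vulnerable pattern: handlers trust their input, authentication is per-route. ---

def view_profile(session, params):
    # Serves whatever userID the caller names: the horizontal access hole.
    return PROFILES[params["userID"]]

def admin_list_users(session, params):
    return sorted(PROFILES)

VULNERABLE_ROUTES = {"/account": view_profile, "/admin/users": admin_list_users}
LOGIN_REQUIRED = {"/account"}  # the developer forgot to list /admin/users

def vulnerable_dispatch(path, token, params):
    """Checks authentication only on routes the developer remembered, and
    never checks whether the authenticated user is authorized for the function."""
    handler = VULNERABLE_ROUTES.get(path)
    if handler is None:
        raise Denied("not found")
    session = SESSIONS.get(token)
    if path in LOGIN_REQUIRED and session is None:
        raise Denied("login required")
    return handler(session, params)


# --- Hardened pattern: deny by default, authorize centrally, fail closed. ---

def requires(*roles):
    """Declare which roles may invoke a handler. Undeclared handlers are denied."""
    def wrap(fn):
        fn.allowed_roles = frozenset(roles)
        return fn
    return wrap

@requires("user", "admin")
def view_own_profile(session, params):
    # Object-level check: ordinary users may only read their own record.
    target = params.get("userID", session["user"])
    if target != session["user"] and session["role"] != "admin":
        raise Denied("not your record")
    return PROFILES[target]

@requires("admin")
def admin_list_users_hardened(session, params):
    return sorted(PROFILES)

HARDENED_ROUTES = {"/account": view_own_profile, "/admin/users": admin_list_users_hardened}

def hardened_dispatch(path, token, params):
    """One enforcement point for every route: unknown path, missing session,
    undeclared handler or wrong role all end in Denied, and any unexpected
    exception raised during the check is also treated as a denial (fail closed)."""
    try:
        handler = HARDENED_ROUTES[path]      # KeyError -> denied
        session = SESSIONS[token]            # KeyError -> denied
        if session["role"] not in handler.allowed_roles:  # AttributeError if undecorated -> denied
            raise Denied("role not permitted")
        return handler(session, params)
    except Denied:
        raise
    except Exception as exc:
        raise Denied(f"fail-safe denial ({type(exc).__name__})") from exc


# --- The checks the text recommends: forced browsing and horizontal access. ---

def forced_browsing(dispatch, tokens=(None, "tok-alice"), paths=("/admin/users",)):
    """Request each privileged URL as an anonymous visitor and as an ordinary
    user; return the (token, path) pairs that were wrongly served."""
    leaks = []
    for token in tokens:
        for path in paths:
            try:
                dispatch(path, token, {})
                leaks.append((token, path))
            except Denied:
                pass
    return leaks

def horizontal_check(dispatch, token="tok-alice", victim="bob"):
    """Log in as one user, swap userID to another; True if the swap is served."""
    try:
        return dispatch("/account", token, {"userID": victim}) == PROFILES[victim]
    except Denied:
        return False
```

Run `forced_browsing(vulnerable_dispatch)` and `horizontal_check(vulnerable_dispatch)` to see both leaks, then the same two calls against `hardened_dispatch` to see them closed. The design point is that the hardened dispatcher has exactly one place where access is decided, the decision defaults to refusal (a route nobody annotated cannot be reached), and an exception inside the check can only make the answer "no".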

A further step is to avoid client-side authentication tokens where possible. If they must be used, they need cryptographic protection: integrity-checked so that the user cannot alter the claims they carry, and encrypted as well if their contents must stay hidden from the user. Every token must be verified by the server on each request, never simply decoded and accepted (Guazzelli, 2016).
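The token advice above, as an added example that is not from the original post or the cited source: a client-held token that merely encodes its claims can be rewritten by the user, while one bound with an HMAC (a keyed integrity tag; the key and the claims here are constructed) is rejected by the server the moment any claim changes. It also shows that integrity protection, not encryption by itself, is what stops manipulation.

```python
# Added example, not from the original post. Key and claims are constructed.
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key-do-not-use"  # assumption: held server-side only


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- Naive scheme: claims are merely encoded; encoding is not protection. ---

def naive_issue(claims: dict) -> str:
    return _b64e(json.dumps(claims, sort_keys=True).encode())

def naive_accept(token: str) -> dict:
    # Trusts whatever it decodes: the "accepted, not authenticated" mistake.
    return json.loads(_b64d(token))

def tamper_role(token: str, new_role: str = "admin") -> str:
    """What any user can do to an unprotected token: decode, edit, re-encode."""
    claims = json.loads(_b64d(token))
    claims["role"] = new_role
    return _b64e(json.dumps(claims, sort_keys=True).encode())


# --- Hardened scheme: HMAC-SHA256 over the payload, verified before any claim is read. ---

def signed_issue(claims: dict, key: bytes = SERVER_KEY) -> str:
    payload = _b64e(json.dumps(claims, sort_keys=True).encode())
    tag = _b64e(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{tag}"

def signed_verify(token: str, key: bytes = SERVER_KEY):
    """Return the claims only if the tag verifies (constant-time compare);
    any malformed or altered token yields None."""
    try:
        payload, tag = token.split(".")
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(tag)):
            return None
        return json.loads(_b64d(payload))
    except ValueError:  # bad split, bad base64 or bad JSON all fail closed
        return None

def tamper_signed_role(token: str, new_role: str = "admin") -> str:
    """Same edit against the signed token: payload changes, tag goes stale."""
    payload, tag = token.split(".")
    return f"{tamper_role(payload, new_role)}.{tag}"
```

The first recommendation in the text still stands: an opaque random session identifier looked up in server-side state carries no claims for the client to edit at all. Where claims must travel to the client, sign them as above (or use a vetted library whose signature verification is actually switched on), and add encryption only when the contents themselves are sensitive.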

In conclusion, Missing Function Level Access Control vulnerabilities are gaps in the authorization checks of web applications, web services and web servers that let attackers enter functions they are not entitled to use and take sensitive information. The result is stolen data and damage to the reputation of the service's owner. Attackers exploit these gaps by directly requesting the URLs of admin pages and privileged functions, or by changing user identifiers in requests. The useful defences are, first, to test for the gaps by requesting the privileged URLs as an anonymous visitor and as users who should not have access; then to review the code for the authorization checks and make sure they are applied to every function that needs one; then to deny access by default and let only authorized users through to the parts they need; and after that to avoid client-side tokens where possible and protect and verify them where not, to deny the request and log the user out when an error occurs in the check, and finally to keep the authorization code easy to update when a new gap is discovered. Together these steps minimise the likelihood of an attacker exploiting Missing Function Level Access Control vulnerabilities.

References

Guazzelli, L. (2016, November 3). A7 Missing Function Level Access Control. Retrieved from Pentaho Community Wiki: https://wiki.pentaho.com/display/PEOpen/A7+Missing+Function+Level+Access+Control
Hamit, J. (2014, March 20). Top Ten Web Security Risks: Missing Function Level Access Control (#7). Retrieved from Credera: https://www.credera.com/blog/technology-insights/open-source-technology-insights/top-ten-web-security-risks-missing-function-level-access-control-7/
Hdiv. (n. d.). Missing Function Level Access Control. Retrieved from Hdiv Security: https://hdivsecurity.com/owasp-missing-function-level-access-control
OWASP. (2013, June 15). Top 10 2013-A7-Missing Function Level Access Control. Retrieved from OWASP: https://www.owasp.org/index.php/Top_10_2013-A7-Missing_Function_Level_Access_Control
GBHackers on Security. (2016, November 29). A7 Missing Function Level Access Control. Retrieved from GBHackers on Security: https://gbhackers.com/a7-missing-function-level-access-control/
Sarud, L. (2016, July 13). OWASP TOP 10: Missing Function Level Access Control. Retrieved from Detectify blog.
tutorialspoint. (2018). Missing Function Level Access Control. Retrieved from tutorialspoint: https://www.tutorialspoint.com/security_testing/missing_function_level_access_control.html