Security Testing: A Concise Tutorial

Missing Function Level Access Control

Most of the web applications verify function level access rights before making that functionality accessible to the user. However, if the same access control checks are not performed on the server, hackers are able to penetrate into the application without proper authorization.

Let us understand the Threat Agents, Attack Vectors, Security Weakness, Technical Impact and Business Impact of this flaw with the help of a simple diagram.

[Diagram: Missing Function Level Access Control: threat agents, attack vectors, security weakness, technical and business impacts]

Example

Here is a classic example of Missing Function Level Access Control −

The hacker simply forces the target URLs. Usually admin access requires authentication; however, if the application does not verify access on the server, an unauthenticated user can reach the admin page.

' The URL below might be accessible to an authenticated user
http://website.com/app/standarduserpage

' A non-admin user is able to access the admin page without authorization.
http://website.com/app/admin_page

Hands On

Step 1 − Let us log in as account manager, first going through the list of users and their access privileges.

[Screenshot: list of users and their access privileges]

Step 2 − Upon trying various combinations, we find out that Larry has access to the account manager resource.

[Screenshot: Larry accessing the account manager resource]

Preventive Mechanisms

  1. The authentication mechanism should deny all access by default, and provide access to specific roles for every function.

  2. In a workflow based application, verify the users’ state before allowing them to access any resources.
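The following is an added example, not code from the tutorial: a minimal server-side request dispatcher that shows the flaw from the URL example above beside the deny-by-default, role-per-function check of preventive mechanism 1. The `User` type, the route table and the handler names are assumptions for illustration.

```python
# Added example (not from the tutorial). A toy server-side dispatcher:
# the vulnerable handler relies on the admin link being hidden from
# non-admins; the hardened handler checks a role table on every request.
from dataclasses import dataclass, field


@dataclass
class User:                      # assumed user model
    name: str
    roles: set = field(default_factory=set)


ANONYMOUS = User("anonymous")    # unauthenticated caller

# Every function maps to the roles allowed to call it. A path that is not
# listed here is denied outright (deny by default).
FUNCTION_ROLES = {
    "/app/standarduserpage": {"user", "admin"},
    "/app/admin_page": {"admin"},
}


def handle_vulnerable(path, user):
    """Vulnerable: only checks that the function exists, never who calls
    it, so forcing the admin URL succeeds for anyone."""
    if path in FUNCTION_ROLES:
        return 200, f"{path} served to {user.name}"
    return 404, "not found"


def handle_hardened(path, user):
    """Hardened: authorization is enforced on the server for every call."""
    allowed = FUNCTION_ROLES.get(path)
    if allowed is None:
        return 403, "forbidden"            # unknown function: deny by default
    if user is ANONYMOUS or not user.roles:
        return 401, "authentication required"
    if not (user.roles & allowed):
        return 403, "forbidden"            # authenticated but wrong role
    return 200, f"{path} served to {user.name}"


if __name__ == "__main__":
    larry = User("larry", {"user"})        # constructed sample users
    admin = User("alice", {"admin"})
    for handler in (handle_vulnerable, handle_hardened):
        for who in (ANONYMOUS, larry, admin):
            print(handler.__name__, who.name, handler("/app/admin_page", who))
```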