Insecure Authorization Restriction
Insecure Authorization Restriction
Description
Insecure Authorization Restriction refers to weaknesses in server-side restrictions that can be exploited through HTTP request manipulation techniques. This vulnerability allows attackers to bypass access controls, leading to unauthorized access to resources, privilege escalation, and allowing unauthorized users to retrieve, create, update, or delete sensitive data.
Targeting Insecure Authorization Restrictions on a web server, for example, would involve these techniques:
- HTTP Request Method fuzzing: Testing invalid, malformed, or unexpected HTTP methods on the server.
- HTTP Request Path fuzzing: Manipulating the HTTP request path by deforming it, adding to it, or subtracting from it.
- HTTP Request Query Parameter fuzzing: Adding, removing, or changing the original query parameters.
- HTTP Request Header fuzzing: Adding familiar headers, removing headers, or adding proxy headers.
All these techniques target defects, vulnerabilities, or mistakes in a server's logic.
```python import requests
response = requests.get("http://www.some-url.com/unauthorized_path")
'''if we have some unauthorized path that gets us a 403 code,
we can try something like adding a query parameter like "debug=true" to see if we can
trick the server by exploiting some mistake.'''
response = requests.get("http://www.some-url.com/unauthorized_path?debug=true")
'''Might get us the resource we want''
Recommendation
Organizations should implement proper access controls and enforce strict validation of HTTP requests to mitigate the risk of insecure authorization restriction HTTP vulnerabilities. This involves having robust server-side logic to manage rules over the HTTP methods, headers, query parameters, and paths received.
Here are some recommendations:
- Limit HTTP Methods: Restrict which HTTP methods can access each of your views/resources.
- Sanitize Query Parameters: Sanitize each request's query parameters and ensure only a limited set of parameters can affect the server's logic.
- Limit Headers: Restrict which headers can affect your code. Use strict rules on what header/method combinations can make changes on the server side, and ensure your logic does not rely on header values that can be easily found on the internet (like Google's User-Agent).
- Robust Path Parsing: Implement robust path parsing with strict rules and reject requests that do not conform to your standards.
```python # allow only GET and POST methods for this route @app.route('/limiting_method_usage', methods=['GET', 'POST']) def limiting_method_usage(): if request.method == 'GET': return jsonify({"message": "This is a GET request"}) elif request.method == 'POST': data = request.json return jsonify({"message": "This is a POST request", "data": data}) # only use headers you expect @app.route('/limiting_header_values') def limiting_header_values(): expected_header = request.headers.get('Expected-Header') ### logic depending on the expected header
Links
Standards
- OWASP_ASVS_L1:
- V4_1_1
- V4_1_2
- V4_1_3
- V4_1_5
- V5_1_1
- V5_1_2
- V5_1_3
- V5_1_4
- V5_2_2
- OWASP_ASVS_L2:
- V4_1_1
- V4_1_2
- V4_1_3
- V4_1_5
- V5_1_1
- V5_1_2
- V5_1_3
- V5_1_4
- V5_2_2
- OWASP_ASVS_L3:
- V4_1_1
- V4_1_2
- V4_1_3
- V4_1_5
- V5_1_1
- V5_1_2
- V5_1_3
- V5_1_4
- V5_2_2
- PCI_STANDARDS:
- REQ_2_2