03 Apr, 2023

Authorization bypass through URL manipulation

Authorization bypass through URL manipulation refers to a security vulnerability in web applications where an attacker can manipulate the URL parameters to bypass the authentication and authorization mechanisms of the application. By manipulating the URL parameters, an attacker can gain unauthorized access to restricted areas or perform actions that are only allowed for authorized users. This type of vulnerability can occur in various web applications and can lead to serious security breaches if not addressed properly.

Example of vulnerable code in different programming languages:

• in PHP:

    if ($_SESSION['user_id'] == $_GET['user_id']) {
        // Display sensitive information for user
    }

In this code, the user ID is taken from the URL parameter user_id and compared to the user ID stored in the session. If an attacker changes the user_id parameter in the URL to match that of another user, they can gain unauthorized access to sensitive information.

• in Java:

    if (request.getParameter("user_id").equals(session.getAttribute("user_id"))) {
        // Display sensitive information for user
    }

This code is similar to the PHP example above, but in Java. It takes the user_id parameter from the request and compares it to the user ID stored in the session. Again, an attacker can change the user_id parameter in the URL to gain unauthorized access.

• in Python:

    from flask import request, session  # Flask-style request and session objects

    if request.args.get('user_id') == session['user_id']:
        # Display sensitive information for user
        pass

In this Python code, the user_id parameter is taken from the request arguments and compared to the user ID stored in the session. As with the previous examples, an attacker can manipulate the user_id parameter in the URL to bypass authorization.
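The three snippets above gate only the comparison; what decides whose data is shown is the lookup that follows it. The following Python, an added example that is not from the original article, makes that explicit with a vulnerable handler that keys the lookup on the URL parameter and a hardened one that takes the identity from the session and checks ownership or role server-side. `Request`, `Session` and the `USERS` store are constructed stand-ins for a framework's request and session objects.

```python
from dataclasses import dataclass, field

# Constructed sample data store: user id -> profile record (not real users).
USERS = {
    1: {"role": "admin", "email": "alice@example.invalid"},
    2: {"role": "user", "email": "bob@example.invalid"},
}


class Forbidden(Exception):
    """Raised when the server-side policy denies the request."""


@dataclass
class Request:
    args: dict = field(default_factory=dict)  # query string: attacker-controlled


@dataclass
class Session:
    user_id: int  # bound at login; lives server-side, so the client cannot edit it
    role: str


def vulnerable_profile(request: Request, session: Session) -> dict:
    """The article's pattern made explicit: the URL value selects the record.

    Any user who rewrites /dashboard?user_id=2 to ?user_id=1 is shown user 1's
    record, because nothing ties the requested id to the session identity.
    """
    target = int(request.args.get("user_id", session.user_id))
    return USERS[target]


def authorize(session: Session, target_user_id: int) -> None:
    """Server-side decision: the owner of the record or an admin, nobody else."""
    if target_user_id == session.user_id or session.role == "admin":
        return
    raise Forbidden(f"user {session.user_id} may not access user {target_user_id}")


def hardened_profile(request: Request, session: Session) -> dict:
    """Identity comes from the session; a URL id is honoured only after authorize()."""
    raw = request.args.get("user_id")
    if raw is None:
        target = session.user_id  # default to the caller's own record
    else:
        try:
            target = int(raw)
        except ValueError:
            raise Forbidden("malformed user_id")
    authorize(session, target)  # deny before touching the data
    record = USERS.get(target)
    if record is None:
        raise Forbidden("no such user")  # same outcome as denial: no id enumeration
    return record


def is_denied(request: Request, session: Session) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        hardened_profile(request, session)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # Constructed scenario from the article: user 2 tampers with ?user_id=1.
    bob = Session(user_id=2, role="user")
    tampered = Request(args={"user_id": "1"})
    print("vulnerable:", vulnerable_profile(tampered, bob))  # user 1's record leaks
    print("hardened denied:", is_denied(tampered, bob))       # True
```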

Examples of exploiting Authorization bypass through URL manipulation

Accessing Restricted Pages:

Suppose there is a web application that requires users to log in to access certain pages or resources. If an attacker is able to bypass the authentication and authorization checks by manipulating the URL, they can access the restricted pages or resources without logging in. For example, if the URL for a restricted page is https://example.com/dashboard, an attacker could change the URL to https://example.com/dashboard?user_id=1 to bypass the authorization check and access the dashboard for user ID 1.

Modifying Data:

If a web application allows users to modify data through a form or API, an attacker could manipulate the URL to modify data that they are not authorized to modify. For example, if the URL for an API to update a user’s email address is https://example.com/api/user/update_email, an attacker could change the URL to https://example.com/api/user/update_email?user_id=1&[email protected] to update the email address for user ID 1 without proper authorization.

Performing Unauthorized Actions:

An attacker could also use URL manipulation to perform actions that are only allowed for authorized users, such as changing their password or deleting their account. For example, if the URL for changing a user’s password is https://example.com/account/change_password, an attacker could change the URL to https://example.com/account/change_password?user_id=1&password=newpassword to change the password for user ID 1 without proper authorization.

Privilege escalation techniques for Authorization bypass through URL manipulation

Tampering with Session Variables:

One technique is to tamper with session variables in order to elevate the attacker’s privileges. For example, an attacker could modify the session variable that stores the user’s role from “regular user” to “admin,” granting the attacker access to privileged functions or information.

Using Known Vulnerabilities:

Another technique is to use known vulnerabilities in the application or system to escalate privileges. For example, an attacker could use an SQL injection vulnerability to gain access to an administrative account and then modify the user’s privileges to grant themselves administrative access.

Brute-Forcing Credentials:

An attacker could also attempt to brute-force credentials to gain access to a privileged account. For example, if the application uses weak passwords or allows unlimited login attempts, the attacker could use a script to try a large number of username/password combinations until they find one that works.

Exploiting Logic Flaws:

An attacker could also exploit logic flaws in the application to gain higher-level access. For example, if the application allows users to modify their own user profile information, an attacker could modify their profile to grant themselves additional privileges or access.

Bypassing Security Controls:

Finally, an attacker could attempt to bypass security controls or access control checks in the application to escalate their privileges. This could involve techniques such as URL manipulation or exploiting vulnerabilities in the application code to bypass authentication and authorization checks.

General methodology and checklist for Authorization bypass through URL manipulation

Methodology:

  1. Determine which areas of the application or which functions require proper authorization and access control. This could include pages or resources that are only available to authenticated users, or functions that require specific permissions or roles.

  2. Identify the parameters and values used in the authentication and authorization process. This could include session variables, cookies, tokens, or other data used to authenticate and authorize users.

  3. Once you have identified the parameters used in the authentication and authorization process, modify them in the URL to see if it is possible to bypass the access controls. For example, try changing the user ID or role in the URL to see if you can access unauthorized data or functionality.

  4. Analyze the results of your tests to see if you were able to bypass the access controls and gain unauthorized access or privileges. Take note of any error messages, unexpected behavior, or other indicators that suggest you were able to bypass the access controls.

  5. Report any vulnerabilities or issues you find to the development team and work with them to fix the issues. Make sure to provide clear steps to reproduce the issue and any additional information that could help the team fix the issue.

  6. After the issues have been fixed, retest the application to make sure the vulnerabilities have been properly addressed and that the access controls are working as intended.

Checklist:

  1. Determine how the application handles authentication and authorization, including the use of session cookies, tokens, user roles, and other factors.

  2. Identify the resources that are protected by the authentication and authorization mechanisms, such as restricted pages, forms, or other functionality.

  3. Identify the parameters used in the authentication and authorization process, such as user ID, user role, session ID, and other relevant factors.

  4. Modify the parameters in the URL to see if it is possible to bypass the access controls and gain unauthorized access to protected resources. Try changing the user ID, user role, session ID, and other relevant parameters.

  5. Test for vertical privilege escalation by modifying parameters in the URL to grant higher levels of access or permissions than are authorized for the current user.

  6. Test for horizontal privilege escalation by modifying parameters in the URL to access data or functionality that belongs to other users or roles.

  7. Test for parameter tampering by modifying parameters in the URL to see if it is possible to manipulate the application behavior or access protected resources in unexpected ways.

  8. Analyze the results of the tests to see if it is possible to bypass the authentication and authorization mechanisms, gain unauthorized access to protected resources, or manipulate the application behavior in unexpected ways.

  9. Report any vulnerabilities or issues you find to the development team and work with them to fix the issues. Make sure to provide clear steps to reproduce the issue and any additional information that could help the team fix the issue.

  10. After the issues have been fixed, retest the application to make sure the vulnerabilities have been properly addressed and that the access controls are working as intended.

Tool set for exploiting Authorization bypass through URL manipulation

Manual tools:

  • Burp Suite: A proxy-based tool that allows you to intercept and modify HTTP requests and responses, Burp Suite can be used to test for authorization bypass through URL manipulation by modifying request parameters.

  • OWASP ZAP: Similar to Burp Suite, OWASP ZAP is a proxy-based tool that allows you to intercept and modify HTTP requests and responses. It has features that help automate the process of testing for authorization bypass through URL manipulation.

  • Fiddler: A web debugging proxy tool that allows you to inspect and modify HTTP traffic, Fiddler can be used to test for authorization bypass through URL manipulation by modifying request parameters.

  • Postman: A popular API testing tool that allows you to send HTTP requests and inspect the responses. Postman can be used to test for authorization bypass through URL manipulation by modifying request parameters.

  • HTTPie: A command-line HTTP client that allows you to send HTTP requests and inspect the responses. HTTPie can be used to test for authorization bypass through URL manipulation by modifying request parameters.

  • Curl: Another command-line tool for sending HTTP requests, Curl can be used to test for authorization bypass through URL manipulation by modifying request parameters.

  • Insomnia: A popular REST client that allows you to send HTTP requests and inspect the responses. Insomnia can be used to test for authorization bypass through URL manipulation by modifying request parameters.

  • Paw: A Mac-based HTTP client that allows you to send HTTP requests and inspect the responses. Paw can be used to test for authorization bypass through URL manipulation by modifying request parameters.

  • HTTP Toolkit: A cross-platform proxy tool that allows you to intercept and modify HTTP requests and responses. HTTP Toolkit can be used to test for authorization bypass through URL manipulation by modifying request parameters.

  • Firefox Tamper Data: A browser add-on that allows you to intercept and modify HTTP requests and responses. Tamper Data can be used to test for authorization bypass through URL manipulation by modifying request parameters.

Automated tools:

  • Netsparker: A web application security scanner that can automatically test for authorization bypass through URL manipulation by sending a range of payloads and analyzing the responses.

  • Acunetix: Another web application security scanner that can automatically test for authorization bypass through URL manipulation by sending a range of payloads and analyzing the responses.

  • AppScan: A web application security scanner from IBM, AppScan can automatically test for authorization bypass through URL manipulation by sending a range of payloads and analyzing the responses.

  • Qualys: A cloud-based security and compliance platform, Qualys can automatically test for authorization bypass through URL manipulation by sending a range of payloads and analyzing the responses.

  • Zed Attack Proxy (ZAP): An open-source web application security scanner that can automatically test for authorization bypass through URL manipulation by sending a range of payloads and analyzing the responses.

  • Nikto: A web server scanner that can automatically test for authorization bypass through URL manipulation by sending a range of payloads and analyzing the responses.

  • Arachni: A Ruby-based web application security scanner that can automatically test for authorization bypass through URL manipulation by sending a range of payloads and analyzing the responses.

  • Skipfish: An automated web application security scanner that can automatically test for authorization bypass through URL manipulation by sending a range of payloads and analyzing the responses.

  • OpenVAS: A network vulnerability scanner that can also test for web application vulnerabilities, including authorization bypass through URL manipulation.

  • Metasploit: An open-source penetration testing framework

  • Wapiti: A web application security scanner that can automatically test for authorization bypass through URL manipulation by sending a range of payloads and analyzing the responses.

  • Golismero: An open-source security auditing tool that can perform web application scanning and test for authorization bypass through URL manipulation.

  • Grendel-Scan: A web application security scanner that can automatically test for authorization bypass through URL manipulation by sending a range of payloads and analyzing the responses.

  • WebReaver: A web application security testing tool that can automatically test for authorization bypass through URL manipulation by sending a range of payloads and analyzing the responses.

  • WebScarab: A Java-based proxy tool that can be used to test for authorization bypass through URL manipulation by modifying request parameters.

  • Tamper Chrome: A browser extension that allows you to intercept and modify HTTP requests and responses. Tamper Chrome can be used to test for authorization bypass through URL manipulation by modifying request parameters.

  • IronWASP: A web application security testing tool that can automatically test for authorization bypass through URL manipulation by sending a range of payloads and analyzing the responses.

  • Havij: An automated SQL injection tool that can also test for authorization bypass through URL manipulation.

  • sqlmap: Another automated SQL injection tool that can also test for authorization bypass through URL manipulation.

Average CVSS score of Authorization bypass through URL manipulation

The CVSS (Common Vulnerability Scoring System) score for an authorization bypass vulnerability can vary widely depending on the specifics of the vulnerability and its impact on the affected system. However, in general, an authorization bypass through URL manipulation vulnerability can be considered a high-severity vulnerability, as it allows an attacker to gain access to restricted resources or perform actions they are not authorized to perform. The CVSS score for such a vulnerability is likely to be at least in the range of 7 to 9 out of 10, indicating a high level of risk and impact. However, it is important to note that each vulnerability should be assessed on a case-by-case basis to determine its specific CVSS score.

The Common Weakness Enumeration (CWE)

• CWE-285: Improper Authorization: This CWE category covers vulnerabilities that allow an attacker to bypass the access controls in a system, such as authorization checks based on URL parameters.

• CWE-319: Cleartext Transmission of Sensitive Information: This category covers vulnerabilities that occur when sensitive information, such as authentication tokens or credentials, is transmitted over an unencrypted channel.

• CWE-352: Cross-Site Request Forgery (CSRF): This category covers vulnerabilities that allow an attacker to trick a victim into performing an action they did not intend to perform, such as changing their password or making a purchase, by exploiting a vulnerability in the system’s authorization mechanism.

• CWE-359: Exposure of Private Information (‘Privacy Violation’): This category covers vulnerabilities that result in the exposure of sensitive or private information, such as user account information, that should not be accessible to unauthorized users.

• CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’): This category covers vulnerabilities that allow an attacker to redirect a user to a malicious website by modifying the URL of a legitimate website.

• CWE-611: Improper Restriction of XML External Entity Reference: This category covers vulnerabilities that allow an attacker to read sensitive files or execute arbitrary code by exploiting an XML parsing vulnerability.

• CWE-620: Unverified Password Change: This category covers vulnerabilities that allow an attacker to change a user’s password without proper authentication or authorization.

• CWE-863: Incorrect Authorization: This category covers vulnerabilities that occur when the system’s authorization mechanism is incorrectly implemented or configured, allowing unauthorized access to protected resources.

• CWE-935: Improper Certificate Validation: This category covers vulnerabilities that occur when a system does not properly validate SSL/TLS certificates, allowing an attacker to perform a man-in-the-middle attack or intercept sensitive information.

• CWE-942: Overly Permissive Cross-domain Whitelist: This category covers vulnerabilities that occur when a system’s cross-domain policy is too permissive, allowing unauthorized access to protected resources across different domains.

Top 10 CVEs related to Authorization bypass through URL manipulation

• CVE-2022-4281 – A vulnerability has been found in Facepay 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /face-recognition-php/facepay-master/camera.php. The manipulation of the argument userId leads to authorization bypass. The attack can be launched remotely. The identifier VDB-214789 was assigned to this vulnerability.

• CVE-2022-3876 – A vulnerability, which was classified as problematic, has been found in Click Studios Passwordstate and Passwordstate Browser Extension Chrome. This issue affects some unknown processing of the file /api/browserextension/UpdatePassword/ of the component API. The manipulation of the argument PasswordID leads to authorization bypass. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. The identifier VDB-216245 was assigned to this vulnerability.

• CVE-2022-36785 – D-Link – G integrated Access Device4 Information Disclosure & Authorization Bypass. *Information Disclosure – file contains a URL with private IP at line 15 “login.asp” A. The window.location.href = http://192.168.1.1/setupWizard.asp” http://192.168.1.1/setupWizard.asp” ; “admin” – contains default username value “login.asp” B. While accessing the web interface, the login form at *Authorization Bypass – URL by “setupWizard.asp’ while it blocks direct access to – the web interface does not properly validate user identity variables values located at the client side, it is available to access it without a “login_glag” and “login_status” checking browser and to read the admin user credentials for the web interface.

• CVE-2022-25237 – Bonita Web 2021.2 is affected by a authentication/authorization bypass vulnerability due to an overly broad exclude pattern used in the RestAPIAuthorizationFilter. By appending ;i18ntranslation or /../i18ntranslation/ to the end of a URL, users with no privileges can access privileged API endpoints. This can lead to remote code execution by abusing the privileged API actions.

• CVE-2022-0691 – Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.

• CVE-2022-0686 – Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.

• CVE-2022-0639 – Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7.

• CVE-2022-0512 – Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.

• CVE-2020-3522 – A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) Software could allow an authenticated, remote attacker to bypass authorization on an affected device and access sensitive information that is related to the device. The vulnerability exists because the affected software allows users to access resources that are intended for administrators only. An attacker could exploit this vulnerability by submitting a crafted URL to an affected device. A successful exploit could allow the attacker to add, delete, and edit certain network configurations in the same manner as a user with administrative privileges.

• CVE-2020-15487 – Re:Desk 2.3 contains a blind unauthenticated SQL injection vulnerability in the getBaseCriteria() function in the protected/models/Ticket.php file. By modifying the folder GET parameter, it is possible to execute arbitrary SQL statements via a crafted URL. Unauthenticated remote command execution is possible by using this SQL injection to update certain database values, which are then executed by a bizRule eval() function in the yii/framework/web/auth/CAuthManager.php file. Resultant authorization bypass is also possible, by recovering or modifying password hashes and password reset tokens, allowing for administrative privileges to be obtained.

Practicing testing for Authorization bypass through URL manipulation

Ensure that you have obtained explicit permission from the system owner or administrator before conducting any testing.

Clearly define the scope of the testing, including the target system or application, the types of tests that will be conducted, and any restrictions or limitations that apply.

Use separate test environments to conduct your testing, rather than testing on live systems or production environments. This will help prevent any unintended consequences or harm to live systems.

Use automated tools to conduct initial scans and identify potential vulnerabilities. However, be sure to follow up with manual testing to validate any identified vulnerabilities.

Adhere to ethical guidelines for testing, such as the OWASP testing guide, and avoid any activities that could cause harm or disrupt the system.

Document your findings in detail, including the steps you took to identify and exploit any vulnerabilities. This will help the system owner or administrator to better understand the risks and prioritize remediation efforts.

Report any identified vulnerabilities to the system owner or administrator in a responsible and timely manner, and work with them to address and remediate the issue.

Resources for studying Authorization bypass through URL manipulation

OWASP Top 10: The Open Web Application Security Project (OWASP) is a community-driven organization that provides resources and guidance for web application security. The OWASP Top 10 is a list of the most critical web application security risks, which includes Authorization bypass through URL manipulation. The OWASP website provides detailed information on each of the risks, as well as guidance on how to prevent and mitigate them.

CWE: The Common Weakness Enumeration (CWE) is a list of common software security weaknesses, including those related to Authorization bypass through URL manipulation. The CWE website provides detailed descriptions of each weakness, as well as guidance on how to prevent and mitigate them.

Web application security testing tools: There are many web application security testing tools available, both open source and commercial, that can be used to test for Authorization bypass through URL manipulation vulnerabilities. Some popular tools include Burp Suite, OWASP ZAP, and Acunetix.

Online courses and tutorials: There are many online courses and tutorials available that cover web application security, including Authorization bypass through URL manipulation. Some popular platforms that offer these courses include Udemy, Coursera, and Pluralsight.

Books: There are many books available that cover web application security, including Authorization bypass through URL manipulation. Some popular titles include “Web Application Security: A Beginner’s Guide” by Bryan Sullivan and Vincent Liu, and “The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws” by Dafydd Stuttard and Marcus Pinto.

Books that review Authorization bypass through URL manipulation

The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws by Dafydd Stuttard and Marcus Pinto: This book provides a comprehensive guide to web application security, including techniques for identifying and exploiting vulnerabilities such as Authorization bypass through URL manipulation.

Web Application Security: A Beginner’s Guide by Bryan Sullivan and Vincent Liu: This book provides an introduction to web application security, including common vulnerabilities and best practices for mitigating them.

Mastering Modern Web Penetration Testing by Prakhar Prasad: This book covers advanced web application penetration testing techniques, including exploiting vulnerabilities such as Authorization bypass through URL manipulation.

Hacking Web Applications: Hacking Exposed by Joel Scambray, Vincent Liu, and Caleb Sima: This book provides a detailed guide to web application security, including techniques for identifying and exploiting vulnerabilities such as Authorization bypass through URL manipulation.

Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman: This book provides a practical guide to penetration testing, including techniques for identifying and exploiting web application vulnerabilities such as Authorization bypass through URL manipulation.

The Basics of Web Hacking: Tools and Techniques to Attack the Web by Josh Pauli: This book provides an introduction to web hacking, including techniques for identifying and exploiting vulnerabilities such as Authorization bypass through URL manipulation.

Black Hat Python: Python Programming for Hackers and Pentesters by Justin Seitz: This book provides a guide to using the Python programming language for web application penetration testing, including techniques for identifying and exploiting vulnerabilities such as Authorization bypass through URL manipulation.

Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast by Paco Hope and Ben Walther: This book provides a collection of recipes for web application security testing, including techniques for identifying and exploiting vulnerabilities such as Authorization bypass through URL manipulation.

Gray Hat Hacking: The Ethical Hacker’s Handbook by Allen Harper, Daniel Regalado, and Ryan Linn: This book provides a guide to ethical hacking, including techniques for identifying and exploiting web application vulnerabilities such as Authorization bypass through URL manipulation.

The Tangled Web: A Guide to Securing Modern Web Applications by Michal Zalewski: This book provides an in-depth guide to web application security, including techniques for identifying and mitigating vulnerabilities such as Authorization bypass through URL manipulation.

List of payloads for Authorization bypass through URL manipulation

  1. /admin/
  2. /administrator/
  3. /login.php
  4. /login.aspx
  5. /login.jsp
  6. /dashboard/
  7. /account/
  8. /wp-admin/
  9. /user/
  10. /profile/
  11. /edit/
  12. /delete/
  13. /add/
  14. /modify/
  15. /upload/
  16. /backup/
  17. /restore/
  18. /reset/
  19. /change_password/
  20. /forgot_password/

How to be protected from Authorization bypass through URL manipulation

  1. Use strong authentication mechanisms such as two-factor authentication, strong passwords, and multi-factor authentication to make it harder for attackers to bypass authorization through URL manipulation.

  2. Implement secure session management practices such as using secure cookies, enforcing session timeouts, and using encrypted connections to help prevent session hijacking.

  3. Implement access control mechanisms to ensure that users can only access the resources they are authorized to access. Use roles and permissions to enforce access control and limit user access to sensitive resources.

  4. Validate user input on both the client and server side to prevent attacks such as injection attacks that could be used to bypass authorization.

  5. Use web application firewalls to help detect and prevent attacks that could be used to bypass authorization through URL manipulation.

  6. Keep all software up to date and apply security patches as soon as they become available to help prevent known vulnerabilities from being exploited.

  7. Conduct regular security testing, including vulnerability assessments and penetration testing, to identify and remediate vulnerabilities before they can be exploited.

  8. Educate employees on best security practices and ensure that they are aware of the risks associated with authorization bypass through URL manipulation. Encourage them to report any suspicious activity or potential security breaches.
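Item 5 above asks for detection of the tampering that the exploitation examples describe (a changed user_id on /dashboard or on /account/change_password). The following Python is an added example, not code from the original article: it runs two simple detection rules over constructed access-log lines and assumes a log format in which the application records the authenticated user id (uid=) and role (role=) with each request.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (not real traffic). Assumed format, one request per line:
#   <timestamp> sid=<session> uid=<authenticated user id> role=<role> <method> <url> <status>
SAMPLE_LOG = """\
2023-04-03T10:00:01Z sid=s1 uid=2 role=user GET /dashboard?user_id=2 200
2023-04-03T10:00:05Z sid=s1 uid=2 role=user GET /dashboard?user_id=1 200
2023-04-03T10:00:06Z sid=s1 uid=2 role=user GET /dashboard?user_id=3 200
2023-04-03T10:00:07Z sid=s1 uid=2 role=user GET /dashboard?user_id=4 403
2023-04-03T10:00:08Z sid=s1 uid=2 role=user POST /account/change_password?user_id=1&password=x 200
2023-04-03T10:01:00Z sid=s2 uid=1 role=admin GET /dashboard?user_id=2 200
2023-04-03T10:02:00Z sid=s3 uid=3 role=user GET /profile/ 200
"""

ENUM_THRESHOLD = 3  # distinct foreign user_id values in one session before flagging
# Endpoints the article names as targets of unauthorized modification.
SENSITIVE_PATHS = {"/account/change_password", "/api/user/update_email"}


def parse_line(line: str) -> dict:
    """Split one log line into fields; user_id is read from the query string, if any."""
    ts, sid, uid, role, method, url, status = line.split()
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    return {
        "ts": ts,
        "sid": sid.split("=", 1)[1],
        "uid": uid.split("=", 1)[1],
        "role": role.split("=", 1)[1],
        "method": method,
        "path": parts.path,
        "user_id": query.get("user_id", [None])[0],
        "status": int(status),
    }


def detect(log_text: str) -> list:
    """Return (rule, session id, detail) tuples for user_id tampering patterns."""
    findings = []
    foreign_ids = defaultdict(set)  # session id -> other users' ids it asked for
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        # No user_id parameter, or the caller's own id: nothing to flag.
        if ev["user_id"] is None or ev["user_id"] == ev["uid"]:
            continue
        # Admins legitimately act on other users; a non-admin should never succeed.
        if ev["role"] == "admin":
            continue
        foreign_ids[ev["sid"]].add(ev["user_id"])  # every attempt counts, served or not
        if 200 <= ev["status"] < 300:
            rule = ("sensitive_action_on_other_user" if ev["path"] in SENSITIVE_PATHS
                    else "foreign_user_id_served")
            detail = f"uid={ev['uid']} {ev['method']} {ev['path']} user_id={ev['user_id']}"
            findings.append((rule, ev["sid"], detail))
    # One session walking through many user_id values is enumeration, even when denied.
    for sid, ids in foreign_ids.items():
        if len(ids) >= ENUM_THRESHOLD:
            findings.append(("user_id_enumeration", sid, f"{len(ids)} distinct foreign ids"))
    return findings


if __name__ == "__main__":
    for rule, sid, detail in detect(SAMPLE_LOG):
        print(f"{rule:32} session={sid} {detail}")
```

A served request with a foreign id is evidence that the access control failed, while denied attempts still feed the enumeration rule, so both a broken check and probing against a working one surface.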

Conclusion

Authorization bypass through URL manipulation is a serious security vulnerability that allows attackers to gain unauthorized access to sensitive resources. It is a prevalent issue in web applications that fail to properly validate user input and implement access controls.

To prevent Authorization bypass through URL manipulation attacks, it is important to implement strong authentication mechanisms, access control mechanisms, and secure session management practices. Additionally, regular security testing and employee training can help identify and remediate vulnerabilities before they can be exploited.
