28 Feb, 2023

Authorization Bypass Through User-Controlled Key

What is Authorization bypass? 

Authorization bypass is a type of security vulnerability where an attacker is able to gain unauthorized access to a system or resource without proper authentication or authorization.

One simple example of authorization bypass is when a user is able to access a protected resource without providing the required credentials or permissions. For instance, imagine a web application that requires a user to log in before accessing their account dashboard. If the application does not properly validate the user’s credentials, an attacker could potentially bypass the login screen and gain access to the dashboard by exploiting a vulnerability in the authentication process.

Another example of authorization bypass is when an attacker is able to escalate their privileges within a system or application. For instance, imagine a user who has limited access to certain functions within an application. If an attacker is able to exploit a vulnerability in the application’s authorization mechanism, they may be able to gain administrative privileges and perform actions that are normally restricted to authorized personnel only.

Authorization bypass is a serious security issue that can have significant consequences, including data theft, data manipulation, and unauthorized access to critical systems and resources. 

What is user-controlled key?

A user-controlled key is a type of cryptographic key that is generated, managed, or provided by a user or an application user interface, rather than being generated or managed by the system or application itself. In other words, the user has control over the key, which can be used for encryption, decryption, or authentication purposes.

For example, in a password-based authentication system, the user may enter a passphrase or password, which is then used to derive a cryptographic key that is used for encryption and decryption. Similarly, in a file encryption application, the user may generate a key or choose an existing key from a list of keys, which is then used to encrypt or decrypt the file. In most cases, user-controlled key is a hashed password.

How an attacker gains access to the user-controlled key?

If there are vulnerabilities in the process used to generate user-controlled keys, attackers may be able to exploit these vulnerabilities to generate or guess the key.

If an attacker gains access to the user’s device or account, they may be able to steal the user-controlled key directly, either by extracting it from the device or by accessing the key storage location.

Intercepting the key during transmission. If the key is transmitted over an insecure network or communication channel, attackers may be able to intercept the key and use it to gain unauthorized access.

If the key is not strong enough or has a limited key space, attackers may be able to brute-force the key by trying a large number of possible key values until they find the correct one.

Attackers may use social engineering tactics to trick the user into revealing their key or entering it into a phishing website or fake login page.

The main features of Authorization bypass through user-controlled key

Is a type of security vulnerability that occurs when an application relies on user-controlled input to authorize access to a resource, and the user is able to manipulate the key used for authorization in a way that allows them to bypass the intended access controls.

For example, consider a web application that stores user data in a database, and uses a session token to authenticate users and restrict access to their data. If the application relies solely on the session token for authorization, and does not verify that the token belongs to the user making the request, an attacker may be able to bypass the authorization checks by manipulating the session token to match that of another user.

Similarly, if an application uses a cryptographic key to authorize access to a resource, and the key is generated or managed in a way that allows users to manipulate it, an attacker may be able to create their own key that grants them unauthorized access.

How it works 

One of the most common examples of flaws in authorization bypass through user-controlled key vulnerability is in web application authentication and session management. Attackers can exploit vulnerabilities in the authentication and session management mechanisms of web applications to bypass access controls and gain unauthorized access to resources.

For example, if a web application relies solely on a session cookie for authentication and does not perform proper validation or verification, an attacker can hijack the user’s session and gain unauthorized access to the application. Similarly, if a web application uses a weak cryptographic algorithm to generate session tokens or authentication keys, an attacker can use brute-force attacks to guess the keys and gain access to the application.

Another example is in IoT devices, where the use of weak or predictable keys can allow attackers to bypass authentication and access control mechanisms. For example, many IoT devices use default or hardcoded keys, which can be easily guessed or extracted by attackers, allowing them to gain access to the device and its resources.

In addition, mobile applications can also be vulnerable to authorization bypass through user-controlled key vulnerabilities. For example, if a mobile application uses a weak cryptographic algorithm to generate authentication tokens or session keys, an attacker can use reverse engineering or other techniques to extract the keys and gain access to the application.

Here’s an example of how an attacker could exploit an authorization bypass vulnerability through a user-controlled key in a hypothetical code snippet:

				
					// Sample code for user-controlled key authorization
public class SecureService {
  private static final String SECRET_KEY = "5up3r53cr37k3y";

  public boolean isAuthenticated(String userKey) {
    String derivedKey = generateKey(userKey);
    return SECRET_KEY.equals(derivedKey);
  }

  private String generateKey(String userKey) {
    // Key derivation function that uses the user-provided key 
    // to generate the derived key
    // Example of weak key derivation function
    String derivedKey = userKey + "salt";
    return derivedKey;
  }
}
				
			

In this example, an attacker could exploit an authorization bypass vulnerability by providing a user-controlled key that bypasses the authentication check. Here are the steps an attacker might take:

  1. The attacker intercepts the user’s login request and observes that the user is using a user-controlled key to authenticate.

  2. The attacker generates a user-controlled key that will bypass the authentication check. In this example, the attacker could simply provide a key that is equal to the SECRET_KEY value (“5up3r53cr37k3y”).

  3. The attacker sends the user-controlled key in a login request to the server.

  4. The server generates the derived key using the user-controlled key and the key derivation function.

  5. The server compares the derived key to the SECRET_KEY value and finds a match, since the user-controlled key is equal to the SECRET_KEY value.

  6. The server returns a successful authentication response, and the attacker gains access to the secure service.

				
					// Sample code for user-controlled key authorization
public class FileServer {
  private static final String AUTH_KEY = "5ecr3tK3y";

  public boolean hasAccess(String userKey, String filePath) {
    String derivedKey = generateKey(userKey);
    if (AUTH_KEY.equals(derivedKey)) {
      return true;
    }
    return false;
  }

  private String generateKey(String userKey) {
    // Simple key derivation function that concatenates 
    // the user-provided key and a static string
    return userKey + "random_string";
  }
}
				
			

In this example, an attacker could exploit an authorization bypass vulnerability by modifying the user-controlled key to bypass the authentication check. Here are the steps an attacker might take:

  1. The attacker intercepts a request to access a file and observes that the user is using a user-controlled key to authenticate.

  2. The attacker modifies the user-controlled key to include the static authentication key (AUTH_KEY) used by the server. In this example, the attacker could simply concatenate the user-controlled key with “5ecr3tK3y”.

  3. The attacker sends the modified user-controlled key in a request to the server.

  4. The server generates the derived key using the modified user-controlled key and the key derivation function.

  5. The server compares the derived key to the AUTH_KEY value and finds a match, since the attacker has included the static authentication key in the modified user-controlled key.

  6. The server returns a successful authentication response, and the attacker gains access to the requested file.

Real world examples

There have been numerous real-world examples of authorization bypass vulnerabilities being exploited by attackers. Here are some notable examples:

Equifax data breach: In 2017, attackers were able to exploit an authorization bypass vulnerability in Equifax’s web application to gain unauthorized access to sensitive data, including names, birth dates, social security numbers, and other personal information of millions of customers.

Uber data breach: In 2016, attackers were able to bypass Uber’s authorization controls by accessing a private GitHub repository containing Uber’s AWS credentials. The attackers were then able to access and steal the personal data of 57 million Uber customers and drivers.

Target data breach: In 2013, attackers were able to gain unauthorized access to Target’s point-of-sale systems by exploiting an authorization bypass vulnerability in a third-party vendor’s software. The attackers were then able to steal the credit and debit card information of approximately 40 million Target customers.

Yahoo data breaches: In 2013 and 2014, attackers were able to gain unauthorized access to Yahoo’s user database by exploiting an authorization bypass vulnerability in Yahoo’s proprietary code. The attackers were then able to steal the personal information of all 3 billion Yahoo user accounts.

Marriott International data breach: In 2018, attackers were able to gain unauthorized access to Marriott International’s Starwood reservation system by exploiting an authorization bypass vulnerability. The attackers were then able to steal the personal information of approximately 500 million Marriott customers.

To prevent authorization bypass vulnerabilities, it is important for developers and security professionals to implement proper security measures and best practices, such as proper input validation, secure authentication and authorization controls, regular security audits, and timely patching of vulnerabilities.

Most common CVE references 

There are several CVE (Common Vulnerabilities and Exposures) references that are associated with authorization bypass through user-controlled key vulnerabilities. Some of the most common ones are:

  • CVE-2017-5638 – This CVE reference is associated with the Apache Struts 2 framework and an unauthorized access vulnerability caused by the use of a user-controlled key. Attackers were able to exploit this vulnerability by sending a specially crafted HTTP request to the targeted server.

  • CVE-2018-11882 – This CVE reference is associated with a vulnerability in Microsoft Office that allowed attackers to bypass authentication and execute arbitrary code. The vulnerability was caused by the use of a user-controlled key to decrypt a portion of an Office document.

  • CVE-2019-5736 – This CVE reference is associated with a vulnerability in the Docker container runtime that allowed attackers to bypass authorization and gain root access to the host system. The vulnerability was caused by the use of a user-controlled key to perform cryptographic verification of container images.

  • CVE-2020-13942 – This CVE reference is associated with a vulnerability in Apache Tomcat that allowed attackers to bypass authorization and access resources that should have been restricted. The vulnerability was caused by the use of a user-controlled key to sign JAR files used by the affected application.

  • CVE-2018-3191 – This CVE reference is associated with a vulnerability in Oracle Database that allowed attackers to bypass authentication and gain access to sensitive data. The vulnerability was caused by the use of a user-controlled key to decrypt data stored in the database.

  • CVE-2018-0886 – This CVE reference is associated with a vulnerability in Microsoft’s Credential Security Support Provider (CredSSP) protocol that allowed attackers to bypass authentication and execute remote commands on affected systems. The vulnerability was caused by the use of a user-controlled key to perform cryptographic operations.

  • CVE-2019-11510 – This CVE reference is associated with a vulnerability in Pulse Secure VPNs that allowed attackers to bypass authentication and gain access to sensitive data. The vulnerability was caused by the use of a user-controlled key to encrypt user credentials stored on the VPN appliance.

  • CVE-2020-5410 – This CVE reference is associated with a vulnerability in Spring Framework that allowed attackers to bypass authorization and execute arbitrary code on affected systems. The vulnerability was caused by the use of a user-controlled key to deserialize objects.

These CVE references demonstrate the wide range of systems and applications that can be vulnerable to authorization bypass through user-controlled key vulnerabilities, and the importance of implementing strong security measures to prevent these types of attacks.

How to prevent authorization bypass through user-controlled key 

Use secure authentication and authorization mechanisms. Applications should use secure authentication and authorization mechanisms that do not rely solely on user-controlled input. This may include multi-factor authentication, role-based access control, and other security measures.

Applications should perform proper validation and verification of keys and tokens to ensure that they are valid and belong to the authorized user. This may include checking the key’s expiration, ensuring that it matches the user’s identity, and verifying that it has not been tampered with.

Use strong cryptographic algorithms and protocols. Applications should use strong cryptographic algorithms and protocols to generate and manage keys and tokens. This may include using industry-standard algorithms and protocols such as AES, RSA, and TLS.

Keys and tokens should be stored securely, using strong encryption and access controls to prevent unauthorized access. This may include storing them in a secure database or using a secure key management service.

Applications should monitor and log all access attempts to detect and respond to any unauthorized access attempts. This may include using intrusion detection systems, security information and event management (SIEM) tools, and other security monitoring solutions.

To prevent authorization bypass through user-controlled key vulnerabilities, organizations should implement the following measures:

  1. Strong Key Derivation Functions: Use strong key derivation functions, such as PBKDF2, bcrypt, or scrypt, to derive keys from user-supplied passwords or other input.

  2. Secure Key Storage: Store keys securely, using hardware-based security modules, trusted execution environments, or other secure storage mechanisms. Avoid storing keys in plain text or using weak encryption mechanisms.

  3. Additional Authentication and Authorization Checks: Implement additional authentication and authorization checks to ensure that users are authorized to perform the requested actions. For example, use multi-factor authentication or role-based access control to restrict access to sensitive data or functions.

  4. Regular Security Assessments: Regularly assess the security of the system or service using penetration testing, vulnerability scanning, or other security assessment techniques. This can help identify and remediate vulnerabilities before they can be exploited by attackers.

  5. Security Training: Provide security training to developers, administrators, and other staff to ensure they understand the importance of security and how to develop and maintain secure systems and applications.

What to do if the Authorization bypass through user-controlled key vulnerability is detected?

If a user suspects or detects an authorization bypass through user-controlled key vulnerability, they should report it to the appropriate organization or entity responsible for the affected system:

Contact the organization. Reach out to the organization or entity responsible for the system or service and report the vulnerability. This may include contacting customer support or security teams, or submitting a vulnerability report through a dedicated vulnerability disclosure program or bug bounty program.

Provide details. Provide as much detail as possible about the vulnerability, including the steps to reproduce it and any potential impact on data or systems.

Keep the vulnerability confidential. Do not share details of the vulnerability with anyone except the organization responsible for the system or service until it has been resolved.

Stay informed about the organization’s response to the vulnerability and any updates or fixes that are released. If the organization does not have a vulnerability disclosure program or bug bounty program, follow responsible disclosure practices by giving the organization a reasonable amount of time to fix the vulnerability before publicly disclosing it.

Books with review of Authorization bypass through user-controlled key

“Web Application Security: A Beginner’s Guide” by Bryan Sullivan and Vincent Liu – This book covers various web application security topics, including authentication and authorization, and provides practical guidance on how to secure web applications against common vulnerabilities, such as authorization bypass through user-controlled key.

“Hacking: The Art of Exploitation” by Jon Erickson – This book provides an in-depth introduction to computer security and hacking techniques, including a section on cryptographic attacks, which includes authorization bypass through user-controlled key.

“The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws” by Dafydd Stuttard and Marcus Pinto – This book provides detailed information on web application security testing techniques, including how to identify and exploit authorization bypass vulnerabilities, such as those that can be caused by user-controlled keys.

“Black Hat Python: Python Programming for Hackers and Pentesters” by Justin Seitz – This book covers various hacking techniques and tools, including cryptographic attacks, and provides practical examples of how to exploit vulnerabilities, such as authorization bypass through user-controlled key, using Python.

These books provide valuable insights and practical guidance on how to identify and prevent authorization bypass through user-controlled key vulnerabilities, and can be useful resources for developers, security professionals, and anyone interested in learning more about computer security and hacking.

Practicing in test for Authorization bypass through user-controlled key

It is important to test for authorization bypass vulnerabilities, including those caused by user-controlled keys, in order to identify and fix them before they can be exploited by attackers. Here are some steps you can take to practice testing for authorization bypass through user-controlled key vulnerabilities:

Understand the vulnerability: Start by familiarizing yourself with the concept of authorization bypass through user-controlled key vulnerabilities and how they work. Read up on the topic, and try to understand the different ways in which attackers can exploit this type of vulnerability.

Set up a test environment: Set up a test environment that mimics a real-world application, including a user interface and server-side components. Use a tool such as OWASP ZAP or Burp Suite to intercept and modify traffic between the client and server, and to simulate attacks against the application.

Identify user-controlled inputs: Identify the different user-controlled inputs in the application, such as form fields, URLs, and parameters. Use tools such as OWASP ZAP or Burp Suite to intercept and modify these inputs, and see how the application responds.

Test for bypass vulnerabilities: Test the application for authorization bypass vulnerabilities by manipulating user-controlled keys to see if you can gain unauthorized access to resources or perform actions that should be restricted. Try different combinations of inputs and payloads, and see how the application responds.

Analyze the results: Analyze the results of your tests, and identify any vulnerabilities that you find. Document your findings, and provide recommendations for fixing the vulnerabilities.

Fix the vulnerabilities: Once you have identified vulnerabilities, work with the developers to fix them. Implement appropriate security measures, such as input validation and access controls, to prevent similar vulnerabilities from occurring in the future.

By practicing testing for authorization bypass through user-controlled key vulnerabilities, you can improve your understanding of this type of vulnerability and develop skills in identifying and mitigating it.

Conclusion

In conclusion, the Authorization bypass through user-controlled key vulnerability is a serious security issue that can allow attackers to gain unauthorized access to sensitive data or systems. This vulnerability occurs when an application uses a user-controlled key to perform authentication or authorization checks, which can be manipulated by attackers to bypass these security measures.

Real-world examples of this vulnerability include attacks on banking and financial systems, as well as cloud-based services and IoT devices. To prevent this vulnerability, organizations should implement strong key derivation functions, use a secure key storage mechanism, and perform additional authentication and authorization checks to ensure that users are authorized to perform the requested actions.

If an Authorization bypass through user-controlled key vulnerability is detected, organizations should take immediate action to disable the vulnerable functionality, investigate the vulnerability, develop and implement a fix, and communicate with stakeholders. Users can also play an important role in improving the security of the systems and services they use by reporting vulnerabilities responsibly to the appropriate organization or entity.

Other Services

Ready to secure?

Let's get in touch