28 Feb, 2023

Broken Function Level Authorization

Vulnerability Assessment as a Service (VAaaS)

Tests systems and applications for vulnerabilities to address weaknesses.

Broken Function Level Authorization (BFLA) is a security vulnerability that occurs when an application fails to properly enforce access controls for its functions or resources. This allows an attacker to perform actions or access resources that they should not be allowed to.

Example of vulnerable code on different programming languages:


in Python:

				
					def delete_user_account(request, user_id):
    # Check if the user making the request is authorized
    if request.user.is_admin:
        # Delete the user's account
        delete_user(user_id)
        return HttpResponse("User account deleted successfully.")
    else:
        return HttpResponseForbidden("You are not authorized to perform this action.")

				
			


In this code, the delete_user_account function checks if the user making the request is an administrator before deleting the specified user’s account. However, there is no validation of the user_id parameter to ensure that the requesting user is authorized to delete that specific user’s account. An attacker could exploit this vulnerability by changing the user_id parameter in the request to delete another user’s account.

• in PHP:

				
					function delete_user_account($user_id) {
    // Check if the user making the request is authorized
    if ($_SESSION['is_admin']) {
        // Delete the user's account
        delete_user($user_id);
        return "User account deleted successfully.";
    } else {
        header('HTTP/1.0 403 Forbidden');
        return "You are not authorized to perform this action.";
    }
}

				
			


In this PHP code, the delete_user_account function checks if the user making the request is an administrator before deleting the specified user’s account. However, it does not validate the $user_id parameter to ensure that the requesting user is authorized to delete that specific user’s account. An attacker could exploit this vulnerability by changing the $user_id parameter in the request to delete another user’s account.

• in Java:

				
					public void delete_user_account(int user_id) {
    // Check if the user making the request is authorized
    if (currentUser.getRole() == Role.ADMIN) {
        // Delete the user's account
        deleteUser(user_id);
        System.out.println("User account deleted successfully.");
    } else {
        throw new ForbiddenException("You are not authorized to perform this action.");
    }
}

				
			


In this Java code, the delete_user_account method checks if the user making the request is an administrator before deleting the specified user’s account. However, it does not validate the user_id parameter to ensure that the requesting user is authorized to delete that specific user’s account. An attacker could exploit this vulnerability by changing the user_id parameter in the request to delete another user’s account.

Examples of exploitation Broken Function Level Authorization

Unauthorized deletion of user accounts:

Suppose an attacker knows the ID of a user account they want to delete and sends a request to the application to delete that account. If the application does not validate that the user making the request is authorized to delete that specific account, the attacker can successfully delete the account, even if they are not authorized to do so.

Accessing unauthorized resources:

Suppose an attacker wants to access a resource that is only accessible to administrators, such as a list of all user accounts. If the application does not properly enforce access controls for this resource, the attacker can send a request to access the resource and view the information, even if they are not authorized to do so.

Modifying unauthorized data:

Suppose an attacker wants to modify some data in the application that they are not authorized to modify, such as a user’s account information. If the application does not properly validate that the user making the request is authorized to modify that specific data, the attacker can modify the data, even if they are not authorized to do so.

Privilege escalation techniques for Broken Function Level Authorization

Manipulating input parameters:

An attacker can manipulate input parameters to the application to gain access to resources or perform actions that they are not authorized to. For example, an attacker could modify the parameters of a request to delete another user’s account, or to access sensitive data or functionality that is normally only accessible to administrators.

Session hijacking:

An attacker can hijack a valid user session to gain access to the application as that user. Once they have access, they can then perform actions or access resources that they are authorized for, potentially including administrative privileges.

Exploiting hidden functionality:

Some applications may have hidden functionality or debug features that are only accessible to developers or administrators. An attacker can try to access these hidden features by manipulating parameters or input values, potentially gaining access to privileged functionality that is not normally available.

Brute force attacks:

An attacker can attempt to brute force credentials, such as usernames and passwords, or authentication tokens to gain access to the application. If successful, they can then perform actions or access resources that they are authorized for, potentially including administrative privileges.

General methodology and checklist for Broken Function Level Authorization

Methodology:

  1. Identify the functions and resources that require authorization: Review the application to identify the functions and resources that require authorization, such as administrative functions, sensitive data, or user-specific data.

  2. Understand the authorization mechanism: Understand how the application enforces authorization, such as by checking user roles or permissions, session management, or other authentication mechanisms.

  3. Test authorization for each function and resource: Test each function and resource to ensure that it is properly authorized. Attempt to access each function and resource as different users, with different roles or permissions, or with invalid credentials.

  4. Attempt to bypass authorization: Attempt to bypass the authorization mechanism by modifying parameters or input values, using unexpected HTTP methods, or other techniques.

  5. Test for horizontal privilege escalation: Test for the ability to access other users’ data or functions by manipulating parameters or input values.

  6. Test for vertical privilege escalation: Test for the ability to access administrative or privileged functions or data by manipulating parameters or input values, or by exploiting hidden functionality or other vulnerabilities.

  7. Test session management: Test for session hijacking by attempting to steal other users’ sessions or by using invalid or expired session tokens.

  8. Document findings and report vulnerabilities: Document any findings, including the steps to reproduce the vulnerability, the impact of the vulnerability, and recommendations for remediation. Report any vulnerabilities to the application owner or development team for remediation.

Checklist:

  1. Identify the functions and resources that require authorization, such as administrative functions, sensitive data, or user-specific data.

  2. Understand the authorization mechanism, such as user roles or permissions, session management, or other authentication mechanisms.

  3. Test authorization for each function and resource by attempting to access each function and resource as different users, with different roles or permissions, or with invalid credentials.

  4. Attempt to bypass authorization by modifying parameters or input values, using unexpected HTTP methods, or other techniques.

  5. Test for horizontal privilege escalation by attempting to access other users’ data or functions by manipulating parameters or input values.

  6. Test for vertical privilege escalation by attempting to access administrative or privileged functions or data by manipulating parameters or input values, or by exploiting hidden functionality or other vulnerabilities.

  7. Test session management by attempting to steal other users’ sessions or by using invalid or expired session tokens.

  8. Check for error messages or status codes that may provide information about the application’s authorization mechanisms or weaknesses.

  9. Review the application’s source code for potential vulnerabilities, such as hard-coded credentials or insecure session management.

  10. Verify that access controls are enforced at the server-side, and cannot be bypassed by client-side scripting or other means.

  11. Conduct manual and automated testing to validate the application’s access controls.

  12. Document any findings, including the steps to reproduce the vulnerability, the impact of the vulnerability, and recommendations for remediation.

Tools set for exploiting Broken Function Level Authorization

Manual Tools:

  • Burp Suite: A web application security testing framework that includes a proxy, scanner, and many other tools. Can be used to manually test and exploit Broken Function Level Authorization vulnerabilities.

  • Postman: A tool for API development and testing. Can be used to manually test and exploit Broken Function Level Authorization vulnerabilities in APIs.

  • Chrome Developer Tools: A set of debugging tools built into the Google Chrome browser. Can be used to manually inspect and manipulate HTTP requests and responses, including headers and parameters.

  • Firefox Developer Tools: A set of debugging tools built into the Mozilla Firefox browser. Similar to Chrome Developer Tools, can be used to manually inspect and manipulate HTTP requests and responses.

  • OWASP ZAP: An open-source web application security scanner. Can be used to manually test and exploit Broken Function Level Authorization vulnerabilities.

  • SQLMap: An open-source penetration testing tool that automates the process of detecting and exploiting SQL injection vulnerabilities. Can be used to manually test and exploit Broken Function Level Authorization vulnerabilities that involve SQL injection.

  • Nmap: A network exploration and security auditing tool. Can be used to manually identify potential targets for Broken Function Level Authorization attacks.

Automated Tools:

  • Acunetix: A web application security scanner that includes automated testing for Broken Function Level Authorization vulnerabilities.

  • AppSpider: A web application security scanner that includes automated testing for Broken Function Level Authorization vulnerabilities.

  • Nessus: A network vulnerability scanner that includes automated testing for Broken Function Level Authorization vulnerabilities.

  • OpenVAS: An open-source network vulnerability scanner that includes automated testing for Broken Function Level Authorization vulnerabilities.

  • Nikto: A web server scanner that includes automated testing for Broken Function Level Authorization vulnerabilities.

  • Wapiti: A web application security scanner that includes automated testing for Broken Function Level Authorization vulnerabilities.

  • Arachni: A modular web application security scanner that includes automated testing for Broken Function Level Authorization vulnerabilities.

  • Skipfish: An automated web application security scanner that includes testing for Broken Function Level Authorization vulnerabilities.

  • Netsparker: A web application security scanner that includes automated testing for Broken Function Level Authorization vulnerabilities.

  • Grendel-Scan: An open-source web application security scanner that includes automated testing for Broken Function Level Authorization vulnerabilities.

Browser Plugins:

  • Tamper Data: A Firefox plugin that allows users to view and modify HTTP/HTTPS headers and parameters.

  • Web Developer: A browser extension for Google Chrome, Firefox, and Opera that provides various web development tools, including the ability to inspect and manipulate HTTP requests and responses.

  • HackBar: A Firefox plugin that adds a toolbar with various web security testing tools, including the ability to modify HTTP requests and responses.

Average CVSS score of stack Broken Function Level Authorization

The Common Vulnerability Scoring System (CVSS) is used to assess and rate the severity of security vulnerabilities, including those related to Broken Function Level Authorization. The CVSS score ranges from 0 to 10, with higher scores indicating more severe vulnerabilities.

The average CVSS score for vulnerabilities related to Broken Function Level Authorization can vary widely, depending on the specific vulnerability and its impact on the application. In general, vulnerabilities related to Broken Function Level Authorization can be classified as high severity since they can potentially provide attackers with elevated access and control over the application.

However, the actual CVSS score for a specific vulnerability related to Broken Function Level Authorization will depend on a variety of factors, such as the impact on the confidentiality, integrity, and availability of the application and its data, as well as the complexity of exploiting the vulnerability. Therefore, it is not possible to provide an average CVSS score for all vulnerabilities related to Broken Function Level Authorization.

The Common Weakness Enumeration (CWE)

CWE-285: Improper Authorization: This category refers to situations where an application does not properly authenticate and authorize users or processes, leading to potential unauthorized access.

CWE-269: Improper Privilege Management: This category refers to situations where an application does not properly manage the privileges of users or processes, leading to potential elevation of privileges.

CWE-276: Incorrect Default Permissions: This category refers to situations where an application uses insecure default permissions that can be exploited by attackers to gain unauthorized access.

CWE-732: Incorrect Permission Assignment for Critical Resource: This category refers to situations where an application assigns incorrect permissions to critical resources, leading to potential unauthorized access.

CWE-434: Unrestricted Upload of File with Dangerous Type: This category refers to situations where an application allows users to upload files without proper validation, leading to potential execution of malicious code.

CWE-862: Missing Authorization: This category refers to situations where an application does not properly enforce authorization requirements, leading to potential unauthorized access.

CWE-863: Incorrect Authorization: This category refers to situations where an application enforces authorization requirements incorrectly, leading to potential unauthorized access.

CWE-287: Improper Authentication: This category refers to situations where an application does not properly authenticate users or processes, leading to potential unauthorized access.

CWE-697: Insufficient Comparison: This category refers to situations where an application compares values improperly, leading to potential authorization bypass.

CWE-732: Incorrect Permission Assignment for Critical Resource: This category refers to situations where an application assigns incorrect permissions to critical resources, leading to potential unauthorized access.

Top 10 CVES related to Broken Function Level Authorization

CVE-2023-0720 – The Wicked Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the ajax_save_folder_order function in versions up to, and including, 2.18.16. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to invoke this function and perform actions intended for administrators such as modifying the folder structure maintained by the plugin.

CVE-2023-0719 – The Wicked Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the ajax_save_sort_order function in versions up to, and including, 2.18.16. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to invoke this function and perform actions intended for administrators such as modifying the folder structure maintained by the plugin.

CVE-2023-0718 – The Wicked Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the ajax_save_folder function in versions up to, and including, 2.18.16. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to invoke this function and perform actions intended for administrators such as modifying the folder structure maintained by the plugin.

CVE-2023-0717 – The Wicked Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the ajax_delete_folder function in versions up to, and including, 2.18.16. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to invoke this function and perform actions intended for administrators such as modifying the folder structure maintained by the plugin.

CVE-2023-0716 – The Wicked Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the ajax_edit_folder function in versions up to, and including, 2.18.16. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to invoke this function and perform actions intended for administrators such as modifying the folder structure maintained by the plugin.

CVE-2023-0715 – The Wicked Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the ajax_clone_folder function in versions up to, and including, 2.18.16. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to invoke this function and perform actions intended for administrators such as modifying the folder structure maintained by the plugin.

CVE-2023-0713 – The Wicked Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the ajax_add_folder function in versions up to, and including, 2.18.16. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to invoke this function and perform actions intended for administrators such as modifying the folder structure maintained by the plugin.

CVE-2023-0712 – The Wicked Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the ajax_move_object function in versions up to, and including, 2.18.16. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to invoke this function and perform actions intended for administrators such as modifying the folder structure maintained by the plugin.

CVE-2023-0711 – The Wicked Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the ajax_save_state function in versions up to, and including, 2.18.16. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to invoke this function and perform actions intended for administrators such as modifying the view state of the folder structure maintained by the plugin.

CVE-2023-0684 – The Wicked Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the ajax_unassign_folders function in versions up to, and including, 2.18.16. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to invoke this function and perform actions intended for administrators such as changing the folder structure maintained by the plugin.

Broken Function Level Authorization exploits

  • Horizontal privilege escalation: An attacker gains access to another user’s account and is able to perform actions on behalf of that user.

  • Vertical privilege escalation: An attacker gains higher privileges than they are authorized for, allowing them to access sensitive information or perform privileged actions.

  • Access to admin functionality: An attacker gains access to administrative functionality without being authorized to do so, allowing them to perform privileged actions.

  • Direct object reference: An attacker manipulates the parameters of an HTTP request to access resources or data that they should not have access to.

  • Forced browsing: An attacker uses a web application’s directory structure to navigate to resources or data that they should not have access to.

  • Parameter modification: An attacker manipulates the parameters of an HTTP request to modify their access level or bypass authentication or authorization checks.

  • Session fixation: An attacker forces a user’s session ID to a known value, allowing them to hijack the user’s session and access sensitive information.

  • Cookie manipulation: An attacker manipulates the values of a user’s cookies to gain unauthorized access to resources or data.

  • Insufficient authorization checks: An application does not properly check a user’s authorization level before allowing them to perform an action, allowing attackers to perform privileged actions.

  • Improper error handling: An application reveals sensitive information, such as usernames, passwords, or error messages, to attackers through error messages or debug output.

Practicing in test for Broken Function Level Authorization

  1. Identify the authentication and authorization mechanisms used by the web application. This can include user accounts, session management, access control lists, and other mechanisms that control user access to application resources.

  2. Identify the different levels of access available to users within the application. This can include different roles or permissions that control what actions a user is allowed to perform within the application.

  3. Use a combination of manual and automated testing tools to test the application for vulnerabilities related to Broken Function Level Authorization. This can include tools like Burp Suite, OWASP ZAP, and Nikto, which can help automate the process of identifying vulnerabilities in the application.

  4. Perform a thorough review of the application’s source code, looking for any weaknesses in the authentication and authorization mechanisms used by the application.

  5. Use a variety of attack techniques to try to bypass the application’s authentication and authorization checks, such as parameter tampering, session hijacking, and privilege escalation.

  6. Keep a detailed record of any vulnerabilities or weaknesses discovered during the testing process, and provide detailed recommendations for how the application’s developers can address these issues.

  7. Finally, retest the application after any changes have been made to ensure that the vulnerabilities have been properly addressed and that the application is now secure against Broken Function Level Authorization attacks.

For study Broken Function Level Authorization

OWASP Top 10: Broken Access Control: This is a comprehensive guide to the most common types of Broken Function Level Authorization vulnerabilities and how to prevent them. It provides a detailed explanation of each vulnerability, along with practical examples and remediation techniques.

Web Application Hacker’s Handbook: This is a highly regarded book on web application security that covers all aspects of testing and exploiting web applications, including Broken Function Level Authorization.

Pentester Academy: This is an online learning platform that offers courses and labs on web application security, including topics such as Broken Function Level Authorization. The labs provide hands-on experience with testing and exploiting vulnerabilities in web applications.

Burp Suite Academy: Burp Suite is a popular web application testing tool that includes features for testing Broken Function Level Authorization vulnerabilities. The Burp Suite Academy offers free online courses on how to use the tool to test web applications for security vulnerabilities.

YouTube tutorials: There are many YouTube tutorials available that provide step-by-step guidance on how to test web applications for Broken Function Level Authorization vulnerabilities. Some popular channels include HackerSploit, STÖK, and LiveOverflow.

Online communities: Joining online communities, such as the OWASP community or security-focused subreddits, can be a great way to connect with other security professionals and learn from their experiences and expertise.

Books with review of Broken Function Level Authorization

The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws, Second Edition by Dafydd Stuttard and Marcus Pinto: This book is a comprehensive guide to web application security, including Broken Function Level Authorization vulnerabilities. It covers a wide range of topics, from mapping an application’s architecture to discovering and exploiting vulnerabilities.

Breaking into Information Security: Learning the Ropes 101 by Josh More and Anthony Stieber: This book provides an overview of the different aspects of information security, including web application security and Broken Function Level Authorization. It covers basic concepts and techniques for identifying and exploiting vulnerabilities.

Web Security Testing Cookbook: Identify vulnerabilities and improve your security posture with over 140 recipes by Paco Hope and Ben Walther: This book is a practical guide to web security testing, including testing for Broken Function Level Authorization. It provides recipes for testing different aspects of web applications, along with step-by-step instructions and sample code.

Web Application Security: A Beginner’s Guide by Bryan Sullivan, Vincent Liu, and Michael Coates: This book is an introductory guide to web application security, including common vulnerabilities like Broken Function Level Authorization. It covers basic concepts and techniques for identifying and mitigating web application vulnerabilities.

Professional Penetration Testing: Creating and Operating a Formal Hacking Lab by Thomas Wilhelm: This book is a guide to setting up and running a penetration testing lab, including testing for Broken Function Level Authorization. It covers techniques for identifying and exploiting vulnerabilities, as well as how to document and report on findings.

Hacking Web Apps: Detecting and Preventing Web Application Security Problems by Mike Shema: This book provides an overview of web application security, including Broken Function Level Authorization, and covers techniques for identifying and preventing vulnerabilities. It also includes case studies and practical examples.

The Basics of Web Hacking: Tools and Techniques to Attack the Web by Josh Pauli: This book covers the basics of web hacking, including common vulnerabilities like Broken Function Level Authorization. It provides step-by-step instructions and practical examples for identifying and exploiting vulnerabilities.

Gray Hat Hacking: The Ethical Hacker’s Handbook by Allen Harper, Daniel Regalado, Ryan Linn, Stephen Sims, Branko Spasojevic, and Linda Martinez: This book covers a wide range of hacking techniques, including web application security and Broken Function Level Authorization. It provides practical guidance on identifying and exploiting vulnerabilities, as well as how to report findings ethically.

Advanced Penetration Testing: Hacking the World’s Most Secure Networks by Wil Allsopp: This book covers advanced techniques for penetration testing, including testing for Broken Function Level Authorization. It covers a wide range of topics, from reconnaissance and mapping to exploitation and post-exploitation techniques.

Hands-On Web Penetration Testing with Metasploit: Build dynamic, automated web security test suites with the Metasploit Framework by Mike McPhee: This book focuses on using the Metasploit Framework for web application penetration testing, including testing for Broken Function Level Authorization. It covers the basics of the framework, as well as more advanced techniques for identifying and exploiting vulnerabilities.

List of payloads Broken Function Level Authorization

  1. Modifying a parameter value in the URL or request body to bypass authorization checks

  2. Changing the HTTP method from GET to POST or vice versa to bypass authorization checks

  3. Trying to access resources or endpoints with incorrect or unauthorized parameters

  4. Sending requests with deliberately large values in order to test for integer overflows or buffer overflows that may allow unauthorized access

  5. Testing for insecure direct object references by modifying the object identifier in a request

  6. Trying to access functionality that should be disabled or restricted, such as administrative or debugging features

  7. Injecting code into requests to bypass authorization checks or perform unauthorized actions

  8. Attempting to execute arbitrary code or scripts by uploading files with malicious content or accessing unauthorized system files

  9. Using brute-force attacks to guess passwords or other authentication credentials

  10. Testing for session hijacking vulnerabilities by attempting to steal valid session tokens or manipulate existing sessions

How to be protected from Broken Function Level Authorization

  1. Use strong passwords and change them regularly.

  2. Implement multi-factor authentication wherever possible.

  3. Limit the number of users who have administrative privileges.

  4. Keep software up to date with the latest security patches and updates.

  5. Implement proper access controls and permissions for each user or group of users.

  6. Use secure coding practices and perform regular code reviews to identify and fix vulnerabilities.

  7. Implement intrusion detection and prevention systems to monitor for suspicious activity.

  8. Educate users on safe browsing habits and the importance of security best practices.

  9. Use encryption and secure communication protocols to protect sensitive data in transit and at rest.

  10. Perform regular security audits and penetration testing to identify and address vulnerabilities before they can be exploited.

Mitigations for Broken Function Level Authorization

  1. Implement proper access controls and permissions for each user or group of users, including limiting access to sensitive or privileged functionality.

  2. Implement multi-factor authentication wherever possible to reduce the risk of unauthorized access to sensitive information or functions.

  3. Use session management techniques such as session timeouts, secure session handling, and session revocation to prevent unauthorized access to sensitive data or functionality.

  4. Implement proper error handling and logging mechanisms to detect and respond to unauthorized access attempts or other security incidents.

  5. Use secure coding practices, including input validation and output encoding, to prevent injection attacks that could allow unauthorized access or manipulation of data.

  6. Perform regular security audits and penetration testing to identify and address vulnerabilities before they can be exploited.

  7. Train developers and system administrators on security best practices, including how to identify and mitigate Broken Function Level Authorization vulnerabilities.

  8. Use secure communication protocols, such as SSL/TLS, to protect sensitive data in transit.

  9. Implement web application firewalls or other intrusion prevention/detection systems to monitor for suspicious activity and block potential attacks.

  10. Regularly review access logs and audit trails to identify and investigate potential security incidents.

Conclusion

Broken Function Level Authorization vulnerabilities can have serious consequences for organizations and individuals, as they allow unauthorized access to sensitive data or functions that can be used for malicious purposes. These vulnerabilities can arise from improper access controls and permissions, weak authentication mechanisms, or other coding or configuration errors.

To prevent or mitigate these vulnerabilities, it is important to implement proper access controls and permissions, use strong authentication mechanisms, perform regular security audits and penetration testing, and follow secure coding practices. Additionally, organizations should educate their developers and system administrators on security best practices and stay vigilant about potential security incidents or unauthorized access attempts.

By taking these steps and staying informed about the latest security threats and vulnerabilities, organizations can better protect themselves from Broken Function Level Authorization and other security risks.

Other Services

Ready to secure?

Let's get in touch