07 Mar, 2023

Failure to Restrict Web Resources

Vulnerability Assessment as a Service (VAaaS)

Tests systems and applications for vulnerabilities to address weaknesses.

Failure to Restrict Web Resources refers to a security vulnerability where a web application fails to properly enforce access controls, allowing unauthorized users to access resources that should be restricted. This can happen due to a variety of reasons, such as incorrect configuration of access controls, flawed authentication mechanisms, or insufficient input validation. Failure to restrict web resources can lead to sensitive information leakage, data manipulation, and unauthorized actions on the application, potentially causing significant harm to users and the organization running the application.

Example of vulnerable code on different programming languages:


in Python:

				
					def view_orders(request):
    if not request.user.is_authenticated:
        return redirect('login')
    
    orders = Order.objects.all()
    return render(request, 'orders.html', {'orders': orders})

				
			

 

In this example, the view_orders function is meant to only allow authenticated users to view the orders page. However, the check for authentication is not properly enforced, as an attacker could simply craft a request with a fake authentication token to bypass the check and access the orders page. To fix this vulnerability, the function should use a more robust authentication mechanism, such as Django’s built-in authentication framework.

• in Java:

				
					public class OrderController {
    @GetMapping("/orders")
    public ResponseEntity<List<Order>> getOrders() {
        List<Order> orders = orderService.getAllOrders();
        return new ResponseEntity<>(orders, HttpStatus.OK);
    }
}

				
			

 

In this example, the getOrders method in the OrderController class allows any user to retrieve all orders without any authentication or authorization checks. An attacker could simply craft a request to access the /orders endpoint and retrieve sensitive information about all orders. To fix this vulnerability, the method should enforce appropriate access controls, such as requiring authentication and only allowing authorized users to access the orders endpoint.

• in PHP:

				
					if (!isset($_SESSION['user'])) {
    header('Location: login.php');
    exit;
}

$orders = $db->query('SELECT * FROM orders');

				
			


In this example, the PHP code checks for a valid session to ensure that the user is authenticated before querying the database for orders. However, the check for a valid session is not sufficient, as an attacker could simply craft a fake session cookie to bypass the check and access the orders page. To fix this vulnerability, the code should use a more robust authentication mechanism, such as PHP’s built-in session management or a third-party authentication library. Additionally, the code should enforce appropriate authorization checks to ensure that users can only access orders that they are authorized to view.

Examples of exploitation Failure to Restrict Web Resources

Information Disclosure:

An attacker could exploit a Failure to Restrict Web Resources vulnerability to access sensitive information that should only be accessible to authorized users. For example, if a web application allows unauthenticated users to access sensitive customer data such as names, addresses, and credit card details, an attacker could exploit the vulnerability to steal this information and use it for fraudulent purposes.

Unauthorized Access:

An attacker could exploit a Failure to Restrict Web Resources vulnerability to gain unauthorized access to parts of the web application that should only be accessible to authorized users. For example, if a web application allows unauthenticated users to access the admin panel, an attacker could exploit the vulnerability to gain full control of the web application and perform malicious actions, such as modifying data, uploading malware, or stealing user credentials.

Privilege Escalation:

An attacker could exploit a Failure to Restrict Web Resources vulnerability to escalate their privileges within the web application. For example, if a web application allows unprivileged users to access certain pages that they should not be able to access, an attacker could exploit the vulnerability to gain access to administrative pages and perform actions that they are not authorized to perform.

Denial of Service:

An attacker could exploit a Failure to Restrict Web Resources vulnerability to launch a denial of service attack against the web application. For example, if a web application allows unauthenticated users to perform resource-intensive actions, an attacker could exploit the vulnerability to overload the web server and cause it to crash or become unresponsive.

Privilege escalation techniques for Failure to Restrict Web Resources

Session hijacking:

An attacker can hijack an active user session by stealing the user’s session ID or authentication token. This can allow the attacker to impersonate the user and perform actions that they are authorized to perform, such as accessing sensitive information or performing transactions.

Parameter tampering:

An attacker can modify parameters in requests sent to the web application to bypass access controls and gain access to resources or perform actions that they are not authorized to perform. For example, an attacker could modify a URL parameter to access a restricted page or modify the parameters in a form submission to change the price of a product.

Directory traversal:

An attacker can use directory traversal techniques to bypass access controls and access files or directories that they are not authorized to access. This can be done by injecting special characters or sequences into file paths to move up or down the directory structure.

Broken object-level authorization:

If the web application does not properly enforce object-level authorization, an attacker could modify the object ID or other parameters in a request to access objects that they are not authorized to access. For example, an attacker could modify the ID parameter in a request to access a different user’s account or data.

Privilege escalation through injection attacks:

An attacker can use injection attacks, such as SQL injection or command injection, to manipulate the web application and gain elevated privileges. This can allow the attacker to execute arbitrary code, modify the database, or perform other actions that they are not authorized to perform.

General methodology and checklist for Failure to Restrict Web Resources

Methodology:

  1. Information gathering: Collect information about the web application, such as the URL, the technology stack used, and the application’s functionality.

  2. Identify the restricted resources: Determine which resources should be restricted and require authentication, such as pages, directories, or data.

  3. Test for unauthenticated access: Attempt to access the restricted resources without authentication, using techniques such as modifying the URL, using different HTTP methods, or manipulating cookies.

  4. Test for authenticated access: Attempt to access the restricted resources with different levels of authorization, such as guest, user, and administrator.

  5. Test for privilege escalation: Test for privilege escalation techniques, such as session hijacking, parameter tampering, directory traversal, and injection attacks.

  6. Test for access control bypass: Test for access control bypass techniques, such as forcing a logout, brute forcing authentication, or modifying access control rules.

  7. Report and document findings: Document any vulnerabilities found, including the steps to reproduce them and the potential impact of the vulnerability. Report the vulnerabilities to the appropriate parties, such as the web application owner or security team.

Checklist:

  1. Verify that authentication is required to access restricted resources.

  2. Test for unauthenticated access to restricted resources.

  3. Test for authenticated access to restricted resources with different authorization levels (guest, user, administrator, etc.).

  4. Test for privilege escalation techniques, such as session hijacking, parameter tampering, directory traversal, and injection attacks.

  5. Test for access control bypass techniques, such as forcing a logout, brute forcing authentication, or modifying access control rules.

  6. Test for horizontal privilege escalation, where a user gains access to resources belonging to another user with the same privilege level.

  7. Test for vertical privilege escalation, where a user gains access to resources belonging to a user with a higher privilege level.

  8. Test for privilege escalation via indirect object reference, where a user can access resources by manipulating a parameter or identifier.

  9. Test for privilege escalation via business logic flaws, where a user can access resources or perform actions by exploiting flaws in the application’s logic.

  10. Document all findings, including the steps to reproduce vulnerabilities and the potential impact of each vulnerability.

  11. Report all vulnerabilities to the appropriate parties, such as the web application owner or security team.

Tools set for exploiting Failure to Restrict Web Resources

Manual Tools:

  • Burp Suite: A popular intercepting proxy that allows users to inspect and modify web traffic, and can be used for manual testing of access control issues.

  • ZAP (Zed Attack Proxy): An open-source web application security scanner that can be used for manual testing of access control issues, among other vulnerabilities.

  • Postman: A tool for manually testing RESTful web services, including access control testing.

  • Sqlmap: A tool for detecting and exploiting SQL injection vulnerabilities, which can be used to escalate privileges and bypass access controls.

  • OWASP Mantra: A security toolkit that includes a variety of tools for manual web application testing, including access control testing.

  • Nikto: A web server scanner that can be used for manual testing of access control issues, among other vulnerabilities.

  • DirBuster: A tool for brute-forcing directories and files on a web server, which can be used for manual testing of access control issues.

  • SQLiPY: A Python-based tool for manual SQL injection testing, which can be used to escalate privileges and bypass access controls.

Automated Tools:

  • Nessus: A vulnerability scanner that can be used to automatically detect and exploit access control issues, among other vulnerabilities.

  • Acunetix: A web application vulnerability scanner that can be used to automatically detect and exploit access control issues, among other vulnerabilities.

  • OpenVAS: A network vulnerability scanner that can be used to automatically detect and exploit access control issues, among other vulnerabilities.

  • Netsparker: A web application security scanner that can be used to automatically detect and exploit access control issues, among other vulnerabilities.

  • Qualys: A cloud-based vulnerability scanner that can be used to automatically detect and exploit access control issues, among other vulnerabilities.

  • AppScan: A web application security scanner that can be used to automatically detect and exploit access control issues, among other vulnerabilities.

  • Skipfish: A web application security scanner that can be used to automatically detect and exploit access control issues, among other vulnerabilities.

  • Wapiti: A web application security scanner that can be used to automatically detect and exploit access control issues, among other vulnerabilities.

  • Grendel-Scan: A web application security scanner that can be used to automatically detect and exploit access control issues, among other vulnerabilities.

Browser Plugins:

  • Wappalyzer: A browser plugin that can be used to identify the technologies used by a web application, which can help identify potential access control issues.

  • Tamper Data: A browser plugin that allows users to modify HTTP requests and responses, which can be used for manual testing of access control issues.

  • Cookie Manager+: A browser plugin that allows users to view and modify cookies used by a web application, which can be used for manual testing of access control issues.

Average CVSS score of stack Failure to Restrict Web Resources

The CVSS (Common Vulnerability Scoring System) score of a vulnerability depends on various factors such as the impact of the vulnerability, the exploitability of the vulnerability, and the scope of the vulnerability. Therefore, it is difficult to provide an average CVSS score for the stack Failure to Restrict Web Resources as it encompasses a wide range of access control issues that can vary in severity.

However, in general, access control issues such as Failure to Restrict Web Resources are considered high severity vulnerabilities as they can allow an attacker to bypass authentication or authorization mechanisms and gain access to sensitive data or perform unauthorized actions. Depending on the specific nature of the vulnerability, the CVSS score can range from medium to critical (e.g. 4.0 to 10.0) on the CVSS scale.

It is important to note that the CVSS score is just one factor in determining the severity of a vulnerability, and organizations should also consider the impact and likelihood of exploitation when prioritizing their security efforts.

The Common Weakness Enumeration (CWE)

• CWE-285: Improper Authorization: This weakness describes the failure to properly implement access controls, including authentication, authorization, and session management.

• CWE-732: Incorrect Permission Assignment for Critical Resource: This weakness describes the

• CWE-434: Unrestricted Upload of File with Dangerous Type: This weakness describes the failure to properly validate user input when uploading files to a web application, which can lead to the upload of malicious files.

• CWE-862: Missing Authorization: This weakness describes the failure to properly authorize access to a resource or functionality, which can lead to unauthorized access or privilege escalation.

• CWE-759: Use of a One-Way Hash without a Salt: This weakness describes the use of a one-way hash function without a salt, which can lead to the discovery of the original password by an attacker.

• CWE-639: Authorization Bypass Through User-Controlled Key: This weakness describes the failure to properly validate user input when using a user-controlled key for authorization, which can lead to authorization bypass.

• CWE-710: Improper Adherence to Coding Standards: This weakness describes the failure to adhere to secure coding standards, including access control best practices.

• CWE-807: Reliance on Untrusted Inputs in a Security Decision: This weakness describes the reliance on untrusted inputs, such as user input or environment variables, in making security decisions.

• CWE-285: Improper Authorization: This weakness describes the failure to properly implement access controls, including authentication, authorization, and session management.

• CWE-426: Untrusted Search Path: This weakness describes the use of an untrusted search path when accessing files or resources, which can lead to unauthorized access or privilege escalation.

CVES related to Failure to Restrict Web Resources

• CVE-2017-16787 – The Web Configuration Utility in Meinberg LANTIME devices with firmware before 6.24.004 allows remote attackers to read arbitrary files by leveraging failure to restrict URL access.

• CVE-2016-1638 – extensions/renderer/resources/platform_app.js in the Extensions subsystem in Google Chrome before 49.0.2623.75 does not properly restrict use of Web APIs, which allows remote attackers to bypass intended access restrictions via a crafted platform app.

• CVE-2014-0053 – The default configuration of the Resources plugin 1.0.0 before 1.2.6 for Pivotal Grails 2.0.0 before 2.3.6 does not properly restrict access to files in the WEB-INF directory, which allows remote attackers to obtain sensitive information via a direct request. NOTE: this identifier has been SPLIT due to different researchers and different vulnerability types. See CVE-2014-2857 for the META-INF variant and CVE-2014-2858 for the directory traversal.

• CVE-2012-5478 – The AuthorizationInterceptor in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 does not properly restrict access, which allows remote authenticated users to bypass intended role restrictions and perform arbitrary JMX operations via unspecified vectors.

• CVE-2012-3557 – Opera before 11.65 does not properly restrict the reading of JSON strings, which allows remote attackers to perform cross-domain loading of JSON resources and consequently obtain sensitive information via a crafted web site.

• CVE-2012-2680 – Cumin before 0.1.5444, as used in Red Hat Enterprise Messaging, Realtime, and Grid (MRG) 2.0, does not properly restrict access to resources, which allows remote attackers to obtain sensitive information via unspecified vectors related to (1) “web pages,” (2) “export functionality,” and (3) “image viewing.”

• CVE-2009-2631 – Multiple clientless SSL VPN products that run in web browsers, including Stonesoft StoneGate; Cisco ASA; SonicWALL E-Class SSL VPN and SonicWALL SSL VPN; SafeNet SecureWire Access Gateway; Juniper Networks Secure Access; Nortel CallPilot; Citrix Access Gateway; and other products, when running in configurations that do not restrict access to the same domain as the VPN, retrieve the content of remote URLs from one domain and rewrite them so they originate from the VPN’s domain, which violates the same origin policy and allows remote attackers to conduct cross-site scripting attacks, read cookies that originated from other domains, access the Web VPN session to gain access to internal resources, perform key logging, and conduct other attacks. NOTE: it could be argued that this is a fundamental design problem in any clientless VPN solution, as opposed to a commonly-introduced error that can be fixed in separate implementations. Therefore a single CVE has been assigned for all products that have this design.

• CVE-2002-2170 – Working Resources Inc. BadBlue Enterprise Edition 1.7 through 1.74 attempts to restrict administrator actions to the IP address of the local host, but does not provide additional authentication, which allows remote attackers to execute arbitrary code via a web page containing an HTTP POST request that accesses the dir.hts page on the localhost and adds an entire hard drive to be shared.

Failure to Restrict Web Resources exploits

  • Insecure Direct Object References (IDOR): This is a common vulnerability that occurs when a web application fails to properly validate user input and allows an attacker to access or modify sensitive data by directly manipulating object references.

  • Path Traversal: This is a vulnerability that occurs when a web application allows an attacker to access files outside of the intended directory by manipulating file paths or directory traversal sequences.

  • Broken Access Control: This is a broad category of vulnerabilities that occur when a web application fails to properly implement access controls, including authentication, authorization, and session management.

  • Cross-Site Request Forgery (CSRF): This is a vulnerability that occurs when a web application allows an attacker to execute unauthorized actions on behalf of a victim user by tricking the victim into clicking a malicious link or visiting a malicious website.

  • Insufficient Authorization: This is a vulnerability that occurs when a web application fails to properly implement authorization checks, allowing an attacker to gain unauthorized access to resources or perform unauthorized actions.

  • Unrestricted File Upload: This is a vulnerability that occurs when a web application allows an attacker to upload arbitrary files, which can lead to the execution of malicious code or the disclosure of sensitive information.

  • Business Logic Flaws: This is a vulnerability that occurs when a web application fails to properly implement business logic, leading to vulnerabilities such as authorization bypass, privilege escalation, or data manipulation.

  • Session Hijacking: This is a vulnerability that occurs when an attacker is able to steal or manipulate a user’s session identifier, allowing them to impersonate the user and gain unauthorized access to resources or perform unauthorized actions.

Practicing in test for Failure to Restrict Web Resources

Learn the basics: Understand what Failure to Restrict Web Resources is, how it occurs, and what the potential impact is. Familiarize yourself with common attack vectors and vulnerabilities.

Select a testing methodology: Choose a testing methodology that suits your needs and objectives. For example, you might use a manual approach, an automated tool, or a combination of both.

Identify test cases: Develop a list of test cases that covers common attack vectors and vulnerabilities related to Failure to Restrict Web Resources. This might include testing for path traversal, IDOR, insecure access controls, CSRF, and other relevant vulnerabilities.

Perform testing: Conduct testing using the test cases you have identified. Record any vulnerabilities or issues that you encounter, including the severity and impact.

Report findings: Create a report that details your findings, including the vulnerabilities you identified, their severity, and any recommendations for remediation.

Remediate issues: Work with the relevant stakeholders to remediate any identified vulnerabilities or issues. Verify that the remediation was effective and repeat testing as necessary.

Stay current: Keep up to date with new vulnerabilities and attack vectors related to Failure to Restrict Web Resources. Regularly assess and test web applications to ensure that they remain secure.

For study Failure to Restrict Web Resources

OWASP: The Open Web Application Security Project (OWASP) is a non-profit organization that provides resources and tools for web application security. They have a comprehensive guide on the Top 10 web application security risks, including Failure to Restrict Web Resources.

Web Application Hacker’s Handbook: This book by Dafydd Stuttard and Marcus Pinto is a comprehensive guide to finding and exploiting web application vulnerabilities, including Failure to Restrict Web Resources.

PortSwigger’s Web Security Academy: PortSwigger is the company behind the popular web application security tool, Burp Suite. Their Web Security Academy provides free online training on web application security, including Failure to Restrict Web Resources.

Hacker101: This is a free online training platform provided by HackerOne, a popular bug bounty platform. They offer a variety of training modules on web application security, including Failure to Restrict Web Resources.

YouTube: There are many YouTube channels that offer tutorials and training on web application security. Some popular channels include LiveOverflow, InfosecIreland, and OWASP.

Capture the Flag (CTF) competitions: Participating in CTF competitions is a great way to practice your skills in a safe and controlled environment. Many CTFs include web application security challenges that can help you develop your understanding of Failure to Restrict Web Resources.

Books with review of Failure to Restrict Web Resources

Web Application Security: A Beginner’s Guide by Bryan Sullivan and Vincent Liu – This book covers the basics of web application security, including access control, and provides practical guidance for securing web applications.

OWASP Testing Guide by OWASP – This guide provides a comprehensive framework for testing web applications for security vulnerabilities, including access control.

The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws by Dafydd Stuttard and Marcus Pinto – This book covers a wide range of web application security topics, including access control, and provides practical guidance for testing and exploiting vulnerabilities.

Professional Penetration Testing: Creating and Operating a Formal Hacking Lab by Thomas Wilhelm – This book covers the fundamentals of penetration testing, including access control testing, and provides practical guidance for setting up and running a penetration testing lab.

The Basics of Web Hacking: Tools and Techniques to Attack the Web by Josh Pauli – This book covers the basics of web hacking, including access control testing, and provides practical guidance for testing and exploiting vulnerabilities.

Real-World Bug Hunting: A Field Guide to Web Hacking by Peter Yaworski – This book provides real-world examples of web vulnerabilities, including access control issues, and provides practical guidance for finding and exploiting vulnerabilities.

Hacker’s Playbook 3: Practical Guide To Penetration Testing by Peter Kim – This book covers practical techniques for penetration testing, including access control testing, and provides guidance for building and executing effective penetration testing strategies.

Web Security Testing Cookbook by Paco Hope and Ben Walther – This book provides practical recipes for testing web application security, including access control, and provides guidance for building effective testing strategies.

Black Hat Python: Python Programming for Hackers and Pentesters by Justin Seitz – This book covers the basics of Python programming for hacking and penetration testing, including techniques for testing access control.

Gray Hat Hacking: The Ethical Hacker’s Handbook by Daniel Regalado, Shon Harris, and Allen Harper – This book provides a comprehensive guide to ethical hacking, including access control testing, and provides practical guidance for finding and exploiting vulnerabilities in web applications.

List of payloads Failure to Restrict Web Resources

  • Directory traversal payload: ../, ../../, ../../../, and so on.

  • Insecure direct object reference (IDOR) payload: changing the ID parameter in the URL to access other users’ data.

  • Authentication bypass payload: manipulating cookies, modifying HTTP headers, or using default credentials.

  • Parameter manipulation payload: changing parameters in the URL or form data to bypass access controls or perform unauthorized actions.

  • SQL injection payload: using SQL injection techniques to retrieve, modify or delete data.

  • Cross-Site Request Forgery (CSRF) payload: crafting a malicious HTML form that submits a request to the target site, exploiting the user’s existing authenticated session.

  • Remote file inclusion (RFI) payload: including remote files by manipulating user input.

  • Local file inclusion (LFI) payload: including local files by manipulating user input.

  • Path traversal payload with null byte (%00): using a null byte to bypass input validation and access files outside of the web root directory.

  • Brute force payload: attempting to guess valid usernames, passwords or other sensitive information.

How to be protected from Failure to Restrict Web Resources

  1. Implement proper access controls: Ensure that access controls are implemented correctly and restrict access to resources based on user permissions.

  2. Use proper input validation: Validate all input from users and ensure that it meets expected criteria. This can help prevent injection attacks and other types of exploitation.

  3. Sanitize output: Ensure that output is sanitized to prevent injection attacks and other types of exploitation.

  4. Implement secure session management: Implement proper session management to ensure that users are properly authenticated and that their sessions are secure.

  5. Follow secure coding practices: Use secure coding practices when developing web applications, such as avoiding hard-coded passwords, using prepared statements to prevent SQL injection, and encrypting sensitive data.

  6. Keep software up to date: Keep all software used in the web application up to date with the latest security patches and updates.

  7. Conduct regular security assessments: Regularly conduct security assessments of web applications to identify vulnerabilities and take action to remediate them.

  8. Use a web application firewall (WAF): Use a WAF to help protect against known vulnerabilities and to block attacks.

  9. Educate users: Educate users on safe web browsing practices and encourage them to use strong passwords and to report any suspicious activity.

Conclusion

Failure to Restrict Web Resources is a common web application security vulnerability that can lead to unauthorized access and exposure of sensitive information. It can occur when an application does not properly restrict access to its resources, allowing unauthorized users to access data or perform actions that they should not be able to.

To prevent this type of vulnerability, it is important to implement proper access controls, use proper input validation and output sanitization, implement secure session management, follow secure coding practices, keep software up to date, conduct regular security assessments, use a web application firewall (WAF), and educate users on safe web browsing practices.

Mitigations for this vulnerability are mainly centered around implementing proper access controls, and ensuring that inputs are validated and outputs are sanitized. By following these best practices, web applications can be better secured against Failure to Restrict Web Resources vulnerabilities and other types of attacks.

Other Services

Ready to secure?

Let's get in touch