Description

Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.

Examples

The attacker simply force browses to target URLs. Consider the following URLs which are both supposed to require authentication. Admin rights are also required for access to the "admin_getappInfo" page.

http://example.com/app/getappInfo
http://example.com/app/admin_getappInfo

If the attacker is not authenticated and access to either page is granted, then unauthorized access was allowed. If an authenticated non-admin user is allowed to access the "admin_getappInfo" page, this is a flaw, and it may lead the attacker to more improperly protected admin pages.

Such flaws are frequently introduced when links and buttons are simply not displayed to unauthorized users, but the application fails to protect the pages they target.

Mitigation

Preventing unauthorized URL access requires selecting an approach for requiring proper authentication and proper authorization for each page. Frequently, such protection is provided by one or more components external to the application code. Regardless of the mechanism(s), all of the following are recommended:

  • The authentication and authorization policies should be role based, to minimize the effort required to maintain these policies.
  • The policies should be highly configurable, in order to minimize any hard-coded aspects of the policy.
  • The enforcement mechanism(s) should deny all access by default, requiring explicit grants to specific users and roles for access to every page.
  • If the page is involved in a workflow, check to make sure the conditions are in the proper state to allow access.
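The following is an added example, not code from this page, showing how the four recommendations above combine into one deny-by-default, role-based check run for every request. The policy table, the "review_complete" workflow state and the Session fields are constructed assumptions for illustration; the two URLs are the ones discussed above.

```python
from __future__ import annotations
import posixpath
from dataclasses import dataclass, field

# Constructed policy table (assumption): each protected path lists the roles that
# are explicitly granted. Any path absent from this table is denied outright.
POLICY: dict[str, set[str]] = {
    "/app/getappInfo": {"user", "admin"},
    "/app/admin_getappInfo": {"admin"},
}

# Constructed workflow precondition (assumption): the admin page is only
# reachable once the caller's workflow has reached the "review_complete" step.
WORKFLOW_REQUIRED: dict[str, str] = {"/app/admin_getappInfo": "review_complete"}


@dataclass
class Session:
    authenticated: bool = False
    roles: set[str] = field(default_factory=set)
    workflow_state: str = ""


def authorize(path: str, session: Session) -> tuple[bool, str]:
    """Return (allowed, reason). Everything is denied unless an explicit grant matches."""
    # Normalise the path so "/app/../app/admin_getappInfo" and "//app/admin_getappInfo"
    # are compared against the same policy entry as "/app/admin_getappInfo".
    path = posixpath.normpath("/" + path.lstrip("/"))

    # 1. Authentication is checked on every page, not only where a link is shown.
    if not session.authenticated:
        return False, "unauthenticated"

    # 2. Deny by default: a URL with no grant is unreachable even for admins.
    allowed_roles = POLICY.get(path)
    if allowed_roles is None:
        return False, "no grant for path"

    # 3. Role-based authorization: the caller needs at least one granted role.
    if not (session.roles & allowed_roles):
        return False, "role not granted"

    # 4. Workflow pages additionally require the expected state.
    required_state = WORKFLOW_REQUIRED.get(path)
    if required_state and session.workflow_state != required_state:
        return False, "workflow state not satisfied"

    return True, "ok"
```

Hooking `authorize` in as a single pre-request filter (rather than inside each page handler) is what keeps a newly added page from being exposed simply because nobody remembered to add a check to it.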