Attackers can, in some cases, get around logic put in place to 'guard'
sensitive functionality or data.
The attack may involve gaining access to and calling protected
functionality (or accessing protected data) directly, may involve subverting
some aspect of the guard's implementation, or may involve outright removal
of the guard, if possible.
Attack Execution Flow
1. The attacker determines, through brute-forcing, reverse-engineering or
other similar means, the location and logic of the guard element.
2. The attacker then tries to determine the mechanism to circumvent the
guard.
3. Once the mechanism has been determined, the attacker proceeds to access
the protected functionality.
Attack Prerequisites
The Attacker must have reverse-engineered the application and its design
extensively enough to have determined that a guard element exists. This may
have been done as simply as through probing (and likely receiving too
verbose an error message) or could have involved high-brow techniques
supported by advanced reverse engineering/debugging tools.
Typical Likelihood of Exploit
Likelihood: Medium
Examples-Instances
Description
Attacker uses click-through exploration of a Servlet-based website to
map out its functionality, taking note of its URL-naming conventions and
Servlet mappings. Using this knowledge and guessing the Servlet name of
functionality they're not authorized to use, the Attacker directly
navigates to the privileged functionality around the authorizing
single-front controller (implementing programmatic authorization
checks).
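The following is an added example, not code from the CAPEC entry: a minimal model of the Servlet-style dispatch just described. The servlet names, URL mappings and roles are constructed for illustration. dispatch_controller_only places the authorization guard in the front controller alone, so a request that names the servlet mapping directly never meets the guard; dispatch_with_filter applies the same check on every request, keyed on the servlet that will actually run, which is the placement a defender wants.

```python
# Added example (not part of the CAPEC entry). Servlet names, paths and
# roles below are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    roles: set = field(default_factory=set)


def report_servlet(req):
    return "report"


def admin_servlet(req):
    return "admin"


# Container-level mapping of servlet names to code, and the role each needs.
SERVLETS = {"ReportServlet": report_servlet, "AdminServlet": admin_servlet}
REQUIRED_ROLE = {"ReportServlet": "user", "AdminServlet": "admin"}


def authorized(servlet_name, req):
    return REQUIRED_ROLE.get(servlet_name) in req.roles


def front_controller(req, servlet_name):
    """Programmatic authorization check performed only by the controller."""
    if servlet_name not in SERVLETS:
        return 404, ""
    if not authorized(servlet_name, req):
        return 403, ""
    return 200, SERVLETS[servlet_name](req)


def resolve(path):
    """Map a request path to (servlet_name, reached_via_controller)."""
    if path.startswith("/app?page="):
        return path[len("/app?page="):], True
    if path.startswith("/servlet/"):
        return path[len("/servlet/"):], False
    return None, False


def dispatch_controller_only(req):
    """Guard lives in the front controller only. The container also maps
    /servlet/<Name> straight to the servlet, so such a request skips it."""
    name, via_controller = resolve(req.path)
    if name is None or name not in SERVLETS:
        return 404, ""
    if via_controller:
        return front_controller(req, name)
    return 200, SERVLETS[name](req)  # reached without any authorization check


def dispatch_with_filter(req):
    """Same mappings, but a filter checks authorization on every request
    against the servlet that will actually run, before any servlet code."""
    name, via_controller = resolve(req.path)
    if name is None or name not in SERVLETS:
        return 404, ""
    if not authorized(name, req):
        return 403, ""
    return 200, SERVLETS[name](req)
```

A user holding only the "user" role is refused AdminServlet through the controller under both dispatchers, but reaches it through the direct mapping under dispatch_controller_only and is refused under dispatch_with_filter. The point is that the guard must sit on the path every request takes, not on one entry point among several.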
Description
Attacker reverse-engineers a Java binary (by decompiling it) and
identifies where license management code exists. Noticing that the
license manager returns TRUE or FALSE as to whether or not the user is
licensed, the Attacker simply overwrites both branch targets to return
TRUE, recompiles, and finally redeploys the binary.
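As an added example, not code from the CAPEC entry, the following contrasts a license guard that is nothing more than a client-side boolean (which a patched binary can make answer TRUE) with a server-side check of an HMAC-signed license that the client cannot forge. The key, user names and plan names are constructed for the demonstration; the patched_is_licensed function models the rewritten branch targets described in the example.

```python
# Added example (not part of the CAPEC entry). Key and license data are
# constructed for illustration only.
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key-not-a-real-secret"


class ClientLicenseManager:
    """Client-side guard of the kind the example describes: feature code
    trusts a single boolean returned from this method."""

    def __init__(self, licensed):
        self._licensed = licensed

    def is_licensed(self):
        return self._licensed


def client_feature(manager):
    """Feature gated only by the client-side boolean."""
    if not manager.is_licensed():
        return "denied"
    return "premium"


def patched_is_licensed(self):
    # Models the rewritten branch targets: always answers TRUE.
    return True


def issue_license(user, plan):
    """Server issues a license token: payload plus an HMAC over it."""
    payload = json.dumps({"user": user, "plan": plan}, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + tag


def verify_license(token):
    """Server-side guard: only a token carrying a valid MAC is accepted.
    Returns the claims, or None if the token is malformed or forged."""
    try:
        payload_hex, tag = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(payload)


def server_feature(token):
    """Feature gated server-side; the client's own opinion is never consulted."""
    claims = verify_license(token)
    if claims is None or claims.get("plan") != "premium":
        return "denied"
    return "premium"
```

Rebinding ClientLicenseManager.is_licensed to patched_is_licensed is enough to unlock client_feature, which is the whole weakness of a client-resident guard. server_feature accepts only a token whose MAC verifies under the server's key, so a client that claims a premium plan without a matching tag gets "denied" regardless of what its local license manager returns.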
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Medium
The attacker must have the ability to understand complex design logic, as
well as possibly the ability to reverse-engineer the design and code to
determine the placement and logic of the guard element.
Resources Required
The attacker needs the ability to explore the application's functionality and
response to various conditions.
In cases where the guard component sits server-side, the attacker will likely
require a valid login.
In the case that guard functionality exists client-side, the attacker will
likely require reverse-engineering tools, such as a disassembler.
Probing Techniques
Attackers may confine their probing to something as simple as exploring an
application's functionality and its underlying mapping to server-side
components, and still succeed. For this to succeed, the Attacker will likely
need a valid login.
At the other extreme, Attackers capable of reverse engineering client code
will have the ability to remove functionality or identify the whereabouts of
sensitive data through whitebox analysis, such as review of
reverse-engineered code.
OWASP Top Ten 2007 Category A10 - Failure to Restrict URL Access (Targeted)
Related Vulnerabilities
Vulnerability ID | Relationship | Description
CVE-2007-0968 | | Unspecified vulnerability in Cisco Firewall Services Module (FWSM) before 2.3(4.7) and 3.x before 3.1(3.1) causes the access control entries (ACE) in an ACL to be improperly evaluated, which allows remote authenticated users to bypass certain intended ACL protections.
CVE-2007-0802 | | Mozilla Firefox 2.0.0.1 allows remote attackers to bypass the Phishing Protection mechanism by adding certain characters to the end of the domain name, as demonstrated by the "." and "/" characters, which is not caught by the Phishing List blacklist filter.
VU#258834 | | WebEOC ties privileges and roles to client-side resources. If an attacker can access a resource directly, that attacker will be granted all the privileges associated with that resource.
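The CVE-2007-0802 entry above describes a guard subverted by input the guard never normalized. The following added example, not code from the CAPEC entry or from Mozilla, shows a URL blocklist lookup that compares the literal host and path, beside one that canonicalizes both first (lowercase host, trailing dots removed, repeated slashes collapsed, "." and ".." segments resolved). The blocklisted entry is constructed; the canonicalization goes a little beyond the two characters named in the CVE text to cover the other trivial variants of the same idea.

```python
# Added example (not part of the CAPEC entry). The blocklist entry is
# constructed for illustration.
import re
from urllib.parse import urlsplit

# Blocklist keyed on (host, path), as a phishing list might be.
BLOCKLIST = {("evil.example", "/login")}


def naive_lookup(url):
    """Compares the host and path exactly as they appear in the URL."""
    parts = urlsplit(url)
    return (parts.hostname, parts.path) in BLOCKLIST


def canonical(url):
    """Return (host, path) in a single canonical form so that variants such
    as a trailing '.' on the host or extra '/' in the path compare equal."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")          # strip trailing dots
    path = re.sub(r"/+", "/", parts.path or "/")        # collapse '//' runs
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                                     # drop empty and '.' segments
        if seg == "..":
            if segments:
                segments.pop()                           # resolve '..'
            continue
        segments.append(seg)
    return host, "/" + "/".join(segments)


def hardened_lookup(url):
    """Canonicalize before consulting the blocklist."""
    return canonical(url) in BLOCKLIST
```

naive_lookup misses "http://evil.example./login" and "http://evil.example//login/" even though both reach the same resource as the listed entry; hardened_lookup catches them because every variant collapses to ("evil.example", "/login") before the comparison. The general lesson for any guard that matches on names is to canonicalize the way the consumer of the name will, then compare.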
Vision and Technical Leadership provided by Cigital, Inc.
This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.