OWASP

Course
Time
4 hours 32 minutes
Difficulty
Beginner
CEU/CPE
24

Video Transcription

00:01
Hi, everyone. Welcome back to the core. So in the last video, we wrapped up our lab on XML External entities or X x e.
00:08
In this video, we're gonna talk about broken access control. Now, I just want to give you a quick reminder that for all the labs, with the exception of the Capstone one, all the labs will have a step by step guide, but that's available to download in the supplement of Resource is section. Also, all these power points are available there as well. In addition to that
00:27
carry LeBlanc who's one of the th on this particular course? We're teaching assistants. He created some awesome practice questions. So be sure to download a CZ Well, all in the supplement of resource is section.
00:40
So just a quick pre assessment question here to get us started. David was visiting his favorite website about cute kittens. I mean, like, who doesn't like that? Right
00:47
On a curiosity, he decided check of the side is vulnerable in regard to access control. So what? So we could test for broken access controls. Which one of these is not a way that he could test for broken access control
01:00
or as if he said, answer a D that is correct. So disabling Web server directory listings is actually way to help prevent against a risk of broken access, control and all the other items or ways that you can see if you're vulnerable to access control issues.
01:19
So we're learning objectives again. As usual, we talk about the risk grading. First, we'll move into, like, what is broken isis control. How do we check for it? Wasted mitigated. What kind of impact it has, etcetera, etcetera.
01:30
So the rating system here you old is you'll notice, like only one like major thing under the technical impact. So you know, again, the main thing there is since we're
01:40
using someone else's credentials in some respect, right? Like we're not having that re authenticated. Say, yeah, I am an admin. We're basically just logging in its ourselves as a user. And then we're able to go do all sorts of things, like deleting accounts, actually seeing other accounts, updating records, the leading records, all sorts of stuff.
02:00
So, as I mentioned, you know, we're not restricting the user and the situation where we have broken access control, we're not restricting the user So essentially the authenticated user. So they've authenticated. But what we're strips them are restrictions on them. It's not being properly enforced. So I may set you up and say, like, Yeah, you know,
02:20
your account will only have this access, but it's actually not being enforced by either the system for ourselves,
02:23
a cz humans.
02:27
And, as I mentioned, that could lead to things like privilege escalation. So, for example, from a regular user, I can log in as myself, and then I can escalate and pretend I'm an admin. No,
02:38
with that aspect of having that access now, it puts a risk of, you know, data as well. So you may delete my data. You may alter the data et cetera,
02:46
and then, you know, this may give you access to sensitive files, right? So if you pretend you're an admin, if you're able to get that access than now, you may back have access to a lot of intellectual property or other sensitive files for the company
03:00
so isn't prevalent. Well, yes, it's it's prevalent, mostly because it's difficult to run like automated detection, you know, and then also ah, a lot of times application developers are lacking functional testing for these particular vulnerabilities, so they may not catch everything
03:17
out the door. And again, that's why we need to get more automated tools out there. So we could make this a lot easier,
03:23
and we will probably find a lot more instances of it. Hopefully by the next will not hopefully, right? I don't want it to occur, by the way, but we may see it higher on the list the next time around. The whole lost produces a list
03:38
also, You know,
03:38
changing the http method is somewhat common by Attackers. So what That means, you know, you're changing it from, say, get versus put, you know, something like that where we're instead of us, you know, pulling information. We're pushing information. So as an attacker, we're pushing information to the Web server
03:58
and then, you know, direct our object references as well.
04:01
So how to check? So what can we do to check this stuff? How do we know we're vulnerable to it?
04:06
If we could modify the you are ill, that's that's one indication s. So if we could modify the euro l and then all of a sudden we can access you know, like an administrator Kim an administrator account or, you know, like password files or something like that. Then we definitely know that we're vulnerable to that. If we could do key changing key changing
04:25
from there. Once we've done these things, if we can escalate privileges
04:29
if you know we can Ultimate data Or, you know, even if we can change around like once we've authenticated can we change around different pages and then get authenticated at somebody else as we have changing around the different pages. So that's something else to keep in mind as well.
04:44
So the impact, you know, as I mentioned a few times, privilege escalation. So that way, you know, I I as an attacker could pretend on you. And it's killing my friend privileges because you're an administrator and I want that access.
04:58
It is a mention with the data. You know they can. They can create data. They can upload it, taken delete data, they concur, just corrupt it if they want to. So all these aspects, or why it's important for us to mitigate against this risk.
05:09
So speaking of mitigation or prevention, we want to deny by default, we also want to make sure we have proper access controller that we're using strong access control in place. We want a disabled Web server Directory listings, as I mentioned before, also log any failure. So he failed. Log in attempts, especially if they're failed. Logan attempts for like an admin account,
05:29
my cheri love those and are taking action on those
05:30
and then a value and validating Jason Webb tokens as well. There's another method that we can use.
05:39
So just a quick post assessment question here. Ways to prevent against broken isis control include all the following except
05:49
all right. So if he said cooking tampering, you are correct. So again, an attacker will be altering or tampering with the cookie to try to break in. But we would not be doing that as a defender. Rule. Try to forgive, to prevent against this.
06:04
All right, so in this video we talked about broken access control
06:08
in the next video. Where did go over our lab on broken access control So you could see what some of the topics we talked about actually look like in the real world

Up Next

OWASP

Established in 2001, the Open Web Application Security Project (OWASP) offers free security tools and resources to help organizations protect critical apps. Cybrary’s OWASP training course covers the organization’s popular “Top 10” risk assessment.

Instructed By

Instructor Profile Image
Ken Underhill
Master Instructor at Cybrary
Master Instructor