Attack access control

From the technical point of view, logical ultra vires means that there are defects in access control . The following attacks on access control are logical ultra vires .
Request from client ,Web The application should recognize the following two points ：

• Verify user identity
• The confirmation request sequence is proposed by the user
  Based on these two points ,web The server decides whether to allow a request to perform a specific operation or access the resources it requests . Access control is an important defense mechanism for applications , Because it is responsible for making these key decisions . If there are defects in visiting Confucius , Attackers can often break through the entire application , Control its management functions and access sensitive data belonging to other users .

Concept

Access control vulnerability ： The application allows an attacker to perform an operation that the attacker is not qualified to perform
The differences between various vulnerabilities can actually be attributed to the differences in the way these core vulnerabilities are expressed , And the difference between the skills they need to use .

classification

Access control can be divided into three categories ：

• Vertical access control
• Horizontal access control
• Context sensitive access control

     Vertical access control allows different users to access different functions of the application . For example, you are CSDN Check out my article , If you don't like it , You can't take my article off the shelf , This is the authority of the administrator . In this case , Applications define ordinary users and administrators through this control
     Horizontal access control allows users to access a group of the same type 、 Extremely extensive resources . You are a CSDN user , I am also CSDN user ,, What we can do on this is the same .
     Context sensitive access control ensures that it is based on the current state of the application , Restrict user access to only allowed content . For example, in a certain process , Users need to complete multiple stages of operation , Context sensitive access control can prevent users from accessing these stages in a specified order .

If the user can access the functions or resources he does not have permission to access , It means that there are defects in access control , That is, there is a logical ultra vires loophole . There are mainly three types of attacks targeting access control , They correspond to three kinds of access control respectively ：

1. Vertical permission promotion ： A user can perform a function , But the role assigned to him does not have this permission . That is, ordinary users perform the actions of administrators
2. Increase the level of authority ： A user can view or modify resources of the same level that he is not qualified to view or modify . If you can edit my article
3. Business logic loopholes ： Users can take advantage of vulnerabilities in the application state machine to gain access to key resources . For example, users can avoid the payment steps in the shopping settlement sequence

actual combat

pikachu The level is beyond authority

The level is beyond authority , That is to use my account , Check the learning resources of your account . See Tips , A user kobe、lucy.

1. Sign in kobe account number
2. As shown in the figure above , use burpsuite Grab the bag “ Check the information ”
   
3. take kobe Change it to lucy, return lucy Information about
   

Reference resources

Almost copy 《 The classic of hacker attack and Defense Technology Web Actual combat 》