Web application security - the fast guide 1.1 | Page 120
Chapter 6 - Attack execution (2)
Authorization is the process of giving someone permission to do or have something;
it defines how access is controlled, in terms of what is accessed and by whom.
In authorization we can talk about three types of authority:
1- Vertical authority: the level of access to specific functionality that is set
for each type of user; an example is the difference in authority between an
administrator and a normal user.
2- Horizontal authority: this type of authority controls access within the same
functionality; for example, having the authority to access the web mail
functionality does not mean the ability to access any email account.
3- Contextual authority: this type of authority is related to the current
application state, which can be explained from the perspective of a multistage
process where the available functionalities are determined by the present
state.
Attacks on these concentrate accordingly on breaking the access control using
three methods:
Vertical privilege escalation: the focus in this method is to gain a higher
level of access belonging to a more privileged type of user.
Horizontal privilege escalation: the attacker tries to compromise resources to
which he is not entitled, for example reading other people's e-mail in a web
mail application.
Business logic exploitation: tries to exploit a flaw in the application's
state machine to gain access to an important resource. For example, a
user may be able to bypass the payment step in a shopping checkout
sequence.
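The three authority types above map to three distinct server-side checks. The following is an added illustration (not code from the book) of what a correctly enforcing back end looks like for the book's own two scenarios, a web mail account and a shopping checkout; the user, role, mailbox and checkout-state data are constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample data standing in for a web mail + shop back end.
ROLES = {"alice": "user", "bob": "user", "root": "admin"}
MAILBOX_OWNER = {"inbox-1": "alice", "inbox-2": "bob"}

# Contextual rule table: each checkout action names the state it requires
# and the state it moves to. "confirm" is only reachable from "paid".
CHECKOUT_FLOW = {
    "add_items": ("empty", "cart"),
    "pay": ("cart", "paid"),
    "confirm": ("paid", "done"),
}


class AccessDenied(Exception):
    pass


def require_admin(user):
    """Vertical check: only the admin role may reach admin functionality."""
    if ROLES.get(user) != "admin":
        raise AccessDenied(f"{user} lacks the admin role")
    return True


def read_mailbox(user, mailbox_id):
    """Horizontal check: web mail access does not grant access to every mailbox,
    so ownership of the requested mailbox is verified on every request."""
    if MAILBOX_OWNER.get(mailbox_id) != user:
        raise AccessDenied(f"{user} does not own {mailbox_id}")
    return f"contents of {mailbox_id}"


@dataclass
class Checkout:
    """Contextual check: a checkout state machine that refuses out-of-order steps,
    so a request for 'confirm' cannot bypass 'pay'."""
    state: str = "empty"

    def step(self, action):
        if action not in CHECKOUT_FLOW:
            raise AccessDenied(f"unknown action {action}")
        required, nxt = CHECKOUT_FLOW[action]
        if self.state != required:
            raise AccessDenied(f"{action} not allowed in state {self.state}")
        self.state = nxt
        return self.state


def try_action(fn, *args):
    """Run a check and report 'allowed' or 'denied' instead of raising."""
    try:
        fn(*args)
        return "allowed"
    except AccessDenied:
        return "denied"
```

Calling `try_action(Checkout().step, "confirm")` returns "denied" because the state machine still requires the payment step, which is the contextual control the business logic attack above relies on being absent.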
Attack requirements:
A. Different privileges for different users on functionalities.
B. Different privileges for different users on resources.
C. The functionalities used by privileged users are in the same application,
which also contains its configuration and monitoring.
Attack Process:
A. Configure Burp as a proxy and disable interception, then browse all the
application's content within one user context. If the target is to test
vertical access controls, the higher-privileged account should be used.
B. Make sure all functionalities are mapped by checking Burp's site map.
C. Use the context menu to select the "compare site maps" feature.
D. To select the second site map to be compared, you can either load it
from a Burp state file or have Burp dynamically re-request the first site
map in a new session context.
E. To test horizontal access controls between users of the same type, you
can simply load a state file you saved earlier,