Introduction
Authorization testing is an essential part of system security: it checks that every user, whether an outsider or a legitimate account holder, can reach only the resources and functions they are meant to.
In this article, I will discuss what authorization is, the main tasks of authorization, authorization strategies, and examples of authorization testing based on the OWASP web security testing guide.
What is Authorization
Authorization is the process of deciding whether a given subject may access a resource or perform an action. It follows authentication, the process that verifies who the subject is, so the two are closely linked: an authorization decision is only as trustworthy as the identity it is based on.
Together, authentication and authorization let system managers control who has access to system resources and what privileges each client holds.
Main Tasks of Authorization
- Building on a verified user identity
Authorization itself does not verify who the user is; that is the job of authentication. It takes the authenticated identity as its input, so that only verified users are considered for access at all and every decision is made for a known subject rather than an anonymous request.
- Providing limited access
Authorization limits users' access to only those resources that are relevant and appropriate to their needs (the principle of least privilege). For example, system administrators may have broader access than regular users, but even they are restricted to certain actions to protect system integrity.
- Defining access rights
Authorization is also responsible for determining each user's access rights: the right to read, write, update, or delete information. This ensures that users can only perform actions that match the rights they have been granted.
Authorization Strategies
There are several authorization strategies that can be used in application development or security systems, including:
- Role-based authorization: users are granted access to resources based on their role or access level. Each role has a predefined set of permissions, and users can only access resources authorized for their role. For example, an administrator can edit and delete data, while a regular user can only view it.
- Attribute-based authorization: access is granted based on attributes of the user, such as location, department, or time of access. Access rights become more flexible and can be tied to conditions, for example allowing certain resources only while the user is in the office.
- Context-based authorization: access is granted based on the context or situation in which the request is made. For example, users can only access certain resources from a particular location or from a particular (for instance, company-managed) device.
- Data-based authorization: access is granted based on properties of the data being accessed, such as who owns the record or how it is classified. For example, a user can read a record but can edit or delete only records that belong to them.
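As an added illustration (not code from the original article), the decision function below combines the four strategies in one place: a role permission table, attribute checks on department, location and time of day, a device-trust context check, and an ownership check on the data itself. The roles, attribute values and office hours are assumptions chosen for the example, and it goes slightly beyond the text by letting a regular user edit records they own. Every strategy must agree before access is granted; anything not explicitly allowed is denied.

```python
from dataclasses import dataclass
from datetime import time
from typing import Dict, Set

# Role-based: each role maps to a fixed permission set (assumed values).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "admin": {"read", "edit", "delete"},
    "user": {"read", "edit"},
}

BUSINESS_HOURS = (time(9, 0), time(18, 0))  # assumed office hours


@dataclass(frozen=True)
class Subject:
    name: str
    role: str
    department: str
    location: str          # attribute: "office" or "remote"
    managed_device: bool   # context: request comes from a managed device


@dataclass(frozen=True)
class Resource:
    owner: str             # data-based: the user the record belongs to
    department: str
    classification: str    # "public" or "confidential"


def is_authorized(subject: Subject, action: str, resource: Resource, now: time) -> bool:
    """Default-deny decision: every strategy must agree before access is granted."""
    # 1. Role-based: the action must be in the role's permission set.
    #    An unknown role has no permissions at all.
    if action not in ROLE_PERMISSIONS.get(subject.role, set()):
        return False

    # 2. Attribute-based: confidential records are limited to the owning
    #    department, from the office, during business hours.
    if resource.classification == "confidential":
        if subject.department != resource.department:
            return False
        if subject.location != "office":
            return False
        if not (BUSINESS_HOURS[0] <= now < BUSINESS_HOURS[1]):
            return False

    # 3. Context-based: changes are only accepted from a managed device.
    if action in {"edit", "delete"} and not subject.managed_device:
        return False

    # 4. Data-based: non-admins may only change records they own.
    if action in {"edit", "delete"} and subject.role != "admin":
        if resource.owner != subject.name:
            return False

    return True


if __name__ == "__main__":
    bob = Subject("bob", "user", "finance", "office", True)
    print(is_authorized(bob, "edit", Resource("bob", "finance", "public"), time(10)))    # own record
    print(is_authorized(bob, "edit", Resource("alice", "finance", "public"), time(10)))  # someone else's
```

The order of the checks matters only for performance, not for the result, because each one can only turn a grant into a denial; that is what makes the function default-deny.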
Authorization Testing
The OWASP Web Security Testing Guide contains an authorization testing section. It can be used as a checklist for whether a website or application properly restricts what an attacker, or an over-curious legitimate user, is able to reach.
The testing examples below use the Burp Suite tool and follow the OWASP test categories.
1. Testing for Directory Traversal / File Include
Directory traversal is a web security vulnerability that allows attackers to read arbitrary files on the server running an application. This may include application code and data, credentials for back-end systems, and sensitive operating system files. In some cases, attackers may also be able to write to arbitrary files on the server, allowing them to change the data or behavior of the application and ultimately take full control of the server. The same class of flaw applies to file-include parameters, where the supplied value is loaded and executed rather than merely returned.
Example:
By changing the parameter value to ../../../etc/passwd, the request is made to walk out of the directory the application intended. If the response contains the contents of that file, the parameter is vulnerable to directory traversal.
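To show where the flaw lives and what the fix looks like, here is an added example (not code from the original article) of a file-download handler: a naive join that simply appends the user-supplied name to a base directory, next to a hardened version that resolves the path and refuses anything outside the base. The base directory and its one sample file are constructed in a temporary directory for the example.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional

# Constructed sample: a base directory holding one legitimate download.
BASE_DIR = tempfile.mkdtemp(prefix="transcripts-")
Path(BASE_DIR, "10.txt").write_text("transcript 10\n")


def vulnerable_path(filename: str) -> str:
    """Joins the user-supplied value onto the base directory with no containment
    check; '../../../etc/passwd' simply walks up and out of BASE_DIR."""
    return os.path.normpath(os.path.join(BASE_DIR, filename))


def safe_path(filename: str) -> Optional[str]:
    """Resolves the requested name and refuses anything outside BASE_DIR."""
    if "\x00" in filename:               # null bytes can truncate paths in C-level APIs
        return None
    base = os.path.realpath(BASE_DIR)    # realpath also resolves symlinks in the base itself
    # os.path.join discards the base entirely if filename is absolute,
    # so the containment check below is what actually protects us.
    candidate = os.path.realpath(os.path.join(base, filename))
    # commonpath compares whole components, so a sibling directory whose name
    # merely starts with the base name is still rejected.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def escapes_base(filename: str) -> bool:
    """True when the naive join leaves BASE_DIR: the condition a traversal probe detects."""
    base = os.path.realpath(BASE_DIR)
    resolved = os.path.realpath(vulnerable_path(filename))
    return os.path.commonpath([base, resolved]) != base


def read_download(filename: str) -> Optional[str]:
    """Hardened download handler: returns file contents, or None if denied or missing."""
    path = safe_path(filename)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    for probe in ("10.txt", "../../../etc/passwd", "/etc/passwd"):
        print(probe, "escapes base:", escapes_base(probe), "safe_path:", safe_path(probe))
```

When testing, remember that the web server or framework URL-decodes the parameter before it reaches code like this, so probes such as ..%2f or ..%252f in Burp are testing the decoding layers in front of the handler as well as the handler itself.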
2. Testing for Bypassing Authorization Schema
Authorization Schema is a set of rules and mechanisms used to determine who has access to certain data or resources in an information system. The authorization scheme ensures that only users who have the appropriate authority can access or modify such data or resources.
This kind of test focuses on verifying how the authorization schema has been implemented for each role or privilege to get access to reserved functions and resources.
Example:
The first request was intercepted with Burp Suite; the result is shown below.
By changing the URL from /download-transcript/10.txt to /download-transcript/1.txt, the server returns a 200 response and displays another user's credential data, including a password, as shown below, so an attacker can take over that account.
The example above is how a hacker can get into someone else’s resources by bypassing the authorization scheme.
3. Testing for Privilege Escalation
Privilege Escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from the application or user.
Example:
Privilege escalation is vertical when a user gains a higher privilege level (for example, a regular user reaching administrator functions) and horizontal when a user reaches the resources of another user at the same privilege level. The example below is horizontal privilege escalation: the attacker first logs in with his own account, wiener, then changes the id parameter in the URL to carlos and gains access to carlos's account.
4. Testing for Insecure Direct Object References
Insecure Direct Object References (IDOR) is a security flaw in web applications that allows attackers to access information or resources that should not be visible or accessible to them. It occurs because the application looks an object up by a user-controlled identifier (a number in the URL, a filename, a username) without checking that the requesting user is entitled to that object, so an attacker can manipulate URLs or parameters to reach other users' resources. IDOR can give attackers access to confidential information, let them modify data, or perform other unauthorized actions.
Although the name is different, IDOR testing follows the same approach as testing for bypassing the authorization schema: take an identifier that refers to another user's object, substitute it into an otherwise valid request, and check whether the server enforces ownership or only relies on the identifier being hard to guess.
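The three tests in sections 2, 3 and 4 (bypassing the authorization schema, horizontal and vertical privilege escalation, and IDOR) all come down to the same check: replay each request under every account and compare the result with what the design says should be allowed. The added example below (not code from the original article) simulates a small application with the /download-transcript/<id>.txt, /my-account?id=<user> and /admin routes from the examples above, in a vulnerable form that trusts the identifier in the URL and a fixed form that checks ownership and role server-side, then runs an access-control matrix over both. The users, transcript ownership and routes are constructed for the example.

```python
import re
from itertools import product
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample users and objects (not taken from the article or any real system).
USERS: Dict[str, str] = {"wiener": "user", "carlos": "user", "administrator": "admin"}
TRANSCRIPTS: Dict[int, str] = {1: "carlos", 10: "wiener"}  # transcript id -> owning user

TRANSCRIPT_RE = re.compile(r"^/download-transcript/(\d+)\.txt$")
ACCOUNT_RE = re.compile(r"^/my-account\?id=([a-z]+)$")

# The access-control matrix: every (session user, URL) pair that SHOULD succeed.
# Anything not listed must be denied. The tester derives this from the
# application's design, independently of how the handlers are implemented.
URLS = [
    "/download-transcript/1.txt", "/download-transcript/10.txt",
    "/my-account?id=wiener", "/my-account?id=carlos", "/my-account?id=administrator",
    "/admin",
]
ALLOWED: Set[Tuple[str, str]] = {
    ("wiener", "/download-transcript/10.txt"), ("wiener", "/my-account?id=wiener"),
    ("carlos", "/download-transcript/1.txt"), ("carlos", "/my-account?id=carlos"),
    ("administrator", "/my-account?id=administrator"), ("administrator", "/admin"),
}

Handler = Callable[[str, str], int]


def handle_vulnerable(session_user: str, url: str) -> int:
    """Looks objects up by the identifier in the URL alone; the session user is
    never consulted. This is the IDOR / authorization-bypass pattern."""
    m = TRANSCRIPT_RE.match(url)
    if m:
        return 200 if int(m.group(1)) in TRANSCRIPTS else 404
    m = ACCOUNT_RE.match(url)
    if m:
        return 200 if m.group(1) in USERS else 404
    if url == "/admin":
        return 200  # "protected" only by not being linked from the normal UI
    return 404


def handle_fixed(session_user: str, url: str) -> int:
    """Same routes with server-side ownership (horizontal) and role (vertical) checks."""
    m = TRANSCRIPT_RE.match(url)
    if m:
        owner = TRANSCRIPTS.get(int(m.group(1)))
        if owner is None:
            return 404
        return 200 if owner == session_user else 403
    m = ACCOUNT_RE.match(url)
    if m:
        if m.group(1) not in USERS:
            return 404
        return 200 if m.group(1) == session_user else 403
    if url == "/admin":
        return 200 if USERS.get(session_user) == "admin" else 403
    return 404


def run_matrix(handler: Handler) -> List[Tuple[str, str, int]]:
    """Replays every (user, URL) combination and reports deviations from ALLOWED:
    a 200 where access should be denied, or a non-200 where it should succeed."""
    findings = []
    for user, url in product(USERS, URLS):
        status = handler(user, url)
        should_pass = (user, url) in ALLOWED
        if should_pass != (status == 200):
            findings.append((user, url, status))
    return findings


if __name__ == "__main__":
    for name, handler in (("vulnerable", handle_vulnerable), ("fixed", handle_fixed)):
        print(name, run_matrix(handler))
```

Against a real target the same loop is driven with each account's session cookie through Burp, and the matrix is the artifact worth keeping: it documents what was tested, not just what was found. One design choice to note in the fixed handler is that it answers 403 for an object that exists but belongs to someone else and 404 for one that does not, which lets an attacker enumerate valid identifiers; applications that care about that return 404 in both cases.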