What is unauthorized access vulnerability

What is an unauthorized access vulnerability?

Unauthorized access (Broken Access Control, BAC for short) is a common vulnerability in web applications. Because it is so widespread and so damaging, OWASP ranks it second among the top ten web application security risks.
The vulnerability is a flaw in the application's authorization check: after obtaining a low-privilege user account, an attacker can use some method to bypass the authorization check and access or operate on other users' data or higher-privilege functions. The root cause is usually that the developer over-trusts the data sent by the client when adding, deleting, modifying and querying records, and omits the permission check.

Vulnerability classification

  • Horizontal unauthorized access vulnerability
    Horizontal unauthorized access is a vulnerability caused by a design flaw in "data-based access control": the server side receives the requested data and performs the operation without determining which user or department the data belongs to.

Two accounts A and B have the same level of authority. After logging in, A can use some method, such as passing B's ID in the request, to view B's data. This is horizontal unauthorized access.

  • Vertical unauthorized access vulnerability
    Vertical unauthorized access is a vulnerability caused by a design flaw in "URL-based access control", also known as a privilege escalation attack.

Many systems enforce access control only at the display level (which menus and links are shown); the back end does not actually verify permissions. Once a low-privilege account is logged in, it can reach URLs it has no permission for simply by guessing the URL.

Development level understanding

From the developer's point of view, the two vulnerabilities above correspond to two kinds of permission:

  • Horizontal unauthorized access == data permissions

  • Vertical unauthorized access == menu (function) permissions

  • When designing horizontal (data) permissions, key data must not be supplied by the front end.
    For example, when querying an order by order number and user ID, you must verify the user ID, and the user ID may only be obtained from the back end (the logged-in session), never from the request. If order numbers are sequential they will be guessed, and without a user ID check other people's order information will be returned as well. (A lesson paid for in blood: a colleague was once fired from the company over this.)

  • For vertical (menu) permissions, most management systems are built on RBAC permission management, and permissions must be assigned strictly through the permission-control system.
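As an added illustration of the two rules above (example code, not from the original post), the following Python sketch compares an order lookup that trusts a client-supplied user ID with one that takes the identity from the server-side session, and adds a back-end role check for an admin-only function. The in-memory order store, the `Session` class and the role table are constructed for the example.

```python
# Added example: data-permission (horizontal) and menu-permission (vertical)
# checks done on the back end. ORDERS, ROLES and Session are constructed here.
from dataclasses import dataclass

# Constructed sample data: sequential order numbers, two ordinary users, one admin.
ORDERS = {
    1001: {"owner": "alice", "item": "laptop"},
    1002: {"owner": "bob", "item": "phone"},
}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}


@dataclass
class Session:
    """Server-side session: user_id was set at login and cannot be chosen by the client."""
    user_id: str


class Forbidden(Exception):
    pass


def get_order_vulnerable(order_id: int, user_id_from_request: str) -> dict:
    """Horizontal flaw: the ownership check compares against a user_id the client
    sent, so the client can name any owner and walk the sequential order numbers."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user_id_from_request:
        raise Forbidden("not your order")
    return order


def get_order(session: Session, order_id: int) -> dict:
    """Hardened: the owner is compared against the session identity only.
    Unknown and foreign orders raise the same error, so ids cannot be probed."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != session.user_id:
        raise Forbidden("not your order")
    return order


def list_all_orders(session: Session) -> dict:
    """Vertical check: the role is verified on the back end for every call,
    whether or not the admin menu item was rendered in the UI."""
    if ROLES.get(session.user_id) != "admin":
        raise Forbidden("admin only")
    return ORDERS


def allowed(fn, *args) -> bool:
    """Demonstration helper: True if the call passed the permission check."""
    try:
        fn(*args)
        return True
    except Forbidden:
        return False
```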


Source: blog.csdn.net/a807719447/article/details/113181258