Often there is a simple solution to avoid vulnerabilities. SQL injections can be avoided by using a secure library for making SQL queries. XML External Entity (XXE) can be avoided by securely initializing the XML processor. And numerous other examples.


However, access control is not included in this group. Application access control is usually not particularly difficult, but it is incredibly easy to make one critical mistake and jeopardize the security of the entire application. Problems related to access control are also easy for an attacker to find and exploit.


Identification refers to the process of requesting some form of identification information from the user, such as a username and password, which can be used to verify that the user is who they claim to be.

Session management refers to the process of securely transporting the user's identity between the browser and the server once the user has been authenticated, so that the user does not have to enter their username and password again every time they click on something on the page.


Access control, or authorization, refers to the process when an application makes a decision whether a certain user is allowed to do/see something or not.


The following examples are access control decisions:

It is important to remember that the user of the application is not limited to the application's user interface. The application user is limited to the HTTP interface provided by the application, and a user interface has been created to facilitate its use.


This means that it is extremely important for the application to take care of access control on the server, not just on the client side. It does not matter for access control purposes what menus are visually selectable in the application. The only thing that matters is what the code on the server does with the HTTP request that comes from the user.

Open the application and try to make a bank transfer. You can find IBAN addresses to which transfers can be made on the "Contacts" tab. What does the HTTP request look like? Can you select an IBAN number as the sender of the bank transfer that does not belong to you from the user interface? What if you try to change the number directly in the HTTP request?

In this lab, you get to practice bypassing access control, when the application mistakenly relies solely on the access control in the visible user interface.

A bank robbery

Because the possibility of human error in access control controls is so high, it is important that the functionality of access control is tested in unit and integration tests. For example:

Can the operation be performed if the user has not authenticated at all?

Can the operation be performed if logged in as a user who should not have access to the information?

Can the operation be performed if logged in with a user who should not have permissions for the operation?

Koska pääsynhallintakontrolleissa inhimillisen virheen mahdollisuus on niin suuri, on tärkeää että yksikkö- ja integraatiotesteissä testataan pääsynhallinnan toimivuus. Esim: 

Pystyykö toiminnon suorittamaan jos ei ole tunnistautunut lainkaan?

Pystyykö toiminnon suorittamaan jos on kirjautunut käyttäjällä jolla ei pitäisi olla oikeuksia tietoon?

Pystyykö toiminnon suorittamaan jos on kirjautunut käyttäjällä jolla ei pitäisi olla oikeuksia toimintoon?

Test your access control!

Testaa pääsynhallintakontrollisi!

## Challenging problem

Often there is a simple solution to avoid vulnerabilities. SQL injections can be avoided by using a secure library for making SQL queries. XML External Entity (XXE) can be avoided by securely initializing the XML processor. And numerous other examples.

However, access control is not included in this group. Application access control is usually not particularly difficult, but it is incredibly easy to make one critical mistake and jeopardize the security of the entire application. Problems related to access control are also easy for an attacker to find and exploit.

---

## What is access management?

Identification refers to the process of requesting some form of identification information from the user, such as a username and password, which can be used to verify that the user is who they claim to be.

Session management refers to the process of securely transporting the user's identity between the browser and the server once the user has been authenticated, so that the user does not have to enter their username and password again every time they click on something on the page.

Access control, or authorization, refers to the process when an application makes a decision whether a certain user is allowed to do/see something or not.

The following examples are access control decisions:

- Can user X see user X's information?
- Can user X delete user Y's data?
- Can user X use function Y?

---

## Appearance can be deceiving

It is important to remember that the user of the application is not limited to the application's user interface. The application user is limited to the HTTP interface provided by the application, and a user interface has been created to facilitate its use.

This means that it is extremely important for the application to take care of access control on the server, not just on the client side. It does not matter for access control purposes what menus are visually selectable in the application. The only thing that matters is what the code on the server does with the HTTP request that comes from the user.

---

## Exercise

Open the application and try to make a bank transfer. You can find IBAN addresses to which transfers can be made on the "Contacts" tab. What does the HTTP request look like? Can you select an IBAN number as the sender of the bank transfer that does not belong to you from the user interface? What if you try to change the number directly in the HTTP request?

@exercise 78a32f9fea38

@embed 185b9c4b57e5


Koska pääsynhallintakontrolleissa inhimillisen virheen mahdollisuus on niin suuri, on tärkeää että yksikkö- ja integraatiotesteissä testataan pääsynhallinnan toimivuus. Esim: 

- Pystyykö toiminnon suorittamaan jos ei ole tunnistautunut lainkaan?
- Pystyykö toiminnon suorittamaan jos on kirjautunut käyttäjällä jolla ei pitäisi olla oikeuksia tietoon?
- Pystyykö toiminnon suorittamaan jos on kirjautunut käyttäjällä jolla ei pitäisi olla oikeuksia toimintoon?

Access control - Often the Weakest Link in Application Security

Development is developing and thanks to modern application frameworks, traditional injection vulnerabilities or authentication problems are constantly being seen less and less. However, there is one thing that seems to always remain as difficult to implement safely, and that is the access control of a complex application.

Development is evolving and thanks to modern application frameworks, traditional injection vulnerabilities or authentication problems are seen less and less frequently. However, one thing that always seems to remain equally difficult to implement securely is complex application access control.

Access control - Often the Weakest Link in Application Security

Challenging problem

Learn to hack — start here