{% extends "./layout.html" %} {% block title %}A7-Missing Function Level Access Control{% endblock %} {% block content %}

<div class="row">

<div class="col-lg-12">

<div class="bs-example" style="margin-bottom: 40px;">

<span class="label label-danger">Exploitability: EASY</span>

<span class="label label-warning">Prevalence: COMMON</span>

<span class="label label-warning">Detectability: AVERAGE</span>

<span class="label label-warning">Technical Impact: MODERATE</span>

</div>

</div>

</div>

<div class="row">

<div class="col-lg-12">

<div class="panel panel-info">

<div class="panel-heading">

<h3 class="panel-title">Description</h3>

</div>

<div class="panel-body">

Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed.

</div>

</div>

<div class="panel panel-info">

<div class="panel-heading">

<h3 class="panel-title">Attack Mechanics</h3>

</div>

<div class="panel-body">

<p>If requests are not verified for access rights on server, attackers can forge requests in order to access functionality without proper authorization.</p>

<iframe width="560" height="315" src="//www.youtube.com/embed/ej6NCVd1Fo4?rel=0" frameborder="0" allowfullscreen></iframe>

<p>In the insecure demo application, this vulnerability exists in benefits module, which allows changing benefit start date for employees. The link to the benefits module is visible only to the admin user (user: admin, password: Admin_123). However, an attacker can access this module simply by logging in as any non-admin user and accessing <a id="benefits-menu-link" target="_blank" href="/benefits">benefits url</a> directly.

</div>

</div>

<div class="panel panel-info">

<div class="panel-heading">

<h3 class="panel-title">How Do I Prevent It?</h3>

</div>

<div class="panel-body">

Most web applications don’t display links and buttons to unauthorized functions, but this “presentation layer access control” doesn't actually provide protection. You must also implement checks in the controller or business logic.

</div>

</div>

<div class="panel panel-info">

<div class="panel-heading">

<h3 class="panel-title">Source Code Examples</h3>

</div>

<div class="panel-body">

In vulnerable application, there is no authorization check for benefits related routes in

<code>routes/index.js</code>

<pre>

// Benefits Page

app.get("/benefits", isLoggedIn, benefitsHandler.displayBenefits);

app.post("/benefits", isLoggedIn, benefitsHandler.updateBenefits);

</pre>

<p>This can be fixed by adding a middleware to verify user's role:</p>

<pre>

// Benefits Page

app.get("/benefits", isLoggedIn, isAdmin, benefitsHandler.displayBenefits);

app.post("/benefits", isLoggedIn, isAdmin, benefitsHandler.updateBenefits);

</pre>

<p>To implement

<code>isAdmin</code>middleware, check if isAdmin flag is set for the logged in user in database.

<br/>For example, here is middleware function that can be added to

<code>routes\session.js</code>:</p>

<pre>

this.isAdminUserMiddleware = function(req, res, next) {

if (req.session.userId) {

userDAO.getUserById(req.session.userId, function(err, user) {

if(user && user.isAdmin) {

next();

} else {

return res.redirect("/login");

}

});

} else {

console.log("redirecting to login");

return res.redirect("/login");

}

};

</pre> It can be then made available in

<code>routes/index.js</code>router as:

<pre>

var SessionHandler = require("./session");

//Middleware to check if user has admin rights

var isAdmin = sessionHandler.isAdminUserMiddleware;

</pre>

</div>

</div>

</div>

</div>

{% endblock %}