Project Simple: ST-98

Web Security : Insufficient Authorization


    Details

    • Type: Enhancement
    • Status: Closed
    • Priority: High
    • Resolution: Done
    • Component/s: BenAdmin
    • Labels:
      None
    • Module:
      BenAdmin - Security
    • Reported by:
      Support
    • Item State:
      Production Complete - Closed
    • Sprint:
      ST Sprint 2

      Description

      Vulnerability Description: The software does not perform or incorrectly performs an authorization check when a user attempts to access sensitive resources.

      Impact:
      Missing or inconsistent authorization controls allow users to access data or perform actions that they should not be allowed to access or execute. This can lead to a wide range of problems, including horizontal and vertical privilege escalation issues.

      Praetorian identified this issue by discovering 1095-C report retrieval endpoints designed to be accessible only to a specific user. The engineer, acting as an unauthenticated user, directly navigated to those endpoints to gain unauthorized access to a user’s 1095-C zip file. This finding is demonstrated in the figure below. Additionally, the naming schemes for these files do not contain enough entropy to prevent successful guessing by an intelligent adversary. The file names are 26 characters long, with the only variation in naming being the time requested and a 4-digit identifier. The time requested could be forced by an adversary (e.g. sending a request link to a user) or predictable (e.g. many employees may request this file during tax season), and the remaining 4 digits could be determined by guessing all possible 4 digit combinations.

      Recommendation
      All sensitive and privileged areas of an application should implement authorization controls to prevent unauthorized access. Developers should neither assume that “hiding” sensitive areas of an application is sufficient to protect privileged resources, nor should they make authorization decisions based on parameters that a malicious user can easily tamper with.
      In order to prevent horizontal and vertical privilege escalation, the application should verify the following components when validating a request:
      1. Subject (e.g. user or group)
      2. Action (e.g. CRUD - create, read, update, delete)
      3. Object (e.g. data element - account number, shopping cart ID, etc.)
      Normally, the session management system of the underlying development framework will provide the necessary instrumentation for developing a solid authorization system. Once a user authenticates to a remote application, he or she is typically assigned a session identifier or token that is cryptographically secure with sufficient entropy and length. This session identifier/token is used to authenticate each user request for the duration of the transient session. When making authorization decisions, the application maps the session identifier/token to the user and his/her associated roles and privileges. Correct implementation of these components can successfully prevent both horizontal and vertical privilege escalation attacks throughout the application.
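The following is an added example, not code from the BenAdmin application or from this issue, showing the subject/action/object check the recommendation describes applied to a 1095-C report download. It assumes a server-side session table keyed by a high-entropy token (generated with Python's `secrets` module), a hypothetical `benefits_admin` role that is permitted to read any employee's report, and constructed sample users, reports and file names. The flawed pattern (serving a file to whoever supplies its name) is shown beside the hardened one, which resolves the object from the authenticated subject's identity and checks the permission before touching the file store.

```python
import secrets
from dataclasses import dataclass, field

class AuthorizationError(Exception):
    """Raised for unauthenticated, forbidden and not-found cases alike,
    so a caller cannot tell whether a report exists."""

@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset = field(default_factory=frozenset)

# Constructed sample data (placeholders, not data from the issue).
USERS = {
    "emp-1001": User("emp-1001"),
    "emp-1002": User("emp-1002"),
    "admin-1": User("admin-1", frozenset({"benefits_admin"})),  # hypothetical role
}

# Hardened store: keyed by the OBJECT (the employee the 1095-C belongs to).
REPORTS = {
    "emp-1001": b"PK...1095-C zip for emp-1001",
    "emp-1002": b"PK...1095-C zip for emp-1002",
}

# Flawed store, as the finding describes: keyed by a client-visible file name
# whose only variable parts are a timestamp and a short numeric id (constructed).
FILES_BY_NAME = {
    "1095C_20240131_0001.zip": REPORTS["emp-1001"],
    "1095C_20240131_0002.zip": REPORTS["emp-1002"],
}

# Server-side session table: opaque token -> user id. Tokens never encode
# the user or their role, so there is nothing for a client to tamper with.
SESSIONS: dict[str, str] = {}

def login(user_id: str) -> str:
    """Issue a session token after authentication (authentication itself is
    assumed to have happened; it is not shown here)."""
    if user_id not in USERS:
        raise AuthorizationError("unknown user")
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    SESSIONS[token] = user_id
    return token

def subject_from_session(token) -> User:
    """Map the session token back to the subject; no token, no subject."""
    user_id = SESSIONS.get(token or "")
    if user_id is None:
        raise AuthorizationError("unauthenticated")
    return USERS[user_id]

def is_permitted(subject: User, action: str, object_owner: str) -> bool:
    """Subject / action / object decision. Employees may read only their own
    report; the benefits_admin role may read any report; nothing else is allowed."""
    if action != "read":
        return False
    return subject.user_id == object_owner or "benefits_admin" in subject.roles

def get_1095c_unchecked(filename: str) -> bytes:
    """The flawed pattern: whoever names the file receives it. Kept only to
    contrast with get_1095c below; nothing here checks who is asking."""
    return FILES_BY_NAME[filename]

def get_1095c(token, employee_id: str) -> bytes:
    """The hardened endpoint: identify the subject from the session, decide
    on (subject, read, employee_id) first, and only then look up the object."""
    subject = subject_from_session(token)
    if not is_permitted(subject, "read", employee_id):
        raise AuthorizationError("forbidden")
    report = REPORTS.get(employee_id)
    if report is None:
        raise AuthorizationError("forbidden")  # same error as the forbidden case
    return report

def is_denied(token, employee_id: str) -> bool:
    """True when get_1095c refuses the request (used for checks and tests)."""
    try:
        get_1095c(token, employee_id)
    except AuthorizationError:
        return True
    return False

if __name__ == "__main__":
    own = login("emp-1001")
    other = login("emp-1002")
    admin = login("admin-1")
    print("owner reads own report:", get_1095c(own, "emp-1001") == REPORTS["emp-1001"])
    print("admin reads any report:", get_1095c(admin, "emp-1002") == REPORTS["emp-1002"])
    print("other employee denied (horizontal):", is_denied(other, "emp-1001"))
    print("no session denied:", is_denied(None, "emp-1001"))
    print("unchecked path leaks regardless of caller:", len(get_1095c_unchecked("1095C_20240131_0001.zip")) > 0)
```

Note that `get_1095c` takes the employee id, not a file name, and that the permission check runs before the report lookup and returns the same error whether the report is missing or forbidden; with that ordering, guessing file names buys an unauthenticated caller nothing, which is the point of the recommendation rather than a replacement for adding entropy to the names.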

            People

            Assignee:
            venkatesh.pujari Venkatesh Pujari (Inactive)
            Reporter:
            vijayendra Vijayendra Shinde (Inactive)
            Developer:
            Vijayendra Shinde (Inactive)