Chapter 8  ■ Attacking Access Controls  223

simply set it in his own requests and thereby gain access to administrative

functions.

This type of access control may sometimes be difficult to detect without

actually using the application as a high-privileged user and identifying what

requests are made. The techniques described in Chapter 4 for discovering hid-

den request parameters may be successful in discovering the mechanism

when working only as an ordinary user.

In other unsafe access control models, the application uses the HTTP

Referer

header as the basis for making access control decisions. For example,

an application may strictly control access to the main administrative menu,

based on a user’s privileges. But when a user makes a request for an individ-

ual administrative function, the application may simply check whether this

request was referred from the administrative menu page and assume that, if

so, then the user must have accessed that page and so have the required priv-

ileges. This model is fundamentally broken, of course, because the 

Referer

header is completely within the control of the user and can be set to any value

at all. 

Download 5,76 Mb.

Do'stlaringiz bilan baham: