Managing the Application
Any useful application needs to be managed and administered, and this facility often forms a key part of the application's security mechanisms, providing a way for administrators to manage user accounts and roles, access monitoring and audit functions, perform diagnostic tasks, and configure aspects of the application's functionality.
In many applications, administrative functions are implemented within the application itself, accessible through the same web interface as its core nonsecurity functionality, as shown in Figure 2-8. Where this is the case, the administrative mechanism represents a critical part of the application's attack surface. Its primary attraction for an attacker is as a vehicle for privilege escalation, for example:
■ Weaknesses in the authentication mechanism may enable an attacker to gain administrative access, effectively compromising the entire application.
■ Many applications do not implement effective access control of some of their administrative functions. An attacker may find a means of creating a new user account with powerful privileges.
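The second point above, shown as an added example that is not from the book: a minimal in-memory application with an administrative "create user" function, first without any authorization check (only "is the caller logged in?" and the requested role taken from the request), then hardened so the server-side session role is checked on every call, unknown privilege levels are refused, and denied attempts are written to an audit log. The `App`, `Session` and function names are constructed for this illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Session:
    """Server-side session record; the client cannot change `role`."""
    user: str
    role: str

@dataclass
class App:
    users: dict = field(default_factory=dict)       # username -> role
    audit_log: list = field(default_factory=list)   # recorded decisions

    def create_user_weak(self, session: Optional[Session],
                         username: str, role: str) -> bool:
        # Weak: any authenticated session reaches the administrative
        # function, and the privilege level is copied from the request.
        if session is None:
            return False
        self.users[username] = role
        return True

    def create_user_hardened(self, session: Optional[Session],
                             username: str, role: str) -> bool:
        # Hardened: the administrative function itself enforces access
        # control, using the role stored server-side, not a request field.
        if session is None or session.role != "admin":
            caller = session.user if session else "<anonymous>"
            self.audit_log.append(f"DENIED create_user by {caller} "
                                  f"(requested role={role!r})")
            return False
        # Refuse privilege levels the application does not define.
        if role not in ("user", "admin"):
            self.audit_log.append(f"REJECTED unknown role {role!r} "
                                  f"from {session.user}")
            return False
        self.users[username] = role
        self.audit_log.append(f"OK {session.user} created {username} "
                              f"as {role}")
        return True
```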