Testing the possibility of circumvention of the authenticity mechanism

Attempts to bypass the authenticity mechanism are intended to verify that it is possible to access resources not intended for the user in an unauthorized manner. You can use Burp Suite to test these types of errors,and the tests themselves should include checking the following:

  • attempt to bypass the authentication process by directly refering to the test resource. For example, when you sign in, the application you are testing provides the user with confidential documents to download. The pentester should check whether, knowing the direct link to the document (for example, www.faktury.pl/zbiordokumentow/faktura2018.pdf),it is unable to download it without prior authorization;
  • attempt to modify resource and session parameters. In WEB applications, it often happens that verifying whether a given user should have access to a resource is based on session parameters. Modifying these parameters may cause a low-privileged user to gain access to unauthorized data. For example, a session cookie contains admin=0. Pentester should verify that after modifying this field to admin = 1, it will not gain access to new functionalities or information.
  • attempt to predict the session ID. The value responsible for assigning a given session to a given user should not only be unique, but also unpredictable. The pentester's task is to verify that consecutively generated session IDs are characterized by sufficiently high entropy to prevent the attacker from predicting them;

In one of the applications tested, it was possible to obtain unauthorized information about users' invoices by predicting the address at which they are located: server/Media/Documents/invoices/invoice1.pdf. Finding the invoices of subsequent users of the application consisted in enumeration of the invoice number located at the end of the url.

enumeration of the invoice number at the end of the url

Chcesz wiedzieć więcej?

Zapisz się i bądź informowany o nowych postach (zero spamu!). Dodatkowo otrzymasz, moją prywatną listę 15 najbardziej przydatnych narzędzi (wraz z krótkim opisem), których używam przy testach penetracyjnych.

Nigdy nie podam, nie wymienię ani nie sprzedam Twojego adresu e-mail. W każdej chwili możesz zrezygnować z subskrypcji.

Bookmark the permalink.

Share your opinion about the article.