Ways of Improper Access Control

3477 words (14 pages) Essay

8th Feb 2020, Computer Science



Abstract—This paper describes the different ways in which web servers, application servers and databases are improperly accessed, and the various ways of preventing such access. We also cover access control in J2EE applications, broken access control and recent attacks.

Keywords—introduction, recent attacks, access control in code.

I.     Introduction

Access control is a security process that regulates which resources users may use, based on predefined attributes, and is part of the AAA (Authorization, Authentication, Accounting) security model [1].

A.    Authorization

Authorization ensures that the user is registered and is permitted to access the resource being requested; permissions are granted to the user on that basis. If a user is not properly authorized, problems such as information exposure, denial of service and arbitrary code execution can follow [2].

B.    Authentication

The authentication process always takes place at the start of the application, before any access-permission check occurs and before any code is allowed to execute. Many systems require different credentials to verify a user's identity. Such a credential is usually a password, shared secretly between the individual user and the system. Users can be authenticated by three categories of factor: something the person knows, something the person is, and something the person has.

Authentication can be divided into two steps: identification and genuine authentication. In identification the user provides information, typically a user ID, to the security system. The system associates the confirmed user with an entity that has been granted certain rights, and the user must then present proof of identity to the security system. This process of verifying the user's identity by checking user-provided information is called authentication [3].

C.    Accountability

Accountability tracks the activities performed by users.

Access control can fail in either of two places:

  •         Specification: incorrect privileges, permissions, ownership, etc. are specified for either the user or the resource.
  •         Enforcement: the mechanism contains errors that prevent it from properly enforcing the specified access control requirements [4].

D.   Access Control Models

All modern systems use access control models to maintain and manage their security. Access control models are grouped into the following classes:

    Mandatory Access Control (MAC)

    Discretionary Access Control (DAC)

    Role Based Access Control (RBAC)

Mandatory Access Control (MAC): an access control model implemented in many operating systems, for example SELinux (since kernel 2.6), FreeBSD (since 5.0), SUSE Linux, Ubuntu and Microsoft Windows (starting with Vista). Under MAC a security policy administrator controls the entire security policy. Users cannot override the defined policy set or grant access to restricted objects. The policy is based on mandated regulations determined by a central authority.

Discretionary Access Control (DAC): the DAC model bases its decisions on the identity of the requesting user and on defined access rules that determine which actions are permitted. Access decisions depend on the credentials given to the user and can be manipulated within specified bounds. In most DAC implementations the owner of an object can modify its permissions and transfer ownership to others.

Role Based Access Control (RBAC): role-based policies control access to objects according to the roles a user holds within the system and the rules that define the access permissions for each role.

Discretionary and role-based policies also contain an "administrative policy" that defines which accounts may administer and control the access-management configuration [5].

II.    Access Control in J2EE Applications

In a distributed application the chance of making a mistake is quite high. One solution is to check access in each servlet/JSP; a more robust one is to use a single front-door servlet that performs the access control check. We also need the information on which access control decisions are based, and who is doing the accessing. One efficient way of representing this information is a matrix known as the "access control matrix".

An access control matrix lists users, groups and roles down the left-hand side and all resources and functions across the top. The matrix is a simple way to represent fairly complicated rules, and once it is complete it is a relatively simple matter to implement exactly the rules it describes. FNBO decided to use the standard J2EE authentication mechanisms built into JAAS so that role information would be available. With this in mind they came up with an initial set of roles:

  •         The administrative pages can be accessed only by Administrators.
  •         All public areas of the site can be accessed by Guests.
  •         Owners can access their accounts, move funds and review transactions.
  •         Users can view an Owner's account but cannot make changes.
  •         Planners can access the tax preparation and financial planning functions.
  •         Payers can use the site's bill-paying function.

All of these are captured in the access control matrix, which looks like the diagram below:

The diagram above is only an example of the overall approach, but it shows how users, capabilities, roles and assets are involved and how the rows and columns are chosen. If it is not possible to gain unauthorized access to your web site, the matrix has been implemented correctly [6].
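The matrix and front-door check described above, written out as an added example (this is not code from the essay or from the OWASP J2EE article; the role, resource and action names are assumptions modelled on the six role statements):

```python
# Added example: an access control matrix for the FNBO-style roles above
# and a single "front door" check that every request passes through.
# Role, resource and action names are assumptions based on the essay's list.
from dataclasses import dataclass, field

# Rows: roles. Columns: resources/functions. Cell: set of permitted actions.
# Anything not listed is denied (default deny).
ACCESS_MATRIX = {
    "Administrator": {"admin_pages": {"view", "modify"}, "public": {"view"}},
    "Guest":         {"public": {"view"}},
    "Owner":         {"public": {"view"},
                      "account": {"view", "transfer", "review_transactions"}},
    "User":          {"public": {"view"}, "account": {"view"}},
    "Planner":       {"public": {"view"},
                      "tax_prep": {"view", "modify"},
                      "financial_planning": {"view", "modify"}},
    "Payer":         {"public": {"view"}, "bill_pay": {"view", "pay"}},
}


@dataclass
class Principal:
    """The authenticated caller, with the roles JAAS would have attached."""
    user_id: str
    roles: set = field(default_factory=set)


def is_allowed(principal, resource, action):
    """True only if at least one of the caller's roles grants `action`
    on `resource`; unknown roles, resources or actions are denied."""
    for role in principal.roles:
        if action in ACCESS_MATRIX.get(role, {}).get(resource, set()):
            return True
    return False


def front_door(principal, resource, action, handler):
    """The 'front door servlet': authorize here, before any page-specific
    code runs, so checks are not scattered across individual servlets/JSPs.
    Returns an (HTTP status, body) pair."""
    if not is_allowed(principal, resource, action):
        return (403, "Forbidden")
    return (200, handler())
```

A later change to a role's rights is then a one-line edit of the matrix rather than a search through every page's code.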

III.   Broken Access Control

Access control grants some persons, but not others, access to web application data and functions. These checks are performed after authentication and govern what an authenticated user is allowed to do. Access control sounds simple, but it is difficult to implement properly. A web application's access control model is closely tied to the content and functions the site provides, and on top of this users usually fall into a number of different groups or roles with different capabilities and rights.

Developers have great difficulty implementing a complete access control mechanism in web application code. Many such mechanisms were never deliberately designed but have simply evolved along with the web site, and in those cases the access controls end up scattered in different locations all over the source code. The most important step is to think through the application's access control requirements and capture them in a web application security policy. We strongly suggest the use of an access control matrix to express the access control rules. Without documenting the security policy there is no definition of what it means for that site to be secure. The policy should document what kinds of users can access the system, and what functions and content each kind of user should be allowed to access.

The access control mechanism should be extensively tested to be sure that there is no way to bypass it. This testing requires a variety of accounts and repeated attempts to access unauthorized content or functions. Some specific access control issues include:

1)   Insecure IDs: most web sites use some form of id, key or index to refer to users, roles, content, objects or functions. If an attacker can guess these ids, and the supplied values are not validated to ensure they are authorized for the current user, the attacker can exercise the access control scheme freely to see what they can access. Web applications should not rely on the secrecy of any ids for protection.

2)   Mandatory Previously Browsed Access Control Checks: many web sites require users to pass certain checks before being granted access to URLs that are typically deep within the site. These checks must not be bypassable by a user who simply skips over the page with the security check.

3)   Path Traversal: this attack involves supplying relative path information (e.g., "../../target_dir/target_file") as part of a request for information. Such attacks attempt to access files that are normally not directly accessible, or that would be denied if requested directly. They can be submitted in URLs as well as in any other input that ultimately accesses a file (i.e., system calls and shell commands).

4)   File Permissions: many web and application servers rely on the access control lists provided by the file system of the underlying platform. Even when almost all information is stored on backend servers, there are always files stored locally on the web and application server that should not be publicly accessible, particularly configuration files and the default files and scripts installed on most web and application servers. Only files specifically intended to be presented to web users should be marked readable using the OS's permission mechanism; most directories should not be readable, and very few files, if any, should be marked executable.

5)   Client Side Caching: nowadays many people use shared computers in airports, schools and libraries. Browsers cache every web page, and an attacker can retrieve cached pages from such shared systems. Developers should use a variety of techniques, including HTTP headers and meta tags, to ensure that pages containing sensitive information are not cached by users' browsers.
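Issues 1 (insecure IDs) and 3 (path traversal) in the list above are both failures to validate a client-supplied reference before using it. The following added example, which is not from the essay or from OWASP, shows a document-download handler hardened against both; the storage root, record layout and document data are constructed for illustration.

```python
# Added example: a download handler that (a) checks the requested record id
# belongs to the current user, so guessing another id gains nothing, and
# (b) resolves the stored filename under a fixed base directory and rejects
# anything that escapes it. DOC_BASE and DOCUMENTS are constructed samples.
import posixpath

DOC_BASE = "/srv/app/docs"  # assumed storage root (constructed)

# Constructed records: document id -> (owner user id, relative filename).
# 1003 is a stored name that would escape the base if used blindly.
DOCUMENTS = {
    1001: ("alice", "2019/statement.pdf"),
    1002: ("bob", "2019/statement.pdf"),
    1003: ("bob", "../../etc/passwd"),
}


def safe_resolve(base, relative):
    """Return the normalised absolute path of `relative` under `base`, or
    None if it escapes (via '..', an absolute path, or a sibling directory
    such as 'docs-old' that a bare prefix test would accept). Any URL
    decoding of the input must happen before this check is applied."""
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, relative))
    if not candidate.startswith(base + "/"):
        return None
    return candidate


def authorize_document(current_user, doc_id):
    """Object-level check: the id must exist AND belong to the caller.
    Unknown and foreign ids are treated identically, so the response does
    not reveal which ids exist."""
    record = DOCUMENTS.get(doc_id)
    if record is None or record[0] != current_user:
        return None
    return record


def download(current_user, doc_id):
    """Returns (HTTP status, resolved path or None)."""
    record = authorize_document(current_user, doc_id)
    if record is None:
        return (404, None)
    path = safe_resolve(DOC_BASE, record[1])
    if path is None:
        return (403, None)
    return (200, path)
```

Note that 1001 and 1002 share the same filename: the ownership check, not the filename, is what separates the two users' data.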

There are application-layer security components that can assist with the correct enforcement of some parts of your access control scheme. As with parameter validation, such a component is only effective if it is configured with a strict definition of which access requests are valid for your site. When using such a component you must be careful to understand exactly what access control assistance it provides given your site's security policy, and which parts of the policy it cannot handle; those parts must then be properly handled in your own custom code.

For administrative functions, the primary recommendation is never to allow administrator access through the front door of the web site if at all possible. Given the power of these interfaces, most organizations should not accept the risk of making them accessible to outside attack. If remote administrator access is absolutely required, it can be provided without opening the front door of the site: VPN technology can give an outside administrator access to the internal company (or site) network, from which the administrator can reach the site through a secured backend connection [7].

IV.   What It Can Do

When any of the AAA security model mechanisms is not applied or otherwise fails, attackers can compromise the security of the software by:

•          Gaining elevated privileges.

•          Reading otherwise restricted information.

•          Executing commands.

•          Bypassing implemented security mechanisms.

V.    Recent Attacks

Breach at the Internal Revenue Service, a United States federal government body, 2015.

•          Hackers obtained credentials and used them to log in.

•          The IRS did not have adequate access controls to prevent the 'authenticated' attackers from impersonating legitimate users and manipulating the systems.

•          The attackers were able to file fraudulent tax returns and received $50 million in government pay-outs before the attack was detected [8].

Cambridge Analytica Facebook Data Scandal.

•          Cambridge Analytica collected personally identifiable information on 87 million Facebook users (reportedly a much greater number), beginning in 2014.

•          The data was allegedly used on behalf of the politicians who hired them in an attempt to influence voter opinion.

•          Facebook later apologized amid public outcry, which resulted in a rise in its stock price.

•          The moral of the story is that Facebook had put no real access control in place beforehand to protect user data [9].

•          The way in which Cambridge Analytica collected the data was considered and described as "inappropriate".

•          This was later addressed by applying the policies of the GDPR.

VI.   What We Should Be Worried About

All application servers, web applications and web servers need to be kept up to date at all times. Even if a web application is static, if it is not configured properly then hackers could gain access to some of its files and deface the site or do other harm [10].

References

[1]      High-Tech Bridge SA (CH), "Improper Access Control", 2015. [Online]. Available: https://www.htbridge.com/vulnerability/improper-access-control.html

[2]      CWE, "Improper Authorization", 2015 (accessed 2018). [Online]. Available: https://cwe.mitre.org/data/definitions/285.html

[3]      Economic Times, "Authentication", 2018. [Online]. Available: https://economictimes.indiatimes.com/definition/authentication

[4]      CWE, "Improper Authorization", 2015 (accessed 2018). [Online]. Available: https://cwe.mitre.org/data/definitions/285.html

[5]      High-Tech Bridge SA (CH), "Improper Access Control", 2015. [Online]. Available: https://www.htbridge.com/vulnerability/improper-access-control.html

[6]      Jeff Williams (Aspect Security), "Access Control in Your J2EE Application", 2009. [Online]. Available: https://www.owasp.org/index.php/Access_Control_In_Your_J2EE_Application

[7]      OWASP, "Broken Access Control", 2010. [Online]. Available: https://www.owasp.org/index.php/Broken_Access_Control

[8]      Kevin McCoy, "Cyber attack got access to over 700,000 IRS accounts", 2016. [Online]. Available: https://eu.usatoday.com/story/money/2016/02/26/cyber-hack-gained-access-more-than-700000-irs-accounts/80992822/

[9]      Sarah Frier, "Facebook's latest breach", 2018. [Online]. Available: https://www.bloomberg.com/news/articles/2018-10-01/facebook-s-latest-breach-not-the-same-as-cambridge-analytica

[10]     OWASP, "Broken Access Control", 2010. [Online]. Available: https://www.owasp.org/index.php/Broken_Access_Control
