OWASP Top 10 Deeper Dive - A8: Failure to Restrict URL Access
[highlight color="blue"]Interested in formal OWASP Top 10 Training? Check out our OWASP Top 10 Training course OWASP Top 10 Training. [/highlight]
Description: Parsing the OWASP Top Ten with a closer look at Failure to Restrict URL Access
11 courses, 8+ hours of training
11 courses, 8+ hours of training
Introduction
Per our discussion of OWASP Top 10 Tools and Tactics, we continue our closer look at each of the Top Ten with deeper analysis and specific examples of these vulnerabilities. As I continue to convey each of these deeper dives out of sequence as defined by the Top 10, let's explore #8 in the name of randomness and chaos.
Eight on the 2010 OWASP Top 10 Web Application Security Risks is:
- “Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.”
A8: Failure to Restrict URL Access
As discussed in the parent guide for each of these deeper dives, I suggested tools to help you identify and mitigate these risks within your organization's web applications and services. For this particular discussion, I'll work through Failure to Restrict URL Access with Sensepost's Wikto given the additional features it offers beyond Nikto's functionality. We'll also discuss Shodan, a computer search engine.
Exploring Failure to Restrict URL Access
All standard web application testing caveats apply; it's always best to have permission to explore applications and sites that aren't yours.
How best to determine is a particular application is vulnerable To Failure to Restrict URL Access?
Straight from the OWASP Top Ten guidance: verify every page.
For each page, is the page supposed to be public or private? If a private page:
- Is authentication required to access that page?
- Is it supposed to be accessible to ANY authenticated user?
- If not, is an authorization check made to ensure the user has permission to access that page?
Ideally, external security mechanisms provide authentication and authorization checks for page access. It is recommended that you verify they are properly configured for every page; if code level protection is used you should verify that code level protection is in place for every required page.
Web application and penetration testing is clearly one of the best ways to verify whether proper protection is in place; here's where Shodan and Wikto come into play.
Shodan is "a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters. Some have also described it as a public port scan directory or a search engine of banners. The bulk of the data is taken from 'banners', which are meta-data the server sends back to the client. This can be information about the server software, what options the service supports, a welcome message or anything else that the client would like to know before interacting with the server"
As a result, Shodan might be useful to testers during the reconnaissance phase of a penetration testing engagement. The UI is straightforward and intuitive, and operators and filters are available as well.
As an example, imagine you're interested in discovering results for servers running Joomla in a specific country. A query such as joomla country:CN would result in Figure 1.
Shodan search results
Such results could then possibly used to feed Wikto with an IP address selected from valid Shodan findings.
Wikto (as implied by its name) is a Windows tool that is written in C# and thus requires the .NET framework.
Make sure to confirm your configuration and save it as a .wkt file for regular use. This will include defining locations for the Nikto Database and the Google Hack Database. As the default location for these files is C:Program Files (x86)SensePostWiktodatabases you'll need to run Wikto as administrator on Vista/Windows7/Windows Server 2008 when update these databases.
Once installed Wikto can be initialized via the Wikto Scan Wizard which will walk you through Target Selection, Configuration (proxy server if applicable), Confirm Settings, and an Overview. Alternatively you can use each Wikto tab as you see fit. Start with Spider and establish your target IP in the Target window along with a port if not a standard HTTP/HTTPS port. Continuing on our Joomla theme from above (now testing an approved test server), note that the Wikto Spider mined directories typical to Joomla, including /joomla and /stories as seen in Figure 2.
Wikto Spider results
Wikto is, first and foremost, a GUI for Nikto, so users can expect all related Nikto functionality. You'll find color coded severity ratings for each finding and deeper progression into the realm of discovered entities that can be classified under Failure to Restrict URL Access. Figure 3 ironically points out that perhaps /restricted. should be just that. ;-)
Wikto Nikto
The BackEnd feature set is where Wikto really shines for discovery of the Failure to Restrict URL Access issues. The BackEnd DB is provided by the Wikto developers (Sensepost) and includes a plethora of checks for directories, files, and filetypes that should not likely be left "unrestricted." Where the BackEnd tool discovers the likes of a directory such as /security as seen in Figure 4, exploration of such a finding might uncover additional issues such as "These XAMPP pages are accessible by network for everyone" as included in Figure 4. Ruh-roh, Rastro.
Wikto BackEnd
You may find the Google-related features somewhat hampered; this tool hasn't been updated in two and a half years, but it's still quite useful.
Summary
While we've explored Wikto don't forget the venerable Nikto as part of your Reconnaissance and Mapping phases of pen testing engagements. It's amazing what one can uncover with Wikto/Nikto; if the prescribed OWASP guidance is "the enforcement mechanism(s) should deny all access by default, requiring explicit grants to specific users and roles for access to every page" you'll quickly learn that more often than not, quite the opposite is default.
As always, let me know if you have questions via russ at holisticinfosec dot org.
Cheers, and good luck.
In this Series
- OWASP Top 10 Deeper Dive - A8: Failure to Restrict URL Access
- DevSecOps: Moving from “shift left” to “born left”
- What’s new in the OWASP Top 10 for 2023?
- DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
- Introduction to DevSecOps and its evolution and statistics
- MongoDB (part 3): How to secure data
- MongoDB (part 2): How to manage data using CRUD operations
- MongoDB (part 1): How to design a schemaless, NoSQL database
- Understanding the DevSecOps Pipeline
- API Security: How to take a layered approach to protect your data
- How to find the perfect security partner for your company
- Security gives your company a competitive advantage
- 3 major flaws of the black-box approach to security testing
- Can bug bounty programs replace dedicated security testing?
- The 7 steps of ethical hacking
- Laravel authorization best practices and tips
- Learn how to do application security right in your organization
- How to use authorization in Laravel: Gates, policies, roles and permissions
- Is your company testing security often enough?
- Authentication vs. authorization: Which one should you use, and when?
- Why your company should prioritize security vulnerabilities by severity
- There’s no such thing as “done” with application security
- Understanding hackers: The insider threat
- Understanding hackers: The 5 primary types of external attackers
- Want to improve the security of your application? Think like a hacker
- 5 problems with securing applications
- Why you should build security into your system, rather than bolt it on
- Why a skills shortage is one of the biggest security challenges for companies
- How should your company think about investing in security?
- How to carry out a watering hole attack: Examples and video walkthrough
- How cross-site scripting attacks work: Examples and video walkthrough
- How SQL injection attacks work: Examples and video walkthrough
- Securing the Kubernetes cluster
- How to run a software composition analysis tool
- How to run a SAST (static application security test): tips & tools
- How to run an interactive application security test (IAST): Tips & tools
- How to run a dynamic application security test (DAST): Tips & tools
- Introduction to Kubernetes security
- Key findings from ESG’s Modern Application Development Security report
- Microsoft’s Project OneFuzz Framework with Azure: Overview and concerns
- Software maturity models for AppSec initiatives
- Best free and open source SQL injection tools [updated 2021]
- Pysa 101: Overview of Facebook’s open-source Python code analysis tool
- Improving web application security with purple teams
- Open-source application security flaws: What you should know and how to spot them
- Android app security: Over 12,000 popular Android apps contain undocumented backdoors
- 13 common web app vulnerabilities not included in the OWASP Top 10
- Fuzzing, security testing and tips for a career in AppSec
- 14 best open-source web application vulnerability scanners [updated for 2020]
- 6 ways to address the OWASP top 10 vulnerabilities
- Ways to protect your mobile applications against hacking
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Application security
Application security
Application security
DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
Application security