Improper Authorization [CWE-285]

The Hacktivists
Mar 18, 2021

The Improper Authorization weakness describes flaws in the mechanisms an application uses to authorize its users.

Table of Contents
1. Description
2. Potential impact
3. Attack patterns
4. Affected software

1. Description
………………………………

Authorization is the process of validating a user's rights and privileges within the application. It is part of the AAA (Authentication, Authorization, Accounting) security framework, which is designed to ensure the integrity and safety of valuable information assets.

The goal of the authorization process is to check whether the user has the right to interact with a given resource. Failure to perform this check correctly may result in unauthorized access to privileged information or functionality and eventually lead to a breach of application integrity.

Improper Authorization is a child of the Improper Access Control (CWE-285) weakness class and is intended to describe security issues caused by an incorrect implementation of privileges within the application or by a flaw in the application's original design.
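
As an added illustration (not part of the original post): a minimal document handler that authenticates the caller but skips the per-object authorization check the section describes, beside the same handler with a deny-by-default check. All names, the policy table and the sample data are constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False

# Constructed sample data: document id -> (owner, contents).
DOCUMENTS = {
    1: ("alice", "alice's private notes"),
    2: ("bob", "bob's invoice"),
}

# Deny-by-default policy: the caller's relationship to a document decides which
# actions are allowed; any relationship not listed here gets nothing.
POLICY = {
    "owner": {"read", "update"},
    "admin": {"read", "update", "delete"},
}

def relationship(user: User, owner: str) -> str:
    """Classify the caller relative to the document's owner."""
    if user.is_admin:
        return "admin"
    return "owner" if user.name == owner else "other"

def is_authorized(user: User, action: str, owner: str) -> bool:
    """Object-level authorization check: is this action on this object allowed?"""
    return action in POLICY.get(relationship(user, owner), set())

def get_document_insecure(user: User, doc_id: int) -> str:
    """CWE-285 pattern: the handler confirms that *a* user is logged in but never
    asks whether that user may read *this* document, so any account can read any id."""
    if user is None:
        raise PermissionError("authentication required")
    _owner, body = DOCUMENTS[doc_id]
    return body

def get_document_secure(user: User, doc_id: int) -> str:
    """Same handler with the authorization check performed on every access."""
    if user is None:
        raise PermissionError("authentication required")
    entry = DOCUMENTS.get(doc_id)
    # One response for "missing" and "forbidden", so callers cannot probe which ids exist.
    if entry is None or not is_authorized(user, "read", entry[0]):
        raise PermissionError(f"access denied: document {doc_id}")
    return entry[1]
```

The insecure handler returns alice's document to bob; the hardened one denies it, while still serving bob his own document and letting an admin read everything.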

2. Potential impact
………………………………

This vulnerability can lead to anything from minor information disclosure to remote code execution and compromise of the web application or the underlying system. Depending on the application's design and functionality, an attacker can use this weakness to access sensitive information, trigger a denial of service, or execute code.

A real-world example of such a vulnerability is the authorization bypass in the admin_nodeInfo API of CPP-ethereum's JSON-RPC server (CVE-2017-12113), which allowed an attacker to send specially crafted data to the JSON-RPC server and then issue arbitrary RPC requests.

3. Attack patterns
………………………………

The following CAPEC patterns are related to this vulnerability:

❏ CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
❏ CAPEC-13: Subverting Environment Variable Values
❏ CAPEC-17: Accessing, Modifying or Executing Executable Files
❏ CAPEC-39: Manipulating Opaque Client-based Data Tokens
❏ CAPEC-45: Buffer Overflow via Symbolic Links
❏ CAPEC-51: Poison Web Service Registry
❏ CAPEC-59: Session Credential Falsification through Prediction
❏ CAPEC-60: Reusing Session IDs (aka Session Replay)
❏ CAPEC-76: Manipulating Input to File System Calls
❏ CAPEC-77: Manipulating User-Controlled Variables
❏ CAPEC-87: Forceful Browsing
❏ CAPEC-104: Cross Zone Scripting
❏ CAPEC-127: Directory Indexing

Improper authorization is described as Insufficient Authorization (WASC-02) in the WASC database.

4. Affected software
………………………………

Improper authorization is a language-independent issue that may arise in any multiuser environment.

Most modern web applications provide privilege separation (e.g. between an anonymous website visitor and a website administrator).

Therefore, this issue is very common in content management systems, blogging software, frameworks, APIs, etc.

Credits: https://www.immuniweb.com/
