Title: Review RBAC Map
Project: GCPsanity
Description: The RBAC exploit allows an attacker to gain full control of a vulnerable endpoint by gaining-access/signing-up for a basic account.
Assertion
Name: Role Based Access Control (RBAC) ( 1 )
Overview: Access Control (or Authorization) is the process of granting or denying specific requests from a user, program, or process. Access control also involves the act of granting and revoking those privileges. Role Based Access Control (RBAC) is a model for controlling access to resources where permitted actions on resources are identified with roles rather than with individual subject identities. In API world, With RBAC, users are granted privilege to only execute and invoke APIs that are needed to perform their tasks. Without access control users would be allowed to invoke any APIs and perform any functions on the system.
Severity: OWASP 2019 API Top 10 ranks RBAC vulnerabilities at 5th position. And OWASP 2017 Top 10 ranks Broken Access control at the 5th position. ( 2 ) ( 3 )
Vulnerability Impact: With flawed or broken RBAC security control policy in place, The following are some of the consequences.
Attackers can take advantage of privilege escalation and perform actions not intended.
Exposure of Sensitive data to persons not authorized.
Exploitation: Exploitation requires the attacker to send legitimate API calls to the API endpoint that they should not have access to. These endpoints might be exposed to anonymous users or regular, non-privileged users. It’s easier to discover these flaws in APIs since APIs are more structured, and the way to access certain functions is more predictable (e.g., replacing the HTTP method from GET to PUT, or changing the “users” string in the URL to "admins", or changing the value of a parameter like "is_admin" from "false" to "true").
Remediation: The following techniques may be checked for ensuring RBAC is in place ( 2 ) ( 4 ) ( 5 ).
Deny all access by default, requiring explicit grants to specific roles for access to every function.
Review your API endpoints against function level authorization flaws, while keeping in mind the business logic of the application and groups hierarchy.
Make sure that all of your administrative controllers inherit from an administrative abstract controller that implements authorization checks based on the user’s group/role.
Make sure that administrative functions inside a regular controller implements authorization checks based on the user’s group and role.
Title: Review RBAC Map Project: GCPsanity Description: The RBAC exploit allows an attacker to gain full control of a vulnerable endpoint by gaining-access/signing-up for a basic account.
Assertion Name: Role Based Access Control (RBAC) ( 1 )
Overview: Access Control (or Authorization) is the process of granting or denying specific requests from a user, program, or process. Access control also involves the act of granting and revoking those privileges. Role Based Access Control (RBAC) is a model for controlling access to resources where permitted actions on resources are identified with roles rather than with individual subject identities. In API world, With RBAC, users are granted privilege to only execute and invoke APIs that are needed to perform their tasks. Without access control users would be allowed to invoke any APIs and perform any functions on the system.
Severity: OWASP 2019 API Top 10 ranks RBAC vulnerabilities at 5th position. And OWASP 2017 Top 10 ranks Broken Access control at the 5th position. ( 2 ) ( 3 )
Vulnerability Impact: With flawed or broken RBAC security control policy in place, The following are some of the consequences.
- Attackers can take advantage of privilege escalation and perform actions not intended.
- Exposure of Sensitive data to persons not authorized.
Exploitation: Exploitation requires the attacker to send legitimate API calls to the API endpoint that they should not have access to. These endpoints might be exposed to anonymous users or regular, non-privileged users. It’s easier to discover these flaws in APIs since APIs are more structured, and the way to access certain functions is more predictable (e.g., replacing the HTTP method from GET to PUT, or changing the “users” string in the URL to "admins", or changing the value of a parameter like "is_admin" from "false" to "true").Remediation: The following techniques may be checked for ensuring RBAC is in place ( 2 ) ( 4 ) ( 5 ).
- Deny all access by default, requiring explicit grants to specific roles for access to every function.
- Review your API endpoints against function level authorization flaws, while keeping in mind the business logic of the application and groups hierarchy.
- Make sure that all of your administrative controllers inherit from an administrative abstract controller that implements authorization checks based on the user’s group/role.
- Make sure that administrative functions inside a regular controller implements authorization checks based on the user’s group and role.
References:Risk: RBAC Severity: Critical API Endpoint: Environment: Master Playbook: Researcher:
QUICK TIPS
Suggestion: Remove overlapping-roles/privilege-escalations from vulnerable endpoint. Effort Estimate: 4.0 Hrs Wire Logs:
IMPORTANT LINKS
Vulnerability Details: null/8a8481a980fb156f01811cc6cf5b1fc9/details
Project:
Environment:
Scan Dashboard:
Playbook:
Coverage:
Code Sample: null/8a8481a980fb156f01811cc6cf5b1fc9/codesamples
PS: Please contact support@apisec.ai for apisec access and login issues.
--- apisec Bot ---