{"id":590,"date":"2018-10-17T19:39:39","date_gmt":"2018-10-17T19:39:39","guid":{"rendered":"https:\/\/www.appservgrid.com\/paw92\/?p=590"},"modified":"2018-10-18T14:26:05","modified_gmt":"2018-10-18T14:26:05","slug":"owasp-security-shepherd-failure-to-restrict-access-solution-lsb-ls-blog","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2018\/10\/17\/owasp-security-shepherd-failure-to-restrict-access-solution-lsb-ls-blog\/","title":{"rendered":"OWASP Security Shepherd \u2013 Failure To Restrict Access Solution \u2013 LSB \u2013 ls \/blog"},"content":{"rendered":"<p><em>Am I Vulnerable To \u2018Failure to Restrict URL Access\u2019?<\/em><\/p>\n<p>The best way to find out if an application has failed to properly restrict URL access is to verify <b>every<\/b> page. For each page, consider whether it is supposed to be public or private. If a private page:<\/p>\n<ol>\n<li>Is authentication required to access that page?<\/li>\n<li>Is it supposed to be accessible to ANY authenticated user? If not, is an authorization check made to ensure the user has permission to access that page?<\/li>\n<\/ol>\n<p>External security mechanisms frequently provide authentication and authorization checks for page access. Verify they are properly configured for every page. If code-level protection is used, verify that it is in place for every required page. 
Penetration testing can also verify whether proper protection is in place.<\/p>\n<p>With that in mind let\u2019s tackle the next Security Shepherd challenge \u2013 Failure To Restrict Access.<img decoding=\"async\" src=\"https:\/\/linuxsecurityblog.files.wordpress.com\/2018\/09\/ftra11.png?w=900\" alt=\"FTRA1\" \/><\/p>\n<p>Above is the screen we are presented with on Security Shepherd. It\u2019s all straightforward, and what we notice straight away is that the words \u201cweb page\u201d are highlighted. When we click on them the website does nothing, but they still look like a link. We will need the developer tools in Chrome to look at the code behind it. Right click on the highlighted words and choose Inspect. This will inspect that element\u2019s HTML.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/linuxsecurityblog.files.wordpress.com\/2018\/09\/ftra31.png?w=900\" alt=\"FTRA3\" \/><\/p>\n<p>Now we can see the code a bit clearer. Notice the div two lines under the web page text with style=\"display: none\". This tells the browser not to render that element. Let\u2019s change the text, shall we?<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/linuxsecurityblog.files.wordpress.com\/2018\/09\/ftra41.png?w=900\" alt=\"FTRA4\" \/><\/p>\n<p>Instead of style=\"display: none\" we change it to style=\"display: text\"; this pops onto the screen what the developer did not want us to see. <img decoding=\"async\" src=\"https:\/\/linuxsecurityblog.files.wordpress.com\/2018\/09\/ftra52.png?w=900\" alt=\"FTRA5\" \/><\/p>\n<p>We have access to the Admin page now; this is where the key to the round resides. Hiding the link with CSS only changed what the browser displayed; the server never checked who was allowed to request the Admin page. 
Click on the link and collect the key.<\/p>\n<p><em>How Do I Prevent \u2018Failure to Restrict URL Access\u2019?<\/em><\/p>\n<p>Preventing unauthorized URL access requires selecting an approach for requiring proper authentication and proper authorization for each page. Frequently, such protection is provided by one or more components external to the application code. Regardless of the mechanism(s), all of the following are recommended:<\/p>\n<ol>\n<li>The authentication and authorization policies should be role based, to minimize the effort required to maintain these policies.<\/li>\n<li>The policies should be highly configurable, in order to minimize any hard-coded aspects of the policy.<\/li>\n<li>The enforcement mechanism(s) should deny all access by default, requiring explicit grants to specific users and roles for access to every page.<\/li>\n<li>If the page is involved in a workflow, check to make sure the conditions are in the proper state to allow access.<\/li>\n<\/ol>\n<p>Thanks for reading and don\u2019t forget to return for further OWASP Security Shepherd solutions.<\/p>\n<p>QuBits<\/p>\n<p><a href=\"https:\/\/linuxsecurityblog.com\/2018\/09\/27\/owasp-security-shepherd-failure-to-restrict-access-solution-lsb-2\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Am I Vulnerable To \u2018Failure to Restrict URL Access\u2019? 
The best way to find out if an application has failed to properly restrict URL access is to verify every page. Consider for each page, is the page supposed to be public or private. If a private page: Is authentication required to access that page? Is &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/www.appservgrid.com\/paw92\/index.php\/2018\/10\/17\/owasp-security-shepherd-failure-to-restrict-access-solution-lsb-ls-blog\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;OWASP Security Shepherd \u2013 Failure To Restrict Access Solution \u2013 LSB \u2013 ls \/blog&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-590","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/590","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/comments?post=590"}],"version-history":[{"count":1,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/590\/revisions"}],"predecessor-version":[{"id":715,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/590\/revisions\/715"}],"wp:attachment":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/media?parent=590"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.p
hp\/wp-json\/wp\/v2\/categories?post=590"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/tags?post=590"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}