[Owasp-testing] Content for v4?

rick.mitchell at bell.ca rick.mitchell at bell.ca
Wed Apr 13 08:22:29 EDT 2011


Ya that quote seems right on the money, thanks Pavol. 

I'd be glad to author some content for this section, however/wherever it falls in TGv4.

Rick

-----Original Message-----
From: Pavol Luptak [mailto:pavol.luptak at nethemba.com] 
Sent: April 13, 2011 5:19 AM
To: Mitchell, Rick (6030318)
Cc: owasp-testing at lists.owasp.org
Subject: Re: [Owasp-testing] Content for v4?

Hi,
it's a definitely Access Control issue.

I think it's more/less covered by:

https://www.owasp.org/index.php/Testing_for_Bypassing_Authorization_Schema_%28OWASP-AZ-002%29

"Is it possible to access functions and resources that should be accessible 
to a user that holds a different role/privilege? "

I am not sure if there should be a new section, maybe we should just better
specify this specific situation.

Pavol

On Tue, Apr 12, 2011 at 08:52:46AM -0400, rick.mitchell at bell.ca wrote:
> Good morning everyone, I was browsing through v3 this morning and it occurred to me that an issue I've discovered in a number of apps recently isn't really covered by any part of v3 (please correct me if I've somehow simply missed the section).
> 
> The issue would fall under Authorization, maybe privilege escalation testing. I usually put it under a heading such as "Enforcement of User Privileges by Elements within the User's Control" when I prepare reports. Basically it boils down to developers hiding things from users or simply marking visible controls/elements as disabled and not performing any check server side for exercise of functionality.
> 
> In one example I had a ReadOnly account to an administrative interface where I could "setup" users. Since my account was ReadOnly the "Submit" or "Save" button on the user creation page was set as "Disabled". Using Firebug (or similar means) I simply removed the "Disabled" element on the button and was able to create new users since there was no check performed server side. The HTML in question was something like:
> 
> <input id="btnSave" type="submit" disabled="disabled" value="Save" name="btnSave">
> 
> I've also encountered similar situations where the following HTML was in play:
> 
> <div style="display:none;">
> 
> I'd be glad to write up some content for this when production of TG v4 content starts.
> 
> Rick
> 
> --------------------------------
> Rick Mitchell 
> 
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing

-- 
Pavol Luptak, CISSP, CEH
OWASP Slovakia chapter leader
http://www.owasp.org/index.php/Slovakia


More information about the Owasp-testing mailing list