Showing posts with label programming. Show all posts

Monday, May 15, 2023

Application Security Risk - Broken Access Control

Broken Access Control refers to vulnerabilities that allow unauthorized actors to gain access to sensitive information or perform actions they are not supposed to. OWASP lists several notable weaknesses in this category, including:

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-201: Insertion of Sensitive Information Into Sent Data
  • CWE-352: Cross-Site Request Forgery

Common causes of Broken Access Control include:

  • Violation of the principle of least privilege or deny by default: access should only be granted to specific capabilities, roles, or users, but it is instead available to anyone.
  • Bypassing access control checks by modifying the URL (parameter tampering or force browsing), internal application state, HTML pages, or by using attack tools to modify API requests.
  • Allowing the viewing or editing of someone else's account by providing its unique identifier (insecure direct object references).
  • Accessing APIs without proper access controls for POST, PUT, and DELETE operations.
  • Elevation of privilege, such as acting as a user without being logged in or acting as an admin when logged in as a regular user.
  • Manipulation of metadata, like replaying or tampering with access control tokens such as JSON Web Tokens (JWTs), cookies, or hidden fields to elevate privileges or abuse JWT invalidation.
  • Misconfiguration of Cross-Origin Resource Sharing (CORS), which allows unauthorized or untrusted origins to access APIs.
  • Force browsing to authenticated pages as an unauthenticated user or accessing privileged pages as a standard user.

Here are two scenarios that illustrate Broken Access Control vulnerabilities:

Scenario #1: The application uses unverified data in a SQL call that accesses account information:

    // "acct" comes straight from the request. The prepared statement stops SQL
    // injection, but nothing checks that the caller is allowed to see this account.
    pstmt.setString(1, request.getParameter("acct"));
    ResultSet results = pstmt.executeQuery();

An attacker can simply modify the browser's 'acct' parameter to send any account number they want. If this value is not checked against the logged-in user, the attacker can read any user's account by manipulating the URL:

    https://example.com/app/accountInfo?acct=notmyacct

Scenario #2: An attacker force browses to target URLs that should be restricted to certain user roles. For example, access to the admin page requires admin rights:

    https://example.com/app/getappInfo
    https://example.com/app/admin_getappInfo

If an unauthenticated user can access either of these pages, it indicates a flaw. Similarly, if a non-admin user can access the admin page, it is also a security vulnerability.

Prevention Measures:

To prevent Broken Access Control vulnerabilities, follow these best practices:

  • Implement access control mechanisms in trusted server-side code or serverless APIs, where attackers cannot modify the access control check or metadata.
  • Except for public resources, adopt a deny-by-default approach, meaning that access is only granted to specific resources and actions.
  • Implement access control mechanisms once and reuse them consistently throughout the application. Minimize the usage of Cross-Origin Resource Sharing (CORS).
  • Ensure that access controls enforce record ownership, rather than assuming that users can create, read, update, or delete any record.
  • Enforce unique application business limit requirements using domain models.
  • Disable web server directory listing and remove sensitive file metadata (e.g., .git) and backup files from web roots.
  • Log access control failures and alert administrators when appropriate, such as in cases of repeated failures.
  • Implement rate limiting on API and controller access to mitigate harm from automated attack tools.
  • Invalidate stateful session identifiers on the server after logout. If using stateless JWT tokens, ensure they have a short lifespan to minimize the attacker's window of opportunity. For longer-lived JWTs, it is highly recommended to follow the OAuth standards for token revocation and management.
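The two scenarios and the prevention list above, worked through as an added example that is not part of the original post: a small in-memory account service written in Node.js. The route paths (/app/accountInfo, /app/getappInfo, /app/admin_getappInfo) come from the scenarios; the accounts, users, the policy table, authorize(), handle(), and the choice to answer 404 rather than 403 for a record the caller does not own are assumptions of this demo, not code from the page or from OWASP.

```javascript
// Added example, not code from the original post: an in-memory account service
// that puts the vulnerable handler from Scenario #1 beside a hardened one that
// applies the prevention list (deny by default, one reusable check, record
// ownership, role checks for admin pages, logging of failures).
// Accounts, users and the policy table below are constructed for the demo.

const accounts = new Map([
  ['1001', { owner: 'alice', balance: 250 }],
  ['1002', { owner: 'bob', balance: 900 }],
]);

const users = {
  alice: { roles: ['user'] },
  bob: { roles: ['user'] },
  carol: { roles: ['user', 'admin'] },
};

// VULNERABLE: mirrors pstmt.setString(1, request.getParameter("acct")).
// The prepared statement prevents SQL injection, but nothing checks that the
// caller owns the account, so ?acct=notmyacct returns someone else's record.
function accountInfoVulnerable(session, params) {
  const record = accounts.get(params.acct);
  return record ? { status: 200, body: record } : { status: 404 };
}

// Deny-by-default policy: a route that is not listed here cannot be reached.
// Each entry names the roles allowed and whether the caller must own the record
// it touches. The method is part of the key, so a PUT or DELETE that nobody
// registered is rejected instead of falling through to a handler.
const policy = {
  'GET /app/accountInfo':      { roles: ['user', 'admin'], ownerOnly: true },
  'PUT /app/accountInfo':      { roles: ['user', 'admin'], ownerOnly: true },
  'GET /app/getappInfo':       { roles: ['user', 'admin'] },
  'GET /app/admin_getappInfo': { roles: ['admin'] },
};

// Access control failures are recorded so repeated failures can be alerted on.
const auditLog = [];

function deny(reason, session, route, status = 403) {
  auditLog.push({ reason, user: session ? session.user : null, route });
  return { status };
}

// The single, reusable check. It runs before any handler and is the only
// place that decides who may do what.
function authorize(session, route, record) {
  const rule = policy[route];
  if (!rule) return deny('unlisted route', session, route);
  if (!session || !users[session.user]) return deny('unauthenticated', session, route);
  const roles = users[session.user].roles;
  if (!rule.roles.some((r) => roles.includes(r))) return deny('missing role', session, route);
  if (rule.ownerOnly) {
    if (!record) return { status: 404 };
    // Ownership is enforced server-side; the client-supplied id is only a lookup key.
    // Admins may read any record. A 404 (not 403) for foreign records keeps an
    // attacker from enumerating which account ids exist (a demo design choice).
    if (record.owner !== session.user && !roles.includes('admin')) {
      return deny('not record owner', session, route, 404);
    }
  }
  return null; // authorized
}

// HARDENED: every request passes through authorize() before any handler runs.
function handle(session, method, path, params = {}) {
  const route = `${method} ${path}`;
  const record = accounts.get(params.acct);
  const denied = authorize(session, route, record);
  if (denied) return denied;
  switch (route) {
    case 'GET /app/accountInfo':
      return { status: 200, body: record };
    case 'PUT /app/accountInfo':
      record.balance = Number(params.balance);
      return { status: 200, body: record };
    case 'GET /app/getappInfo':
      return { status: 200, body: { app: 'demo', version: '1.0' } };
    case 'GET /app/admin_getappInfo':
      return { status: 200, body: { users: Object.keys(users) } };
    default:
      return { status: 404 };
  }
}
```

Calling accountInfoVulnerable({ user: 'alice' }, { acct: '1002' }) hands alice bob's account, which is the IDOR from Scenario #1; the same request through handle() is refused and logged, bob cannot reach /app/admin_getappInfo while carol can (Scenario #2), and a DELETE on /app/accountInfo is refused simply because no policy entry exists for it.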

Following these measures reduces the risk of Broken Access Control, but access control logic also has to be tested: regular security assessments, including tests that exercise each endpoint as an unauthenticated user, as a regular user, and as an admin, catch the gaps that code review misses. Access control is a critical part of protecting sensitive information and preventing unauthorized actions, so it should be implemented correctly and consistently from the start and revisited as new vulnerabilities and attack techniques emerge.


Wednesday, March 1, 2023

How to show and hide text on click of a link using JavaScript


In this article, we'll explore how to show and hide text on click of a link using JavaScript.

Showing and hiding text is a common web development feature that can help improve the user experience of your website. By allowing users to reveal additional information only when they need it, you can keep your pages more organized and easier to read.

In this tutorial, we'll create a simple web page with a link that, when clicked, will reveal or hide additional text on the page. Here's how to get started.

Step 1: Set up the HTML

The first step is to create the basic HTML structure of our web page. We'll need an anchor tag that will serve as our "show more" button, and a div that will contain the additional text we want to show or hide.

    <!DOCTYPE html>
    <html>
    <head>
      <title>Show and Hide Text on Click of Link</title>
    </head>
    <body>
      <a href="#" id="showMore">Show More</a>
      <div id="moreText" style="display: none;">
        <p>This is the additional text that will be revealed when the link is clicked.</p>
      </div>
    </body>
    </html>

In the code above, we've created an anchor tag with an id of showMore and a div with an id of moreText. We've also added some sample text to the div to demonstrate how the feature will work.

Note that we've set the style attribute of the moreText div to display: none;. This will hide the div initially, so that the additional text is not visible when the page loads.

Step 2: Add the JavaScript

Now that we have our HTML in place, we can add the JavaScript code that will show and hide the additional text when the link is clicked. Put this script after the two elements, just before the closing </body> tag, because it looks the elements up as soon as it runs. Here's the code:

    <script>
      var link = document.getElementById('showMore');
      var moreText = document.getElementById('moreText');

      link.onclick = function() {
        if (moreText.style.display === 'none') {
          moreText.style.display = 'block';
          link.innerHTML = 'Show Less';
        } else {
          moreText.style.display = 'none';
          link.innerHTML = 'Show More';
        }
        return false;
      };
    </script>

In the code above, we first use the getElementById method to get references to our anchor tag and div. We then set the onclick property of the anchor tag to a function that will run when the link is clicked.

The function checks the current display style of the moreText div. If it's set to none, meaning that the additional text is currently hidden, the function sets the display style to block to reveal the text. It also changes the text of the link to "Show Less".

If the display style is not set to none, meaning that the additional text is currently visible, the function sets the display style back to none to hide the text. It also changes the text of the link back to "Show More".

Finally, the function returns false to prevent the link from navigating to a new page when clicked.

Step 3: Test the Feature

With our HTML and JavaScript in place, we can now test the feature by opening the HTML file in a web browser and clicking the "Show More" link. Clicking the link should reveal the additional text, and change the link text to "Show Less". Clicking the link again should hide the additional text and change the link text back to "Show More".

Congratulations! You've just created a simple show/hide text feature using JavaScript.
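A sturdier version of the same feature, added here as an example rather than code from the original tutorial. It keeps the behaviour above (a click toggles the panel and flips the label) but uses addEventListener with preventDefault instead of onclick and return false, the HTML hidden attribute instead of inline display styles, textContent instead of innerHTML (so a label can never be parsed as markup), and aria attributes so assistive technology announces the state. It also wires any number of link/panel pairs through a data-toggle attribute, which is this example's own convention. Because the function only touches a handful of DOM properties, it can be exercised outside a browser with stub objects.

```javascript
// Added example, not code from the original tutorial: a reusable show/hide toggle.
// Expected markup (this example's own convention, not the tutorial's):
//   <a href="#" data-toggle="moreText">Show More</a>
//   <div id="moreText" hidden><p>Additional text...</p></div>

function makeToggle(link, panel, labels = { show: 'Show More', hide: 'Show Less' }) {
  // Sync the link text and aria-expanded with the panel's current visibility.
  // textContent (not innerHTML) means the label is always treated as plain text.
  function render() {
    const expanded = !panel.hidden;
    link.textContent = expanded ? labels.hide : labels.show;
    link.setAttribute('aria-expanded', String(expanded));
  }

  // Flip the panel and return true when it is now visible.
  function toggle() {
    panel.hidden = !panel.hidden;
    render();
    return !panel.hidden;
  }

  if (panel.id) link.setAttribute('aria-controls', panel.id);
  link.addEventListener('click', (event) => {
    event.preventDefault(); // keep href="#" from scrolling to the top of the page
    toggle();
  });
  render(); // reflect the initial state (hidden panel => "Show More")
  return toggle;
}

// Wire every <a data-toggle="panelId"> found under `root`. In a browser the
// default root is `document`; under Node there is no document, so the caller
// passes null (or a stub) and nothing is wired.
function wireToggles(root = typeof document !== 'undefined' ? document : null) {
  if (!root) return [];
  return Array.from(root.querySelectorAll('a[data-toggle]'))
    .map((link) => {
      const panel = root.getElementById(link.dataset.toggle);
      return panel ? makeToggle(link, panel) : null;
    })
    .filter(Boolean);
}

// Only in a browser: wire the toggles once the DOM has been parsed, so the
// script can live in <head> as well as at the end of <body>.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => wireToggles());
}
```

makeToggle returns the toggle function, so the panel can also be opened or closed programmatically (for example from a keyboard shortcut) while the label and aria-expanded stay in sync.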

