Broken Access Control with DVWA

11/9/2024

Broken Access Control is number one in the OWASP Top 10 2021, so it represents a serious risk to web applications. There are 34 Common Weakness Enumerations (CWEs) mapped to Broken Access Control. OWASP's A01:2021 entry has a good description, example attack scenarios, and mitigation strategies.

My course in penetration testing used the Damn Vulnerable Web App (DVWA) for other exercises, but I'll use it here to illustrate examples of broken access control. Let's spin up DVWA since it's already packaged for Kali Linux.

When logging in as the administrator we are presented with a button that says "Authorisation Bypass" which is not shown to other users. The challenge here is to access the features of this page from a non-administrator account. DVWA has three security levels: low, medium, and high. Let's attempt to exploit this at all levels.

Low Security Level

Inspecting the source code at the low security level shows there is actually no access control enforced. I should be able to navigate to this page directly with any credentials. Let's inspect the source code anyway.

The code confirms that the Authorisation Bypass button is only added to the menu when the logged-in account is admin. However, I see the entry 'url' => 'vulnerabilities/authbypass/', which I expect we can navigate to directly. Let's try it.

// Code snippet from DVWA's menu builder showing the URL path.
// Only the menu entry is gated on the user name; nothing here protects the URL itself.
if (dvwaCurrentUser() == "admin") {
        $menuBlocks[ 'vulnerabilities' ][] = array ('id' => 'authbypass','name' => 'Authorisation Bypass','url' => 'vulnerabilities/authbypass/' );
}
Details of the full function
Logging in as gordonb

Once logged in there is no button that takes me to the authorization bypass screen, as expected; however, I can navigate directly to the screen. This is one example of broken access control (or rather, the lack of any access control).

The Authorization Bypass button is not present

Success. I can access the screen and update user account names.

Broken Access Control on Low Security Level

Medium Security Level

Increasing the security level blocks our first exploit. If I try to navigate to the page directly I get a 403 Forbidden response. After inspecting the source code I see this exploit is now addressed. Let's use a proxy and see how we can still exploit it.

As expected, sending a GET request to this endpoint returns a 403 Forbidden error.

DVWA Source code for medium level security.

Without inspecting the source code further, I suspect the backend functions the page calls may still be exposed if I send a GET or POST request to them directly through my proxy. I can still see the user information as a non-admin user, so the broken access control vulnerability remains: the 403 protects the page, not the endpoints behind it.

The get_user_data.php is not protected.

Can we also modify the user details? Let's exploit the change_user_details.php function to verify. A GET request gives us more information: it tells us that a POST request is required.

The second packet I sent is a POST request, and the response tells us how to format the POST request correctly. I'll use this to craft the final packet.

The response informs us of what information the POST Request needs to include.
200 OK response! Note that I included the required fields in the request body.

Success, the user details have been changed:

The user's details have been modified by us to verify the broken access control.
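What both the low and medium levels have in common is that the check lives in the wrong place: at low it is only on the menu entry, and at medium it is only on the page, while get_user_data.php and change_user_details.php do none of their own authorization. The sketch below is an added example of how the same check is applied in every script, not DVWA's own code. It assumes only dvwaCurrentUser() from the snippet above; the helper names, the field names id/first_name/surname, the $pdo database handle and the users table are illustrative placeholders.

```php
<?php
// Added example, not DVWA's code. Assumes dvwaCurrentUser() (from the menu
// snippet) returns the logged-in user name; helper names, field names, $pdo
// and the users table are illustrative placeholders.
declare(strict_types=1);

// --- shared include, e.g. includes/authz.php --------------------------------

// Hiding a menu entry is presentation, not authorization. Every script that
// does privileged work (the page AND the XHR endpoints it calls) starts here.
function requireAdmin(): void
{
    if (dvwaCurrentUser() !== 'admin') {
        http_response_code(403);
        header('Content-Type: application/json');
        echo json_encode(['result' => 'fail', 'error' => 'admin role required']);
        exit;
    }
}

// Pin each endpoint to one HTTP method so a write endpoint cannot be
// triggered by a plain GET link and a read endpoint is not reachable by POST.
function requireMethod(string $method): void
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== $method) {
        http_response_code(405);
        header('Allow: ' . $method);
        exit;
    }
}

// Validate the body. A missing field is a 400 with a generic message; the
// error response should not double as documentation of the expected fields.
function requireFields(array $input, array $names): array
{
    $out = [];
    foreach ($names as $name) {
        if (!isset($input[$name]) || !is_string($input[$name]) || $input[$name] === '') {
            http_response_code(400);
            header('Content-Type: application/json');
            echo json_encode(['result' => 'fail', 'error' => 'invalid request']);
            exit;
        }
        $out[$name] = $input[$name];
    }
    return $out;
}

// --- vulnerabilities/authbypass/index.php (the page) ------------------------
// Same check whether or not the menu ever showed the link.
requireAdmin();

// --- vulnerabilities/authbypass/get_user_data.php (read endpoint) -----------
requireAdmin();
requireMethod('GET');
// ... query the user list and return it as JSON ...

// --- vulnerabilities/authbypass/change_user_details.php (write endpoint) ----
requireAdmin();
requireMethod('POST');
$fields = requireFields($_POST, ['id', 'first_name', 'surname']); // names assumed
// Parameterised update, so the hardened write path does not pick up a new bug.
$stmt = $pdo->prepare(
    'UPDATE users SET first_name = :first_name, last_name = :surname WHERE user_id = :id'
);
$stmt->execute($fields);
echo json_encode(['result' => 'ok']);
```

The point of the layout is that the authorization decision is made once, in one function, and invoked at the top of every file that can be requested on its own. A quick way to audit an application for this class of bug is to list every script under a privileged directory and confirm each one calls the check before doing any work; a script that relies on "the page that links to me already checked" is the one the proxy will reach directly.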

High Security Level

I leave this one to the reader to work through. The methods I used on the medium level were also successful on DVWA's high security level.
