1
00:00:00,150 --> 00:00:07,170
Authorization is the function of specifying access rights and privileges to resources. More formally,

2
00:00:07,260 --> 00:00:10,170
to authorize is to define an access policy.

3
00:00:10,410 --> 00:00:16,070
For example, human resources staff is normally authorized to access employee records.

4
00:00:16,140 --> 00:00:21,960
And this policy is usually formalized as access control rules. During operation,

5
00:00:21,990 --> 00:00:29,820
the system uses the access control rules to decide whether authentication shall be granted or rejected

6
00:00:30,240 --> 00:00:31,290
in the application.

7
00:00:31,650 --> 00:00:37,350
What resources the users will be able to use is determined by the authorization process.

8
00:00:37,830 --> 00:00:43,530
There might be different roles of users in the application, and every role has its own access privileges.

9
00:00:44,160 --> 00:00:51,270
We should identify each user or role, find out the permissions given to them and try to push each user

10
00:00:51,270 --> 00:00:53,400
for unauthorized transactions.

11
00:00:54,150 --> 00:01:00,660
We try to find the weaknesses and vulnerabilities of the application's authorization mechanism and escalate

12
00:01:00,720 --> 00:01:07,020
our privileges. When the application does not control parameters coming from the user, you can process

13
00:01:07,020 --> 00:01:09,240
some unauthorized operations.

14
00:01:10,290 --> 00:01:13,320
The scenario displayed on the slide is a true story.

15
00:01:13,830 --> 00:01:19,170
The user has only view permission on the product. When she wants to view a product,

16
00:01:19,290 --> 00:01:23,040
the URL is prepared as seen on the slide by the application.

17
00:01:23,850 --> 00:01:27,870
Now there is a parameter named action and its value is view.

18
00:01:28,590 --> 00:01:33,000
What if we change the value of the parameter to delete?
19
00:01:34,910 --> 00:01:42,460
Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in the application

20
00:01:42,470 --> 00:01:49,460
in order to gain elevated access to resources that are normally protected from an application or user.

21
00:01:49,910 --> 00:01:57,200
The result is that a user with more privileges than intended by the application can perform unauthorized

22
00:01:57,200 --> 00:02:03,510
actions. If a normal user accesses functions or content reserved for other normal users,

23
00:02:03,530 --> 00:02:06,590
it's called horizontal privilege escalation.

24
00:02:06,680 --> 00:02:13,400
For example, internet banking user A accesses the internet bank account of user B. If a lower privilege

25
00:02:13,400 --> 00:02:18,170
user accesses functions or content reserved for higher privilege users,

26
00:02:18,230 --> 00:02:21,260
that's called vertical privilege escalation.

27
00:02:21,560 --> 00:02:26,450
For example, an internet banking user accesses site administrative functions.

28
00:02:27,350 --> 00:02:34,130
There are two real world privilege escalation examples in this slide. In the first example, the message

29
00:02:34,130 --> 00:02:36,110
sent to a user has an ID number.

30
00:02:36,710 --> 00:02:41,180
Is it a random number, or is it a number increasing regularly?

31
00:02:42,020 --> 00:02:44,690
Here, the next message has the next number's ID.

32
00:02:45,290 --> 00:02:50,390
For instance, if the message ID is 12, the next message ID will be 13.

33
00:02:50,900 --> 00:02:56,210
Changing the ID, we are able to read a message which is for anyone else.

34
00:02:57,360 --> 00:03:04,050
No matter what the ID number is, the application should perform an access control in each attempt.
35
00:03:04,470 --> 00:03:10,620
Now in the second example, there is a hidden field with a name of list_admin and the value

36
00:03:10,620 --> 00:03:19,560
of F. Assuming that the F is for false, changing it to T for true, we get the admin role in that application.

37
00:03:20,160 --> 00:03:20,580
Path

38
00:03:20,580 --> 00:03:29,220
traversal attack is also known as dot dot slash, directory traversal, directory climbing and backtracking.

39
00:03:29,430 --> 00:03:36,570
This attack aims to access files and directories that are stored outside of the web root folder by manipulating

40
00:03:36,570 --> 00:03:43,620
variables that reference files with dot dot slash sequences and its variations, or by using absolute

41
00:03:43,620 --> 00:03:44,310
file paths.

42
00:03:44,340 --> 00:03:51,120
It may be possible to access arbitrary files and directories stored on the file system, including application

43
00:03:51,120 --> 00:03:55,380
source code or configuration and critical system files.

44
00:03:55,530 --> 00:04:01,890
It should be noted that access to these files is limited by system operational access control.

45
00:04:02,490 --> 00:04:05,310
So let's see the attack in a real world example.

46
00:04:05,640 --> 00:04:12,120
While examining the application, we saw an attribute value pair with the attribute name of template.

47
00:04:12,240 --> 00:04:18,450
After just a few tries, we realized that there are different templates for the website, and the application

48
00:04:18,450 --> 00:04:19,890
decides which one to use.

49
00:04:21,060 --> 00:04:26,370
In the source code, it's seen that the value of the template attribute of the cookie is used as the

50
00:04:26,370 --> 00:04:35,490
file name directly. Change the template file name: put a few dot dot slashes followed by the etc and passwd

51
00:04:35,490 --> 00:04:36,030
folders.

52
00:04:36,480 --> 00:04:38,430
Now here there are two things we should note.
53
00:04:38,610 --> 00:04:42,690
First, we assume that the server hosting the application is a Linux machine.

54
00:04:42,690 --> 00:04:47,790
Even though we don't know the operating system of the server, we can find it easily after a few attempts

55
00:04:47,790 --> 00:04:48,510
in this attack.

56
00:04:49,530 --> 00:04:53,940
Second, dot dot slash brings you one folder out.

57
00:04:54,760 --> 00:04:59,560
We try to reach the root folder first, then go to the etc slash passwd file.

58
00:05:00,070 --> 00:05:02,650
Redundant dot dot slashes are harmless,

59
00:05:02,890 --> 00:05:07,510
which means if you send dot dot slash after you reach the root, no error is given.

60
00:05:07,930 --> 00:05:11,950
So you can put dot dot slashes in as many times as you want.

61
00:05:12,700 --> 00:05:18,880
But you see the response of the application contains passwd file content as well.