Why we need two logins per privilege level
You might have noticed that the Plynt pre-test checklist requests two logins for each privilege level. Clients sometimes ask why we need logins with different privileges at all, and why we need two at each level rather than just one.
It's quite simple.
The threats we test for fall into two categories:
- Can I escalate my privileges?
- Can I access another account with similar privileges?
Examples of the first category, escalating privileges, are:
- a nurse prescribing drugs, a task only doctors are authorized to
- a bank’s customer approving loans, which only a manager may do
- an eCommerce customer setting prices, which is the privilege of the merchant
How do we try to escalate our privileges? We study the traffic sent to the server when we log in as the nurse, and then again when we log in as the doctor. We work out which requests are sent when a doctor prescribes a drug. Then we replay the same requests while logged in as the nurse. Can we fool the application into accepting our prescription when we are logged in as the nurse? For all of this we need sample logins at every privilege level, both as the nurse and as the doctor.
But why two logins at each level?
That's for the second category, which covers threats like:
- a nurse updating the records of patients not under her care
- a bank’s customer seeing the account details of another user
- a shopper adding items to the shopping cart of another customer
How can we update the records of patients not under our care? First, we log in as Alice and study the request sent when she updates one of her patients' records. Then we log in as Bob and capture the exact request the browser sends when Bob updates one of his patients' records. Comparing the two, we deduce the pattern: typically a single field (a patient or record identifier) is all that changes between them. We can now predict how to update the records of Carol's and Dave's patients too.
Note how we used the traffic from Alice's and Bob's logins to reach Carol's and Dave's patients. That is how we use the two logins: to figure out how an attacker with one account might break into any other account at the same level.
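Both checks described above, as an added, self-contained illustration written for this page (it is not Plynt's tooling and is not code from the original post). A tiny in-memory stand-in for the server carries two request handlers: a deliberately weak one that only checks that the session is valid, and a hardened one that enforces role and patient ownership. The session tokens, user names and patient IDs are constructed for the demo. `vertical_escalation` replays the doctor's prescribe request with the nurse's session; `horizontal_access` diffs Alice's and Bob's update requests to find the varying identifier, then tries a third patient with Alice's session.

```python
"""Simulated privilege-escalation and cross-account tests for a clinic app.

Constructed example: the server, sessions, users and patient IDs below are
made up. Two handlers are provided so the tests can be run against a weak
authorization model and a hardened one.
"""
from dataclasses import dataclass, field

# Constructed fixture data: session token -> who it belongs to and which
# patients that user is responsible for.
SESSIONS = {
    "sess-drjones": {"user": "drjones", "role": "doctor", "patients": {"P-1001"}},
    "sess-alice":   {"user": "alice",   "role": "nurse",  "patients": {"P-1001"}},
    "sess-bob":     {"user": "bob",     "role": "nurse",  "patients": {"P-1002"}},
    "sess-carol":   {"user": "carol",   "role": "nurse",  "patients": {"P-1003"}},
}
PATIENTS = {pid: {"notes": "", "rx": []} for pid in ("P-1001", "P-1002", "P-1003")}


@dataclass
class Request:
    """A captured HTTP request, reduced to the parts that matter here."""
    method: str
    path: str
    cookie: str                       # session token
    body: dict = field(default_factory=dict)


def weak_handler(req: Request) -> int:
    """Checks only that the session exists and trusts the UI to hide buttons.
    Returns an HTTP-style status code."""
    if req.cookie not in SESSIONS:
        return 401
    pid = req.body.get("patient")
    if pid not in PATIENTS:
        return 404
    if req.path == "/prescribe":
        PATIENTS[pid]["rx"].append(req.body["drug"])
        return 200
    if req.path == "/patient/update":
        PATIENTS[pid]["notes"] = req.body["notes"]
        return 200
    return 404


def hardened_handler(req: Request) -> int:
    """Enforces the role (vertical) and patient ownership (horizontal) on
    every request, independent of what the UI showed the user."""
    sess = SESSIONS.get(req.cookie)
    if sess is None:
        return 401
    pid = req.body.get("patient")
    if pid not in PATIENTS:
        return 404
    if pid not in sess["patients"]:
        return 403                    # not this user's patient
    if req.path == "/prescribe":
        if sess["role"] != "doctor":
            return 403                # nurses may not prescribe
        PATIENTS[pid]["rx"].append(req.body["drug"])
        return 200
    if req.path == "/patient/update":
        PATIENTS[pid]["notes"] = req.body["notes"]
        return 200
    return 404


def vertical_escalation(handler) -> bool:
    """Capture the doctor's prescribe request, replay it with the nurse's
    cookie. Returns True if the nurse's replay is accepted."""
    doctor_req = Request("POST", "/prescribe", "sess-drjones",
                         {"patient": "P-1001", "drug": "amoxicillin"})
    if handler(doctor_req) != 200:    # legitimate baseline must work first
        raise RuntimeError("doctor's own request was rejected")
    nurse_replay = Request(doctor_req.method, doctor_req.path,
                           "sess-alice", dict(doctor_req.body))
    return handler(nurse_replay) == 200


def varying_fields(a: dict, b: dict) -> list:
    """Return the body fields whose values differ between two captured
    requests: these are the candidate object identifiers to enumerate."""
    return sorted(k for k in a if k in b and a[k] != b[k])


def horizontal_access(handler) -> bool:
    """Alice and Bob each update their own patient; diff the two requests to
    find the identifier, then target Carol's patient using Alice's session.
    Returns True if the forged request is accepted."""
    alice = Request("POST", "/patient/update", "sess-alice",
                    {"patient": "P-1001", "notes": "bp normal"})
    bob = Request("POST", "/patient/update", "sess-bob",
                  {"patient": "P-1002", "notes": "bp normal"})
    if handler(alice) != 200 or handler(bob) != 200:
        raise RuntimeError("baseline update was rejected")
    (id_field,) = varying_fields(alice.body, bob.body)      # -> "patient"
    forged = Request(alice.method, alice.path, alice.cookie,
                     dict(alice.body, **{id_field: "P-1003"}))
    return handler(forged) == 200


if __name__ == "__main__":
    for name, h in (("weak", weak_handler), ("hardened", hardened_handler)):
        print(name, "escalation:", vertical_escalation(h),
              "cross-account:", horizontal_access(h))
```

Against the weak handler both tests succeed; against the hardened one both are refused with 403, because the server decides from the session, not from the request the client chose to send. Run it with `python3 two_logins.py`.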
Plynt provides penetration testing and code review services to clients worldwide. If you are interested, please contact us for a quote. We'll get back to you within one working day.