Bypassing authorization schema

Testing

X-Original-URL and X-Rewrite-URL

See example on URL-based access control: WebSecurityAcademy (PortSwigger) – Access control vulnerabilities.

Send a normal request without any X-Original-URL or X-Rewrite-URL header.

GET / HTTP/1.1
Host: www.example.com
[...]

Send a request with an X-Original-URL header pointing to a non-existing resource.

GET / HTTP/1.1
Host: www.example.com
X-Original-URL: /myprecious
[...]

Send a request with an X-Rewrite-URL header pointing to a non-existing resource.

GET / HTTP/1.1
Host: www.example.com
X-Rewrite-URL: /myprecious
[...]

If the normal request succeeds but the response to either header-bearing request contains markers that the resource was not found, this indicates that the application supports the special request headers. These markers may include the HTTP response status code 404, or a “resource not found” message in the response body.
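As an added illustration (not code from the original page): a toy Python back end that honours X-Original-URL and X-Rewrite-URL beside a hardened variant that ignores them, with the three-request check above run against both. It also shows the risk behind the check: a front-end rule that only inspects the request line is sidestepped when the back end routes the overridden path instead. All routes, users and requests are constructed for this example.

```python
# Added example, not code from the original page: a toy WSGI-style back end
# that shows why honouring X-Original-URL / X-Rewrite-URL undermines a
# front-end (proxy) access-control rule, beside a hardened variant that
# ignores those headers.  Routes, users and requests are all constructed.

ROUTES = {
    "/": lambda user: (200, "welcome"),
    "/admin": lambda user: (200, "user list"),
}

def proxy_allows(path, user):
    """Front-end rule: only 'admin' may reach /admin. It inspects the
    request line alone, which is all a proxy normally sees."""
    return not path.startswith("/admin") or user == "admin"

def resolve_path(environ, honour_override):
    """Path the back end will route. The vulnerable variant lets the client
    replace it through X-Original-URL or X-Rewrite-URL."""
    if honour_override:
        for hdr in ("HTTP_X_ORIGINAL_URL", "HTTP_X_REWRITE_URL"):
            if environ.get(hdr):
                return environ[hdr]
    return environ["PATH_INFO"]

def handle(environ, honour_override):
    user = environ.get("REMOTE_USER", "anonymous")
    if not proxy_allows(environ["PATH_INFO"], user):
        return (403, "forbidden")
    handler = ROUTES.get(resolve_path(environ, honour_override))
    if handler is None:
        return (404, "resource not found")  # the marker the test looks for
    return handler(user)

def vulnerable(environ):
    return handle(environ, honour_override=True)

def hardened(environ):
    # Mitigation: the override headers are simply never consulted.
    return handle(environ, honour_override=False)

def supports_override(app):
    """The check from the testing section: the plain request succeeds, but
    the same request with X-Original-URL pointing at a non-existing resource
    comes back 'not found', so the header is being honoured."""
    plain = {"PATH_INFO": "/", "REMOTE_USER": "bob"}
    probe = dict(plain, HTTP_X_ORIGINAL_URL="/myprecious")
    return app(plain)[0] == 200 and app(probe)[0] == 404
```

`supports_override(vulnerable)` returns True and `supports_override(hardened)` returns False; the hardened variant is the remediation to aim for when the front end, not the back end, enforces URL-based access control.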

Reporting

CVSS Score v3: 4.3
CVSS Vector v3: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N&version=3.1)


Title: APIs – Read access for unprivileged users

Description: Applications sometimes show different menus depending on the user role. For example, administrators might see menus to manage users and configurations, while normal users only see menus related to their tasks.
The APIs used by these different menus must also be protected against calls from unauthorized users. The application does not sufficiently protect some APIs depending on the user role.

Steps to reproduce: The test is based on WSTG-ATHZ-02 from the OWASP Web Security Testing Guide.
Create a user with minimum privileges.
Connect to the application with this user account.
Call APIs with this user.
Include screenshots.

Remediation: It is recommended to restrict the information returned by an API based on the user role. For example, an unprivileged user could only get information on their own user account, but an administrator could get the full list of users. Another option is to return “Unauthorized” when the user should not have access. It is recommended to validate that all APIs enforce the appropriate permissions.
The difficulty level to fix this vulnerability is assessed at “Moderate”.