Wednesday, June 6, 2012

Failure to Restrict URL Access

Back to web application security....

The Open Web Application Security Project (OWASP) lists something called "Failure to Restrict URL Access" as the ninth item on its Top Ten list of the most prevalent security problems on the Internet today.

The phrase means that some web applications let a visitor change the address in the web browser to reach pages (or screens) they should not be allowed to see.

For example, if your dentist has a website where you can look up when your last appointment was and schedule a new one, there should be a way for the dentist or someone on the staff to see who has set up appointments, or to mark days on which no appointments will be scheduled because the doctor will be out.

Those screens should only be accessible by the individuals who are employed by the dentist, and perhaps only a select few of those.

OWASP rates the severity of this problem as 'moderate'. A security auditor may fail your application for corporate use altogether if this is allowed.

Even if these "administrator only" screens are password protected, merely being able to find the log-in screen by manipulating the URL is cause for failure.

What can you do to manage this?  Plenty.

First, make sure your application makes good use of session controls. As individuals use your online application we don't necessarily need to know who they are, only that they are there and are using the application.

Next, make sure the only way the screen will display is if the viewer is coming from an authorized link. The very bottom of the main application screen may have "Site Admin Click Here". That link should carry some kind of dynamic variable (e.g. DayOfYear) that can be used to double-check the referring URL together with the dynamic variable. Both must be in place in order to see the admin log-in.

One thing you may want to try is running your admin screens in a 100% IFRAME. If you do, place the snippet below at the top of all your admin screens. If someone reaches a screen by typing its address directly into the browser, they will be bumped back to the main application screen.

<script type='text/javascript'>
   // Placed at the top of every admin screen: if this page is the top-level
   // window (i.e. it is not being shown inside the IFRAME), send the viewer
   // back to the main application screen.
   if (top == self) {
      window.location = '../../default.htm';
   }
</script>
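The three steps above (session controls, the admin link carrying a dynamic variable checked against the referring URL, and bumping direct visitors back to the main screen) are things the browser can be talked out of; the decision has to be made again on the server for every request. Below is an added example, not code from the original post, of that server-side gate written as a plain Node.js function so it runs without a web framework. The origin, the /admin/ paths, the shape of the request and session objects, and the "admin" role name are all assumptions. It goes one step beyond the post by also requiring the session to carry an admin role for every admin screen, not just for the log-in page.

```javascript
// Added example, not from the original post: server-side URL access control
// for the admin area. Constructed values and assumed paths are marked below.
const APP_ORIGIN = "https://dentist.example";    // constructed origin
const MAIN_SCREEN = APP_ORIGIN + "/default.htm"; // page that carries the admin link
const ADMIN_LOGIN = "/admin/login.htm";          // assumed admin log-in path
const ADMIN_PREFIX = "/admin/";                  // assumed location of all admin screens

// The post's "dynamic variable": the day of the year, appended to the admin
// link as ?d=<value> and recomputed on the server when the link is followed.
function dayOfYear(date) {
  const startOfYear = Date.UTC(date.getUTCFullYear(), 0, 1);
  return Math.floor((date.getTime() - startOfYear) / 86400000) + 1;
}

// The link the main screen would print at its very bottom for today.
function adminLink(now) {
  return APP_ORIGIN + ADMIN_LOGIN + "?d=" + dayOfYear(now);
}

// authorizeRequest decides whether the viewer may see req.path.
//   req:     { path, query, headers }   (header names lower-case)
//   session: { id, role } for any visitor with a server-side session, or null
//   now:     Date, injected so the day-of-year check is testable
// Returns { allow, status, reason }; 302 means "bump back to the main screen".
function authorizeRequest(req, session, now) {
  // Public screens: anyone may view them.
  if (!req.path.startsWith(ADMIN_PREFIX)) {
    return { allow: true, status: 200, reason: "public screen" };
  }
  // Step one from the post: every viewer of the admin area must already have
  // a session, even an anonymous one, before logging in.
  if (!session || !session.id) {
    return { allow: false, status: 302, reason: "no session" };
  }
  if (req.path === ADMIN_LOGIN) {
    // Step two from the post: the log-in screen is shown only when reached
    // through the link on the main screen AND the dynamic variable matches.
    // Referer is supplied by the client, so this is a speed bump, not the
    // control that holds; the role check below is.
    const referer = req.headers["referer"] || "";
    const token = Number(req.query.d);
    if (!referer.startsWith(MAIN_SCREEN) || token !== dayOfYear(now)) {
      return { allow: false, status: 302, reason: "not reached via the admin link" };
    }
    return { allow: true, status: 200, reason: "admin log-in screen" };
  }
  // Every other admin screen: the session must carry the admin role. This
  // runs on each request, so a typed-in address gets the same answer as a
  // followed link, and the IFRAME script in the post becomes a convenience
  // rather than the only barrier.
  if (session.role !== "admin") {
    return { allow: false, status: 403, reason: "role '" + session.role + "' may not view admin screens" };
  }
  return { allow: true, status: 200, reason: "admin screen" };
}

// Constructed sample requests showing each outcome, dated to the post.
function demo() {
  const now = new Date(Date.UTC(2012, 5, 6));
  const viaLink = { path: ADMIN_LOGIN, query: { d: String(dayOfYear(now)) }, headers: { referer: MAIN_SCREEN } };
  const typedIn = { path: ADMIN_LOGIN, query: {}, headers: {} };
  const schedule = { path: "/admin/schedule.htm", query: {}, headers: {} };
  const patient = { id: "s1", role: "patient" };
  const staff = { id: "s2", role: "admin" };
  return [
    authorizeRequest(viaLink, patient, now),  // 200: log-in screen via the link
    authorizeRequest(typedIn, patient, now),  // 302: address typed in directly
    authorizeRequest(schedule, patient, now), // 403: not staff
    authorizeRequest(schedule, staff, now),   // 200: staff member
  ];
}

demo().forEach(r => console.log(r.status, r.reason));
```

The function is meant to be called before any admin screen is rendered, with `now` taken from the server clock; keeping the clock as a parameter is what lets the day-of-year check be exercised in a test without waiting for the calendar. Note that a bookmarked admin link stops working at midnight, which is the intended effect of the dynamic variable.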

So this is #9 of the OWASP Top Ten list of security problems on the Internet. We can work together to get this moved off their list as we begin to focus on other things.
