Missing Function Level Access Control

This vulnerability is largely due to a flawed assumption or misconfigured access control lists. In the first case, applications will commonly modify the user interface to remove or hide elements that a user does not have access to. However, a dangerous assumption that is often made is that because a user will not have access to UI elements or links, they will not be able to invoke the hidden application functionality. However, predictable identifiers and standard naming conventions can make guessing or enumerating hidden web pages or links quite easy. If no server-side access checks are performed, an attacker can simply access these pages and potentially gain access to privileged functionality. In the second case, access control lists on the server may be misconfigured and result in a mismatch with client-side UI restrictions. This may allow functionality that is disallowed by the UI to be invoked on the server.

Website Tree Structure

Here’s the structured representation of your website's code tree:

Website/
│
├── __init__.py
├── settings.py
├── urls.py
└── wsgi.py
│
└── Exams/
    ├── __init__.py
    ├── apps.py
    ├── models.py
    ├── urls.py
    ├── views.py
    └── Templates/
        └── exams/
            ├── dashboard.html
            ├── home.html
            └── login.html

views.py

from django.contrib import messages
from django.contrib.auth import authenticate, login, logout
from django.contrib.auth.decorators import login_required
from django.core.urlresolvers import reverse
from django.http import HttpResponseRedirect
from django.shortcuts import render
from exams.models import UserLoginForm

# View method for user login
def user_login(request):
    if request.method == 'POST':
        form = UserLoginForm(request.POST)
        if form.is_valid():
            username = form.cleaned_data['username']
            password = form.cleaned_data['password']
            user = authenticate(username=username, password=password)
            if user:
                if user.is_active:
                    login(request, user)
                    messages.success(request, 'Welcome User!')
                    return HttpResponseRedirect(reverse('exams:user_home'))
                else:
                    messages.error(request, 'Incorrect credentials')
            else:
                messages.error(request, 'Please check user name and password. Try again')
        else:
            messages.info(request, 'Invalid input')
    else:
        form = UserLoginForm()
    method_context = {'form': form}
    return render(request, 'exams/login.html', method_context)

# View method for user home page post login
@login_required
def user_home(request):
    logged_in_user = request.user
    method_context = {'logged_in_user': logged_in_user}
    return render(request, 'exams/home.html', method_context)

# View method for logout user session
@login_required
def user_logout(request):
    logout(request)
    messages.success(request, 'Successfully logged out')
    return HttpResponseRedirect(reverse('exams:user_login'))

# View method for user dashboard
@login_required
def user_dashboard(request):
    dashboard = 'User '
    if 'admin' in request.GET and request.GET['admin'] == 'True':
        dashboard = 'Admin'
    return render(request, 'exams/dashboard.html', {'tag': dashboard})

dashboard.html

<!DOCTYPE html>
<html>
    <head>
        <title>Random App</title>
    </head>
    <body>
        {# Message notifications #}
        <di>
            <ul class="messages">
<div>
  <li>
<div> class="{{ message.tags }}"</div>>{{ message }}</li>
                </div>
            </ul>
</div>
        {# Message notifications end #}
        {{ tag }} Dashboard
        <br>
  	<a href="{% url 'exams:user_logout' %}">Logout</a>
    </body>
</html>

Weak Points: Access Control - Missing Function Level Access Control

User Dashboard Access Control:
- The user_dashboard view allows any logged-in user to access it. The logic that checks for the "admin" parameter does not enforce any role checks, which could expose admin functionalities to regular users. This means that if a regular user manipulates the URL to include ?admin=True, they could potentially see admin-related content.
User Home Page:
- The user_home view is accessible to any logged-in user, but it does not check if the user has the appropriate permissions to view certain content. If sensitive information is displayed here, it could be exposed to unauthorized users.
User Logout:
- The user_logout function does not verify the user's role before allowing them to log out. This could lead to situations where a user could log out another user if they have access to the session.

Steps to Reproduce the Attack Vector

Identify Vulnerable Views: Review the codebase for views that use @login_required without additional role checks.
Log in as a Regular User: Create a regular user account and log in to the application.
Access the Dashboard: Attempt to access the dashboard URL with the query parameter ?admin=True:
```
http://yourwebsite.com/dashboard?admin=True
```
Observe the Response: If the application allows access to admin-related content without proper authorization checks, it confirms the presence of a missing function level access control vulnerability.

Real-Life Examples of Similar Vulnerabilities

Facebook
Edx.
Educational Websites
Forums

PreviousRead Sensitive Information/Iterable Object Identifiers NextDirectory Traversal File Include

Last updated 10 months ago