Relying on frontend controls for access management can lead to attackers gaining excessive privileges.

HALOCK Security Labs Web Application Penetration Testing can fully identify and evaluate web application vulnerabilities. There are a variety of ways to exploit a web application to retrieve sensitive data. In a recent client engagement, HALOCK Security Team identified a critical vulnerability by exploiting improper access control on API endpoints.

All HALOCK Security Labs penetration tests are performed with consent in controlled environments.

How did this exploit work?

The attacker used a man-in-the-middle proxy to monitor requests and responses between the client’s web browser and the web application. The web application in question relied on authentication to verify users before granting access to the backend API. Each request required an authentication header, which ensured that only authenticated users could access the application data. However, HALOCK discovered the backend API endpoints failed to implement Authorization.

Authorization involves ensuring that the user submitting the request has the appropriate permissions to make requests or modify specific data. In this case, the backend API endpoints did not verify whether a user had the correct permissions to perform certain actions.

HALOCK observed that one of the first API requests made by the application was used to retrieve the user’s permissions, which influenced how the user interface (UI) was displayed. For example, a low-privileged user would not see administrative options in the UI.

The developers likely believed that users would only interact with the UI components visible to them based on their role. However, this assumption overlooked a critical flaw: the API should not trust the frontend to enforce access control. Users could potentially manipulate requests to the backend API directly, bypassing the UI restrictions.

Without Authorization checks on the backend, any authenticated user could send requests to sensitive API endpoints meant for administrators. Because of this, HALOCK was able to retrieve and edit data beyond what the user’s authorized role should have allowed, such as reading and editing user accounts.

What did we learn and how can this type of exploitation be prevented?

Situations like this can occur when the Defense in Depth model is not followed. Defense in Depth is a cybersecurity strategy that employs multiple layers of protection to defend against threats and mitigate the impact of a single weakness.

For web applications, an example of using Defense in Depth would be to implement measures that protect the network using multiple safeguards, including:

  • Firewall: Blocks unauthorized access
  • Web Application Firewall (WAF): Filters malicious traffic targeting the application
  • HTTPS: Encrypts data in transit
  • Authentication: Enforces strong passwords and MFA
  • Code Security: Implements input validation and mitigates common vulnerabilities like SQL injection
  • Authorization: Verify the requested action is approved for that user

In the client engagement mentioned above, the vulnerability stemmed from a lack of authorization controls at the API endpoints. The absence of a compensating defense left the system vulnerable to unauthorized access and manipulation.

Key Principles of Defense in Depth

  1. Layered Security: Combines different tools and practices to create overlapping protections
  2. Redundancy: Multiple defenses for the same asset reduces the risk of compromise
  3. Diversity: Using different types of security measures reduces vulnerabilities to a single type of attack

This engagement highlighted the importance of not relying solely on frontend controls for access management. API endpoints should always enforce both authentication and Authorization to ensure that users can only access data and perform actions they are authorized to do.

Paul – Web Application Testing