Testing for Bypassing Authorization Schema (OWASP-AZ-002)

https://www.owasp.org/index.php/Testing_for_Bypassing_Authorization_Schema_(OWASP-AZ-002)

Brief Summary

This kind of test focuses on verifying how the authorization schema has been implemented for each role/privilege to get access to reserved functions/resources.


Description of the Issue

For every specific role the tester holds during the assessment, for every function and request that the application executes during the post-authentication phase, it is necessary to verify:


  • Is it possible to access that resource even if the user is not authenticated?
  • Is it possible to access that resource after the log-out?
  • Is it possible to access functions and resources that should be accessible to a user that holds a different role/privilege?

Try to access the application as an administrative user and track all the administrative functions.


  • Is it possible to access administrative functions also if the tester is logged in as a user with standard privileges?
  • Is it possible to use these administrative functions as a user with a different role and for whom that action should be denied?

Black Box testing and example

Testing for access to administrative functions
For example, suppose that the 'AddUser.jsp' function is part of the administrative menu of the application, and it is possible to access it by requesting the following URL:


https://www.example.com/admin/addUser.jsp

Then, the following HTTP request is generated when calling the AddUser function:

POST /admin/addUser.jsp HTTP/1.1
Host: www.example.com
[other HTTP headers]

userID=fakeuser&role=3&group=grp001

What happens if a non-administrative user tries to execute that request? Will the user be created? If so, can the new user use her privileges?


Testing for access to resources assigned to a different role
Analyze, for example, an application that uses a shared directory to store temporary PDF files for different users. Suppose that documentABC.pdf should be accessible only by the user test1 with roleA. Verify if user test2 with roleB can access that resource.

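The following Python snippet is an added example (not from the OWASP guide) that models the `POST /admin/addUser.jsp` request above with a server-side session and role check, and runs the checklist from this page (unauthenticated, after log-out, standard-privilege user, administrator) against it. It also shows what the same checklist reports when the role check is missing. The names `SessionStore`, `handle_add_user` and `bypass_checklist` are assumed for the example.

```python
from dataclasses import dataclass

ADMIN_ROLE = "admin"


@dataclass
class Session:
    user: str
    role: str
    active: bool = True  # flipped to False on log-out


class SessionStore:
    """Constructed in-memory session table standing in for the application's."""
    def __init__(self):
        self._sessions = {}

    def login(self, token, user, role):
        self._sessions[token] = Session(user, role)

    def logout(self, token):
        session = self._sessions.get(token)
        if session:
            session.active = False  # a logged-out token must no longer authorize anything

    def get(self, token):
        session = self._sessions.get(token)
        return session if session and session.active else None


def handle_add_user(store, token, body, enforce_role=True):
    """Handler for POST /admin/addUser.jsp; returns an HTTP status code.
    enforce_role=False emulates the defect the test looks for: any authenticated user succeeds."""
    session = store.get(token)
    if session is None:
        return 401  # not authenticated, or session invalidated at log-out
    if enforce_role and session.role != ADMIN_ROLE:
        return 403  # authenticated, but this role may not reach administrative functions
    # ... parse body (userID, role, group) and create the account ...
    return 201


def bypass_checklist(store, enforce_role=True):
    """Run the page's checks; each value is True when the control held."""
    body = "userID=fakeuser&role=3&group=grp001"  # request body from the page
    store.login("tok-admin", "alice", ADMIN_ROLE)
    store.login("tok-user", "bob", "user")
    store.login("tok-gone", "carol", ADMIN_ROLE)
    store.logout("tok-gone")
    return {
        "unauthenticated_denied": handle_add_user(store, None, body, enforce_role) == 401,
        "after_logout_denied": handle_add_user(store, "tok-gone", body, enforce_role) == 401,
        "standard_user_denied": handle_add_user(store, "tok-user", body, enforce_role) == 403,
        "admin_allowed": handle_add_user(store, "tok-admin", body, enforce_role) == 201,
    }
```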
