How does a pen tester check that an app doesn't make privileged information available to unprivileged users?

David Geer

Distinguished Expert 2017
Commented:
By trying to access sections to which they should not have rights.
Including, but not limited to, depending on where the application runs, i.e. on the web, trying to add entries to the URL to make it appear .....


You need to be more detailed.
btan, Exec Consultant
Distinguished Expert 2018
Commented:
An auditor will ask for the error log for attempts by the non-privileged user to access that sensitive information. This is the most straightforward. But a pentester has to do better, as it would be a black box and they would not go through this route of reviewing logs.

Do a first cut on the open services of the system and identify which is the critical system; specifically, know how and where the sensitive information is stored. Good if you can map out the logical segments of the infrastructure and the tiered architecture (web/app/db).

Do a check on the identity directory, or possibly an AD scan for user credentials; commonly this is to phish for publicly available user email accounts and attempt some phishing emails to solicit a faked login to spoof and siphon away identity logins. I must say you need sanction from the user and can really stop here, since the rest is just to show you know the network and you have the list of users.

Best if you can scope down the targeted services; otherwise it is too huge to say it is a pentest based on objectives.

Ultimately, you need to find a way to get those ACLs off the identity store or siphon code from the application service to validate the ACL check logic. It may be easier if you know the services targeted and do a "call" on them and enumerate the exposed public interfaces.
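Putting the first answer's "try to access sections you should not have rights to" and btan's point about validating the ACL check logic by calling the exposed interfaces into code, here is an added example (mine, not from anyone in this thread). It models a toy application with an admin page and per-object URLs, a policy table of who should be allowed to see what, and a probe that requests every resource as every principal, anonymous included, and reports each case where the app served something the policy forbids. The app, its users and reports, and the policy are all constructed for the example; nothing here touches a real network.

```python
"""Access-control matrix probe: request every sensitive resource as every
principal, anonymous included, and compare what comes back with the intended
policy. The toy application, its data and the policy are all constructed for
this example; nothing here touches a real network."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed data: user 1 is the admin, user 2 an ordinary user.
USERS = {1: {"name": "alice", "role": "admin", "ssn": "***-**-0001"},
         2: {"name": "bob",   "role": "user",  "ssn": "***-**-0002"}}
REPORTS = {10: {"owner": 1, "body": "quarterly security review"},
           11: {"owner": 2, "body": "bob's expense report"}}


class App:
    """Toy web app. hardened=False reproduces two common mistakes: the admin
    page only checks 'is logged in' (vertical privilege escalation), and
    per-object URLs never check ownership (insecure direct object reference)."""

    def __init__(self, hardened: bool) -> None:
        self.hardened = hardened

    def handle(self, path: str, user_id: Optional[int]) -> Tuple[int, object]:
        """Return (HTTP status, body) for `path` requested by `user_id`
        (None = anonymous)."""
        if user_id is None:
            return 401, None
        role = USERS[user_id]["role"]
        if path == "/admin/users":
            # Vulnerable build: any logged-in user gets the whole user table.
            if self.hardened and role != "admin":
                return 403, None
            return 200, USERS
        m = re.fullmatch(r"/users/(\d+)/profile", path)
        if m:
            target = int(m.group(1))
            if target not in USERS:
                return 404, None
            # Vulnerable build: the id in the URL is trusted, no ownership check.
            if self.hardened and target != user_id and role != "admin":
                return 403, None
            return 200, USERS[target]
        m = re.fullmatch(r"/reports/(\d+)", path)
        if m:
            rid = int(m.group(1))
            if rid not in REPORTS:
                return 404, None
            if self.hardened and REPORTS[rid]["owner"] != user_id and role != "admin":
                return 403, None
            return 200, REPORTS[rid]
        return 404, None


# The tester's expected policy (written from the design docs): which
# principals may receive 200 on each resource. Anyone else, anonymous
# included, must be refused with 401/403.
POLICY: Dict[str, set] = {
    "/admin/users":     {1},
    "/users/1/profile": {1},
    "/users/2/profile": {1, 2},
    "/reports/10":      {1},
    "/reports/11":      {1, 2},
}
PRINCIPALS: List[Optional[int]] = [None, 1, 2]


def access_matrix_test(app: App) -> List[Tuple[str, Optional[int], int]]:
    """Walk the full resource x principal matrix and return every case where
    a principal the policy excludes still got a 200 with a body."""
    leaks = []
    for path, allowed in POLICY.items():
        for who in PRINCIPALS:
            status, body = app.handle(path, who)
            if who not in allowed and status == 200 and body is not None:
                leaks.append((path, who, status))
    return leaks


if __name__ == "__main__":
    for hardened in (False, True):
        leaks = access_matrix_test(App(hardened))
        print(f"hardened={hardened}: {len(leaks)} leak(s)")
        for path, who, status in leaks:
            actor = "anonymous" if who is None else f"user {who}"
            print(f"  {path} served to {actor} ({status})")
```

On a real engagement `App.handle` becomes an HTTP request carrying each principal's own session cookie (plus one with no cookie), and the policy table is the part worth the most effort: the probe can only flag what the tester has written down as forbidden. The vulnerable build above yields three leaks (the admin page and another user's profile and report served to user 2); the hardened build yields none.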
Technical Specialist
Awarded 2017
Distinguished Expert 2018
Commented:
From a database point of view, a common attack vector (still) is SQL injection, which tricks the server into giving more information than initially intended. This can sometimes even be used to create a full dump of the DB.
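As an added example of the point above (mine, not the commenter's), the same per-user lookup written twice against an in-memory SQLite database constructed for the example: once with the search term pasted into the SQL text, so the unprivileged user (owner 2) can turn a "my reports" query into "all reports" or into a UNION dump of the users table, and once parameterised so the same payloads match nothing. Table names, rows and payloads are all constructed.

```python
"""SQL injection against a per-user lookup: the query is meant to return only
the caller's own records, but string-built SQL lets an unprivileged user pull
everything, including another table. Schema, rows and payloads are
constructed for this example."""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT);
        CREATE TABLE reports(id INTEGER PRIMARY KEY, owner INTEGER, title TEXT);
        INSERT INTO users VALUES (1,'alice','$2b$12$adminhash'),
                                 (2,'bob','$2b$12$bobhash');
        INSERT INTO reports VALUES (10,1,'quarterly security review'),
                                   (11,2,'expense report'),
                                   (12,1,'pentest findings');
    """)
    return con


def find_reports_vulnerable(con: sqlite3.Connection, owner: int, title: str) -> List[Tuple]:
    # DELIBERATELY VULNERABLE: user-controlled `title` is pasted into the SQL,
    # so the ownership filter is only as strong as the attacker's quoting.
    sql = (f"SELECT id, owner, title FROM reports "
           f"WHERE owner = {owner} AND title LIKE '%{title}%'")
    return con.execute(sql).fetchall()


def find_reports_hardened(con: sqlite3.Connection, owner: int, title: str) -> List[Tuple]:
    # Parameterised: the driver sends `title` as data; it can never become SQL.
    sql = ("SELECT id, owner, title FROM reports "
           "WHERE owner = ? AND title LIKE '%' || ? || '%'")
    return con.execute(sql, (owner, title)).fetchall()


# Payloads a tester would submit as the unprivileged user (owner = 2).
# Closes the LIKE literal, makes the WHERE clause always true, comments out
# the rest of the original statement.
BYPASS = "zzz%' OR 1=1 --"
# Same trick, but appends a second SELECT so rows from the users table
# (including password hashes) come back in the "reports" result set.
UNION_DUMP = "zzz%' UNION SELECT id, 0, name || ':' || password_hash FROM users --"


def demo() -> None:
    con = make_db()
    print("legit search, vulnerable :", find_reports_vulnerable(con, 2, "expense"))
    print("bypass, vulnerable       :", find_reports_vulnerable(con, 2, BYPASS))
    print("union dump, vulnerable   :", find_reports_vulnerable(con, 2, UNION_DUMP))
    print("bypass, hardened         :", find_reports_hardened(con, 2, BYPASS))
    print("union dump, hardened     :", find_reports_hardened(con, 2, UNION_DUMP))


if __name__ == "__main__":
    demo()
```

Two things to notice when running it: the bypass payload returns all three reports although the query "filters" on owner 2, and the UNION payload returns the users table through a report endpoint, which is the "full dump of the DB" case. The parameterised version is immune to both; it still lets the user supply LIKE wildcards, which is a separate, non-injection matter.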
btan, Exec Consultant
Distinguished Expert 2018
Commented:
Another area that I am thinking of is weak authentication.
Frequently, administrators and technicians choose weak passwords, never change the default or do not set any password at all. Manuals for most software and hardware can be easily found online, and will provide the default credentials. Internet forums and official vendor mailing lists can provide information on undocumented accounts, commonly-used passwords and frequently misconfigured accounts. Finally, many web sites document default/backdoor passwords and should be checked for every identified system.

Author

Commented:
Thank you all. I love complete answers that you can explain clearly and simply.
