Authorization / Bypassing Authorization Schema
Bypassing Authorization Schema is an authorization vulnerability found in web and API applications. It maps to CWE-285 (Improper Authorization) in the Common Weakness Enumeration (CWE) catalogue. The OWASP Web Security Testing Guide covers it under WSTG-ATHZ-02 (Testing for Bypassing Authorization Schema): the application authenticates the user correctly but then fails to check, for each request, whether that user is actually permitted to perform the requested function on the requested resource. The bypass can be horizontal (reaching another user's data at the same privilege level, for example by changing an identifier in the URL) or vertical (reaching functions reserved for a higher privilege level such as an administrator).
The severity depends on what the unprotected function or data exposes. Reading another user's records is typically rated medium; reaching functions that modify or delete data, or administrative functions, is rated high. OWASP groups this whole class under Broken Access Control (A01 in the OWASP Top 10 2021).
To protect against this vulnerability, keep authentication (who the caller is) and authorization (what that caller may do) as separate, mandatory steps, and enforce authorization server-side on every request. The check must use the identity established by the session, not an identifier supplied by the client, and must be made against the specific resource being accessed, not only the route. Deny by default, so that a new function without an explicit rule is unreachable rather than open. Log authorization denials with the user, action and resource, since a burst of denied requests from one session is the signature of someone probing for a bypass.
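The following Python is an added example written for this page; it is not code from the original article or from any product the page names. It shows a small invoice API with a single authorization layer, a handler that skips that layer (vulnerable) beside one that enforces it (hardened), and the differential replay test from WSTG-ATHZ-02: requests captured from a privileged session are replayed with a lower-privileged session and with no session, and every success is a candidate bypass. All users, sessions, invoices and recorded requests are constructed sample data.

```python
"""Added example: authorization layer, vulnerable vs hardened handler, and a
differential replay test. Users, sessions and invoices are constructed data."""
import logging

logging.basicConfig(format="%(levelname)s %(message)s")
log = logging.getLogger("authz")

# Constructed sample data: who is logged in, and who owns which invoice.
USERS = {"alice": "admin", "bob": "user", "carol": "user"}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob", "tok-carol": "carol"}
INVOICES = {
    101: {"owner": "bob", "amount": 40, "voided": False},
    102: {"owner": "carol", "amount": 75, "voided": False},
}


def authenticate(headers):
    """Resolve the session cookie to a user name; None if absent or unknown."""
    cookie = headers.get("Cookie", "")
    token = cookie[len("session="):] if cookie.startswith("session=") else ""
    return SESSIONS.get(token)


def authorize(user, action, invoice_id):
    """Single policy decision point. Admins may do anything; an ordinary user
    may only read invoices they own and may never void one. The identity comes
    from the session, the resource from the store, never from the client.
    Denials are logged so probing shows up in monitoring."""
    inv = INVOICES[invoice_id]
    role = USERS[user]
    allowed = role == "admin" or (action == "read" and inv["owner"] == user)
    if not allowed:
        log.warning("authz denied user=%s role=%s action=%s invoice=%s",
                    user, role, action, invoice_id)
    return allowed


def _parse(path):
    """'/invoices/101' -> (101, 'read'); '/invoices/101/void' -> (101, 'void')."""
    parts = path.strip("/").split("/")
    return int(parts[1]), (parts[2] if len(parts) > 2 else "read")


def handle_vulnerable(method, path, headers):
    """Checks only that *a* session exists, then trusts the URL: any logged-in
    user can read any invoice (horizontal bypass) and reach the admin-only
    void action (vertical bypass)."""
    if authenticate(headers) is None:
        return 401, None
    invoice_id, action = _parse(path)
    if invoice_id not in INVOICES:
        return 404, None
    if action == "void":
        if method != "POST":
            return 405, None
        INVOICES[invoice_id]["voided"] = True
        return 200, {"voided": True}
    return 200, dict(INVOICES[invoice_id])


def handle_secure(method, path, headers):
    """Same routes, but every request passes authorize() before the resource
    is touched, so a user outside the policy gets 403 regardless of the URL."""
    user = authenticate(headers)
    if user is None:
        return 401, None
    invoice_id, action = _parse(path)
    if invoice_id not in INVOICES:
        return 404, None
    if not authorize(user, action, invoice_id):
        return 403, None
    if action == "void":
        if method != "POST":
            return 405, None
        INVOICES[invoice_id]["voided"] = True
        return 200, {"voided": True}
    return 200, dict(INVOICES[invoice_id])


def replay_as(handler, recorded, cookie):
    """Differential test: replay requests captured from a privileged session
    using a lower-privileged (or empty) session. Any 2xx is a finding."""
    headers = {"Cookie": cookie} if cookie else {}
    findings = []
    for method, path in recorded:
        status, _ = handler(method, path, headers)
        if 200 <= status < 300:
            findings.append((method, path, status))
    return findings


# Constructed: requests captured while browsing as the admin alice.
RECORDED_AS_ADMIN = [("GET", "/invoices/101"), ("GET", "/invoices/102"),
                     ("POST", "/invoices/102/void")]

if __name__ == "__main__":
    for name, handler in (("vulnerable", handle_vulnerable), ("secure", handle_secure)):
        print(name, "replayed as bob:", replay_as(handler, RECORDED_AS_ADMIN, "session=tok-bob"))
        print(name, "replayed without session:", replay_as(handler, RECORDED_AS_ADMIN, None))
```

Against the vulnerable handler, bob's replay succeeds on all three requests, including carol's invoice and the admin-only void action; against the hardened handler only his own invoice is readable and the rest return 403. Both handlers reject the cookieless replay with 401, which is why testing only for missing authentication misses this class of bug: the assessor must replay as a different authenticated user as well.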
The following request is the one this page cites from CVE-2019-3484, an authorization bypass in the Teltonika RUT955 router that allowed attackers to access the device without authentication. Note that the request carries no session cookie and no Authorization header: it is simply an unauthenticated request for the device's root page. What makes it a bypass is the response, not the request. A correctly protected endpoint answers such a request with a redirect to the login page or a 401/403, never with the protected content.
GET / HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0)
Accept: */*
Accept-Language: en-US