Welcome to our Pentest Files blog series.
Each blog post will present an interesting or dangerous finding one of our testers has identified in an actual recent pen-test, so you can see the kinds of cool things our pen-testers get up to, and also to help you take steps to prevent similar vulnerabilities in your own assets.
These findings are taken from real reports, anonymised, and published with kind permission from our clients.
Target: Web application
Impact: Loss of potential upgrade revenue
Adam found that server-side security controls hadn’t been enabled in our customer’s target application, meaning he could access features which should have been reserved for paying customers.
We often find that some of our clients are relying on client-side security controls to enforce key security features.
Unfortunately for them, it’s often overlooked that client-side controls can be fully manipulated by the end users, and therefore easily bypassed.
Combining this with inadequate access control checks when calling backend API functions, a user with only a Freemium subscription to the application could access additional features which were reserved for paying customers.
While logged in as a Freemium user, during the webapp test Adam accessed the user’s account page and attempted to access a paid-for feature. A ‘paywall modal’ was displayed, seemingly preventing Adam from accessing these perks.
Crucially though, Adam was easily able to determine that this paywall modal was actually only a client-side ‘security’ measure. Client-side measures are executed, and therefore validated, by the client themselves, so the user would actually have full control over the paywall modal. They could easily bypass the normal procedure of validating the user’s subscription level via a server.
Once he disabled the paywall modal, Adam then attempted to execute one of the underlying paid-for functions, which was provided via supporting API backend. It was found that there were no ‘backed’ server-side access control checks, and therefore it was possible to make a request which should not have been possible for a Freemium user.
In fact, there were no server-side controls on any of the upgrade features, meaning that any user could access every restricted feature - whether they’d paid or not!
The ‘Golden Rule’ of application security: Never rely on client-side controls to enforce core security functions!
These can be trivially bypassed, so always make sure suitable access control checks are applied to all application functions. This way, you know for sure that the users making these requests have appropriate permissions (and are paying!) to do so.