Why we need two logins per privilege level

By Paladion

March 1, 2007

You might have noticed that the Plynt pre-test checklist requests two logins for each privilege level. Clients sometimes ask us why we need logins with different privileges, and why we need two for each level rather than just one.
It's quite simple.
The threats we test for fall into two categories:

  1. Can I escalate my privileges?
  2. Can I access another account with similar privileges?

Examples for the first - escalating the privileges - are:

  • a nurse prescribing drugs, a task only doctors are authorized to
  • a bank's customer approving loans, which only a manager may do
  • an eCommerce customer setting prices, which is the privilege of the merchant

How do we try to escalate our privileges? We study the traffic patterns to the server when we log in as the nurse, and then again when we log in as the doctor. We figure out which requests are sent when a doctor prescribes a drug. Then we try to replay them when we are logged in as the nurse. Can we fool the application into accepting our prescription while logged in as the nurse? For all this we need sample logins at every privilege level: both as the nurse and as the doctor.
But why two logins at each level?
That's really for the second category, which covers threats like:

  • a nurse updating the records of patients not under her care
  • a bank's customer seeing the account details of another user
  • a shopper adding items to the shopping cart of another customer

How can we update the records of patients not under our care? First, we log in as Alice and study the request to update the records of a patient. Then we log in as Bob and see the exact request the browser sends when Bob updates a patient's records. We then deduce the pattern in the requests. We can now predict how to update the records of Carol's and Dave's patients too.
See how we studied the traffic from Alice's and Bob's logins to get access to Carol's and Dave's? That's how we use the two logins: to figure out how an attacker might break into any other login.
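As an added example (not Paladion's code), here is a minimal in-memory model of the hospital scenario with the server-side checks that defeat both threat categories, plus a check that replays each login's request against patients belonging only to the other login, the same Alice/Bob pattern, and reports what the application wrongly accepted. The user, record and handler names are assumed for illustration.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Raised by the server-side checks when a request is not authorised."""

@dataclass
class User:
    name: str
    role: str                                   # "nurse" or "doctor"
    patients: set = field(default_factory=set)  # patients under this user's care

class Records:
    """Hardened handlers: role check (vertical) plus ownership check (horizontal)."""
    def __init__(self):
        self.notes, self.prescriptions = {}, {}  # patient -> list of entries

    def update_record(self, user, patient, note):
        # Horizontal check: the patient id in the request is not trusted on its own.
        if patient not in user.patients:
            raise Forbidden(f"{user.name} does not care for {patient}")
        self.notes.setdefault(patient, []).append(note)

    def prescribe(self, user, patient, drug):
        # Vertical check: a doctor's request replayed from a nurse's session fails here.
        if user.role != "doctor":
            raise Forbidden(f"{user.name} is a {user.role}, not a doctor")
        if patient not in user.patients:
            raise Forbidden(f"{user.name} does not care for {patient}")
        self.prescriptions.setdefault(patient, []).append(drug)

class UncheckedRecords(Records):
    """The 'before' version: trusts whatever patient id the client sends."""
    def update_record(self, user, patient, note):
        self.notes.setdefault(patient, []).append(note)

def denied(handler, *args):
    """True if the handler rejects the call with Forbidden."""
    try:
        handler(*args)
        return False
    except Forbidden:
        return True

def cross_account_check(app, users, action, *args):
    """Replay `action` from each login against patients that belong only to another
    login (the Alice/Bob pattern). Returns the (user, patient) pairs wrongly accepted."""
    handler = getattr(app, action)
    return {(actor.name, p) for actor in users for other in users
            for p in other.patients - actor.patients
            if not denied(handler, actor, p, *args)}
```

Running `cross_account_check` with two logins per level against `UncheckedRecords` surfaces the missing ownership check; against `Records` it returns an empty set.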
