Difference between revisions of "Testing fot Privilege escalation"

From OWASP
Jump to: navigation, search
Line 7: Line 7:
 
Privilege escalation occurs when a user gets to access more resources than is normally allowed when it should have been protected from the application. This is usually conducted from a flaw in the application. The result is that the application performs actions with more privileges than intended by the application developer or system administrator.
 
Privilege escalation occurs when a user gets to access more resources than is normally allowed when it should have been protected from the application. This is usually conducted from a flaw in the application. The result is that the application performs actions with more privileges than intended by the application developer or system administrator.
  
The degree of the escalation depends on which privileges the attacker is authorized to possess and which privileges can be obtained in a successful attack. Fro example a programming error that permits a user to gain extra privilege after successful authentication limits the degree of escalation because the user is already authorized to hold some privilege. Likewise, a remote attacker gaining superuser privilege without any authentication presents a greater degree of escalation.
+
The degree of the escalation depends on which privileges the attacker is authorized to possess and which privileges can be obtained in a successful attack. For example, a programming error that permits a user to gain extra privilege after successful authentication limits the degree of escalation because the user is already authorized to hold some privilege. Likewise, a remote attacker gaining superuser privilege without any authentication presents a greater degree of escalation.
 
<br>
 
<br>
 
== Description of the Issue ==  
 
== Description of the Issue ==  

Revision as of 03:28, 23 June 2008

OWASP Testing Guide v3 Table of Contents

This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.

OWASP at the moment is working at the OWASP Testing Guide v4: you can browse the Guide here

Contents


This is a draft of a section of the new Testing Guide v3

Brief Summary


Privilege escalation occurs when a user gets to access more resources than is normally allowed when it should have been protected from the application. This is usually conducted from a flaw in the application. The result is that the application performs actions with more privileges than intended by the application developer or system administrator.

The degree of the escalation depends on which privileges the attacker is authorized to possess and which privileges can be obtained in a successful attack. For example, a programming error that permits a user to gain extra privilege after successful authentication limits the degree of escalation because the user is already authorized to hold some privilege. Likewise, a remote attacker gaining superuser privilege without any authentication presents a greater degree of escalation.

Description of the Issue


...here: Short Description of the Issue: Topic and Explanation

Black Box testing and example

Testing for Topic X vulnerabilities:
...
Result Expected:
...

Gray Box testing and example

Testing for Topic X vulnerabilities:
...
Result Expected:
...

References

Whitepapers
...
Tools
...