Learn how a missing authorization check led to unauthorized access to internal resources and how to fix it with authentication best practices. In this blog post, we delve into a common security incident where a lack of proper authorization checks led to unauthorized users gaining view and edit access to an internal third-party resource. While doing reconnaissance for subdomain enumeration, found one internal subdomain (useful for only internal team tracking purposes) hosted live carrying the upcoming tasks and daily updates for internal employees which was assumed to be secure but found to be more vulnerable. However, the absence of authentication mechanisms allowed anyone with knowledge of the subdomain's URL to access and manipulate the internal content.

Table of Contents

1. The Security Vulnerability: Missing Authorization in Internal Resources
2. The Impact: Unauthorized Access and Data Modification
3. How to Secure Internal Resources with Authentication and Authorization

‍

The Security Vulnerability: Missing Authorization in Internal Resources

The internal subdomain had a static page with daily updates noted in a calendar in which employees could add their daily tasks and embed links for Jira tickets, Figma projects, etc. This security misconfiguration leads to missing authorization checks on the Figma panel. While the panel was located on an internal subdomain, it was not adequately protected by authentication measures.

Discovery

On visiting all pages in the respective subdomain (calendar.redacted.com) found multiple URLs having Jira tickets for regular updates and tracking which was well secured having SSO from Okta. But there were also project URLs for Figma used for the design and development of the front end across the application. Here, the user needs authentication to view the project having the invite or access from the project admin. Due to a lack of authorization, any user can sign up with their individual credentials and access the project without restrictions. These projects were daily updated and monitored by the internal resources and particularly attackers can make changes on behalf of the organization.

The Impact: Unauthorized Access and Data Modification

The impact of this security misconfiguration was significant. Unauthorized users could:

‍

• View sensitive information: The Figma panel contains confidential design prototypes, user interface mockups, or other proprietary design assets. Unauthorized access could expose this sensitive information to competitors or malicious actors.
• Modify design content: The ability to edit the Figma panel allowed unauthorized users to tamper with the design content. This could lead to the introduction of malicious elements, design inconsistencies, or other unintended changes.

‍

How to Secure Internal Resources with Authentication and Authorization

To prevent similar unintentional security misconfigurations, it is crucial to implement proper authentication and authorization mechanisms for all internal applications and resources, including those hosted on internal subdomains.

‍

• Authentication: Verify the identity of users attempting to access the application. This typically involves requiring users to provide credentials, such as a username and password.
• Authorization:  After a user is authenticated, determine what actions they are allowed to perform within the application. This involves role-based access control mechanisms and permissions to users based on their job responsibilities and access requirements.

Key Takeaways

• Authentication and authorization are essential:  Implementing proper access controls is crucial for protecting sensitive data and preventing unauthorized access.