Working from home may reveal the flaws of applications and processes in use, so double-checking the access controls and privilege escalation possibilities is highly recommended.
Web applications are more popular than ever, people prefer working remotely from home instead of sitting in the office. Self-developed applications are not only used in the office anymore, employees use them from several locations. Have these apps really been prepared for remote work from security point of view?
The users of the application, the employees tend to spend more time with digging into the system, looking for shortcuts to solve their issues simply because the manager and administrator are not so easy to contact as it would be in the office. Some users may already know a few tricks that can be used to grant access to different functions without authorization.
It is a cliche already, but the users are the biggest risk for the systems.
A well-designed and well-implemented authorization system can protect you from unauthorized access. But is that really true?
A common problem of bespoke software is that the different user levels are not separated well enough. By modifying URLs, or by simple guessing, users may access to data that should not be available for them. In IT security terminology this is called "privilege escalation", which can be often be the source of the most serious problems in a multi layered software architecture.
Unauthorized access can almost never be detected with internal testers or with automated tools. A comprehensive log analysis can be used after a potential data breach, but it is not suitable to prevent such an issue.
Regular and thorough security tests can identify the possible flaws. Our team at Whiteshield pay particular attention to potential privilege escalation issues during web application testing, using manual techniques.
