
WAF Solutions against OWASP Top 10 Risks

7.6.3

Preventing unauthorized users accessing admin path

An online shopping website, shopexample.com, has a separate admin panel accessible at shopexample.com/admin, used by administrators to manage products, orders, and user accounts. The admin panel is supposed to be accessible only to users with administrative privileges. However, due to misconfigured access controls, a standard user discovers they can access admin functions by simply modifying the URL or manipulating their session cookies.

Security flaw exploitation

  • Session Cookie Manipulation
    A standard user, after logging in, changes the privilege-level value stored in their session cookie from "user" to "admin" using the browser's developer tools or an intercepting proxy. This works only because the application trusts the role claimed by a client-supplied cookie instead of looking the role up server-side.

  • Direct URL Access (Forced Browsing)
    The user navigates directly to shopexample.com/admin by typing the URL into the browser's address bar. Because the server performs no access control check on that path, it renders the admin page, giving an ordinary authenticated user administrative functions without any authorization check.

  • Unauthorized Actions
    Leveraging this access, the user views sensitive information, modifies product listings, and even accesses other users' order details, all of which are unauthorized actions that compromise data integrity and privacy.
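The following is an added example, not code from the page or from shopexample.com (a hypothetical site). It puts the flawed authorization pattern described above (role read from a client cookie, only the landing page guarded) next to a fixed dispatcher that derives the role from a server-side session and applies the check to every normalised path under /admin. The user table, the in-memory session store and the cookie names `sid` and `role` are constructed for the example.

```python
"""Admin-route authorization: the flawed pattern from the scenario next to a fixed one."""
import posixpath
import secrets
from typing import Dict, Optional

USERS: Dict[str, str] = {"alice": "admin", "bob": "user"}   # username -> role, kept server-side
SESSIONS: Dict[str, str] = {}                               # session id -> username, kept server-side


def login(username: str) -> Dict[str, str]:
    """Cookies the application sets after a successful login (constructed)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    # The flawed application also sends the role in a cookie; the fixed one never reads it.
    return {"sid": sid, "role": USERS[username]}


def vulnerable_dispatch(cookies: Dict[str, str], path: str) -> int:
    """Flawed: trusts the client-supplied role cookie, and guards only the admin
    landing page, so /admin/orders is reachable by forced browsing."""
    if path == "/admin":
        return 200 if cookies.get("role") == "admin" else 403
    return 200                       # every other path is served without any check


def current_role(cookies: Dict[str, str]) -> Optional[str]:
    """Authoritative role: looked up from the server-side session, never read from the client."""
    user = SESSIONS.get(cookies.get("sid", ""))
    return USERS.get(user) if user else None


def hardened_dispatch(cookies: Dict[str, str], path: str) -> int:
    """Fixed: normalise the path first, then apply the role check to every
    request under /admin before any handler runs."""
    norm = posixpath.normpath(path)             # /public/../admin/orders -> /admin/orders
    if norm == "/admin" or norm.startswith("/admin/"):
        role = current_role(cookies)
        if role is None:
            return 401                          # not authenticated
        if role != "admin":
            return 403                          # authenticated, but not authorised
    return 200


def scenario() -> Dict[str, int]:
    """Replay the attack steps from the text against both dispatchers."""
    bob = login("bob")
    bob_tampered = dict(bob, role="admin")      # session cookie manipulation
    return {
        "flawed_tampered_cookie": vulnerable_dispatch(bob_tampered, "/admin"),
        "flawed_forced_browsing": vulnerable_dispatch(bob, "/admin/orders"),
        "fixed_tampered_cookie": hardened_dispatch(bob_tampered, "/admin"),
        "fixed_forced_browsing": hardened_dispatch(bob, "/admin/orders"),
        "fixed_traversal": hardened_dispatch(bob, "/public/../admin/orders"),
        "fixed_admin_ok": hardened_dispatch(login("alice"), "/admin/orders"),
    }
```

The fixed dispatcher makes the check a property of the route prefix rather than of individual handlers, so adding a new admin page cannot silently skip it, and it normalises the path before matching so that a traversal sequence cannot dodge the prefix test.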

Solutions by FortiWeb

To prevent session cookie manipulation, forced browsing to the admin path, and the unauthorized actions that follow from them, you can configure FortiWeb as described below.

Solution 1 - Configuring URL Access to restrict access to shopexample.com/admin

Access to the administrative panel of your web application should be allowed only when the client's source IP address belongs to an administrator's computer on your private management network.

Step 1 - Create a URL Access rule to allow access to "/admin" from the administrators' source IP addresses.
  1. Go to Web Protection > Access > URL Access.
  2. Select the URL Access Rule tab.
  3. Click Create New.
  4. Configure these settings:
    Name: Allow-admin-access
    Host Status: Enable
    Host: shopexample.com
    Action: Continue. The matching request is allowed by URL Access but is still evaluated by any subsequent rules defined in the web protection profile.
    Severity: Medium
    Trigger Action: Select a trigger action to specify how FortiWeb logs the attack.
  5. Click OK.
  6. Click Create New to add a new URL access condition entry to the set.
  7. Configure these settings:
    Source Address: Enable
    Source Address Type: IPv4/IPv6 / IP Range
    IPv4/IPv6 / IP Range: Enter the IP address or IP range of the administrators' computers on your private management network.
    URL Type: Simple String
    URL Pattern: /admin
    Meet this condition if: Object matches the Source Address and the URL pattern.
  8. Click OK.
Step 2 - Create another URL Access rule to block access to "/admin" from all source IPs
  1. Go to Web Protection > Access > URL Access.
  2. Select the URL Access Rule tab.
  3. Click Create New.
  4. Configure these settings:
    Name: Block-all-access
    Host Status: Enable
    Host: shopexample.com
    Action: Alert & Deny. Block the request and generate an alert, log message, or both.
    Severity: Medium
    Trigger Action: Select a trigger action to specify how FortiWeb logs the attack.
  5. Click OK.
  6. Click Create New to add a new URL access condition entry to the set.
  7. Configure these settings:
    Source Address: Disable
    URL Type: Simple String
    URL Pattern: /admin
    Meet this condition if: Object matches the URL pattern and Parameters.
  8. Click OK.
Step 3 - Create a URL Access policy to reference the two rules
  1. Go to Web Protection > Access > URL Access.
  2. Select the URL Access Policy tab.
  3. Click Create New.
  4. In Name, type a unique name that can be referenced by other parts of the configuration. The maximum length is 63 characters.
  5. Click OK.
  6. Click Create New to add the first rule to the set.
  7. From the Access Rule Name drop-down list, select "Allow-admin-access".
  8. Click OK.
  9. Click Create New to add the second rule to the set.
  10. From the Access Rule Name drop-down list, select "Block-all-access".
  11. Click OK.

Make sure the rule "Allow-admin-access" ranks higher in the policy (its ID number is smaller) than "Block-all-access". FortiWeb evaluates the rules in that order, so requests to "/admin" from the administrators' source IPs hit the first rule and receive its "Continue" action, while requests to "/admin" from any other source fall through to the second rule and are denied. If the order is reversed, the block rule matches first and locks the administrators out as well. After applying the policy, test from both an administrator address and a non-administrator address, and include a sub-path such as /admin/orders, to confirm that the pattern covers the whole admin panel.

For more information, see Restricting access based on specific URLs.
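The following is an added example, not FortiWeb code, that models the ordered evaluation of the two URL Access rules above so the ordering requirement can be checked against an expected access matrix. It assumes that rules in a policy are evaluated top-down with the first match deciding, that a Simple String pattern covers the path itself and anything beneath it (/admin and /admin/orders), and that "Continue" means URL Access passes the request on to the rest of the profile; confirm each of these against your FortiWeb version. The admin network 10.10.0.0/24, the client addresses and the expected matrix are constructed.

```python
"""First-match evaluation of the two URL Access rules from Solution 1."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class UrlAccessRule:
    name: str
    host: str
    url_pattern: str                 # Simple String URL pattern, e.g. "/admin"
    action: str                      # "Continue" or "Alert & Deny"
    source_networks: List[str] = field(default_factory=list)  # empty: Source Address disabled

    def matches(self, host: str, path: str, src_ip) -> bool:
        if host != self.host:                                   # Host Status: Enable
            return False
        if not (path == self.url_pattern or path.startswith(self.url_pattern + "/")):
            return False
        if self.source_networks:                                # Source Address: Enable
            return any(src_ip in ipaddress.ip_network(n) for n in self.source_networks)
        return True


def evaluate(policy: List[UrlAccessRule], host: str, path: str, src: str) -> Tuple[str, Optional[str]]:
    """Return (decision, rule name); 'continue' = passed on by URL Access, 'deny' = blocked."""
    ip = ipaddress.ip_address(src)
    for rule in policy:              # policy order is the rule ID order
        if rule.matches(host, path, ip):
            return ("continue" if rule.action == "Continue" else "deny", rule.name)
    return ("continue", None)        # no URL Access rule matched


ADMIN_NET = "10.10.0.0/24"           # constructed private management network
ALLOW_ADMIN = UrlAccessRule("Allow-admin-access", "shopexample.com", "/admin", "Continue", [ADMIN_NET])
BLOCK_ALL = UrlAccessRule("Block-all-access", "shopexample.com", "/admin", "Alert & Deny")

CORRECT_ORDER = [ALLOW_ADMIN, BLOCK_ALL]     # allow rule has the smaller ID
WRONG_ORDER = [BLOCK_ALL, ALLOW_ADMIN]       # block rule ranks first: administrators are locked out too

# Expected access matrix, (source IP, path) -> decision. Constructed.
EXPECTED: Dict[Tuple[str, str], str] = {
    ("10.10.0.5", "/admin"): "continue",
    ("10.10.0.5", "/admin/orders"): "continue",
    ("203.0.113.7", "/admin"): "deny",
    ("203.0.113.7", "/admin/orders"): "deny",
    ("203.0.113.7", "/products"): "continue",
}


def verify(policy: List[UrlAccessRule]) -> List[Tuple[str, str, str]]:
    """Cases where the policy disagrees with EXPECTED, as (source, path, decision)."""
    mismatches = []
    for (src, path), want in EXPECTED.items():
        got = evaluate(policy, "shopexample.com", path, src)[0]
        if got != want:
            mismatches.append((src, path, got))
    return mismatches
```

Two points the matrix makes visible: with the rules reversed, every administrator request to /admin is denied, and because both rules carry Host Status Enable with Host shopexample.com, a request for /admin that arrives with a different Host header matches neither rule. If the server policy also answers for other hostnames or for the bare IP address, add rules for those too.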

Solution 2 - Configuring User Tracking and Custom Policy to restrict access

Implement user tracking and create a custom policy to block unauthorized access to the admin panel. This involves creating a user tracking rule that identifies each session by the username entered at login, then defining a custom policy that denies a request when both of its conditions hold: the tracked username is not in the authorized list, and the URL matches the /admin path.

To track users by usernames:

  1. Go to Tracking > User Tracking, and select the User Tracking Rule tab.
  2. Click Create New and configure these settings:
    Name: Enter a name that identifies the rule.
    Authentication URL: Enter the login URL, for example /login.php.
    Username Field: The name of the form field in which users enter their username, for example Username.
    Password Field: The name of the form field in which users enter their password, for example Password.
    Session ID Name: Type the name of the session ID that is used to identify each session. Examples of session ID names are sid, PHPSESSID, and JSESSIONID.
  3. Click OK.
  4. Go to Tracking > User Tracking, select the User Tracking Policy tab, click Create New, enter a name for the policy, and then click OK.
  5. Click Create New, select the user tracking rule you have created, and then click OK.

To block non-admin users from accessing shopexample.com/admin:

  1. Go to Web Protection > Advanced Protection > Custom Policy, and select the Custom Rule tab.
  2. Click Create New.
  3. Configure these settings:
    Name: Type a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters.
    Action: Alert & Deny. Block the request (or reset the connection) and generate an alert email and/or log message.
    Severity: Medium
    Trigger Action: Select a trigger action to specify how FortiWeb logs the attack.
  4. Click OK.
  5. Click Create New to add a User entry to the set.
  6. From Filter Type, select User.
  7. For User Name, enter the names of your admin users, for example: "admin" or "alice, alex, adam".
  8. For the Meet this condition if: option, select Object does not match the User Name.
  9. Click OK.
  10. Click Create New to add a URL entry to the set.
  11. From Filter Type, select URL.
  12. Enter /admin in Regular Expression. Note that this pattern is not anchored and is case-sensitive: it can also match URLs that merely contain /admin (for example /images/admin.png), and it does not match /Admin. For a deny rule the over-match only produces extra blocks, but test that the pattern also covers the sub-paths of the admin panel you want protected.
  13. For the Meet this condition if: option, select URL matches the Regular Expression.
  14. Click OK.
  15. Go to Web Protection > Advanced Protection > Custom Policy, and select the Custom Policy tab.
  16. Click Create New.
  17. Select the custom rule you have created.
  18. Click OK.

For more information, see Tracking and Custom Policy.
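The following is an added example, not FortiWeb code, that runs the custom rule from Solution 2 over constructed sample requests to show which paths the regular expression as written catches, compared with an anchored form. It models the two filters as an AND (User: "Object does not match the User Name"; URL: "URL matches the Regular Expression"), applies the regular expression as an unanchored search, and treats a request with no tracked user as "does not match"; all three are assumptions to confirm against the device. The admin list and the paths are constructed.

```python
"""Evaluation of the Solution 2 custom rule over sample requests."""
import re
from typing import List, Optional, Set

ADMIN_USERS: Set[str] = {"alice", "alex", "adam"}    # the User Name list of the custom rule


def custom_rule_denies(tracked_user: Optional[str], path: str, url_regex: str) -> bool:
    """Alert & Deny fires only when both filters of the rule match."""
    user_filter = tracked_user not in ADMIN_USERS         # "Object does not match the User Name"
    url_filter = re.search(url_regex, path) is not None   # "URL matches the Regular Expression"
    return user_filter and url_filter


# The pattern as entered in the text, and two tighter alternatives.
AS_WRITTEN = r"/admin"                    # substring: also hits /images/admin.png and /administrator
ANCHORED = r"^/admin(/|$)"                # the admin panel and its sub-paths only
ANCHORED_NOCASE = r"(?i)^/admin(/|$)"     # use if the back end treats paths case-insensitively

SAMPLE_PATHS: List[str] = [               # constructed request paths
    "/admin", "/admin/orders", "/administrator",
    "/images/admin.png", "/Admin", "/products",
]


def denied_paths(regex: str, user: Optional[str] = "bob") -> List[str]:
    """Paths from SAMPLE_PATHS that the rule blocks for the given tracked user."""
    return [p for p in SAMPLE_PATHS if custom_rule_denies(user, p, regex)]
```

Whichever pattern you choose, check the case-sensitivity and path normalisation of the back end as well: a rule that matches /admin but not /Admin is only complete if the server also refuses /Admin.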

Additional protection: Configuring Cookie Security to prevent cookie manipulation

To stop users from manipulating their session cookies and thereby escalating their privileges from "user" to "admin", configure Cookie Security so that FortiWeb detects and blocks requests whose cookie values were changed by the client after the server set them.

  1. Go to Web Protection > Cookie Security.
  2. Click Create New and configure these settings:
    Name: Enter a name that identifies the policy when you select it in a protection profile.
    Security Mode: Signed. Prevents tampering (cookie poisoning) by tracking the cookie value. This option requires you to configure Client Management in Policy.
    When FortiWeb receives the first HTTP or HTTPS request from a client, it uses a cookie to track the session. In Signed mode, that session-tracking cookie carries a hash value computed from the cookie values the back-end server set in its response. On later requests FortiWeb uses the hash to detect tampering: if a cookie the client sends back no longer matches what the server set, FortiWeb takes the specified action.
    Cookie Security Attributes:
    Secure Cookie: Enable to add the Secure flag to cookies, so browsers return the cookie only with requests for HTTPS pages. This prevents the cookie from being transmitted over unencrypted HTTP, where an attacker in a man-in-the-middle position could intercept it.
    HTTP Only: Enable to add the HttpOnly flag to cookies, which prevents client-side scripts from reading the cookie, so a cross-site scripting flaw cannot be used to steal the session.
    Same Site: Enable to add the SameSite attribute, which declares that the cookie should be restricted to a first-party or same-site context.
      • Strict: Requests initiated from third-party sites do not carry the cookie. It is sent only in a first-party context, that is, when the site the cookie belongs to matches the site currently shown in the browser's URL bar.
    Action: Alert & Deny. Block the request and generate an alert, log message, or both.
    Severity: Medium
    Trigger Policy: Select a trigger action to specify how FortiWeb logs the attack.
  3. Click OK.

For more information, see Cookie security.
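The following is an added example, not FortiWeb's implementation, showing what the Signed security mode does in principle: the proxy signs the cookie values the back end sets with an HMAC, re-checks them on every request, and adds the Secure, HttpOnly and SameSite=Strict attributes. It also handles the two client moves that matter, changing a value and dropping the signature cookie altogether. The signing key, the signature cookie name `__wafsig` and the sample Set-Cookie headers are constructed.

```python
"""Tamper-evident cookies: HMAC over the values the server set, checked on every request."""
import hashlib
import hmac
import json
import secrets
from http.cookies import SimpleCookie
from typing import Dict, List, Tuple

SIGNING_KEY = secrets.token_bytes(32)        # constructed; a real device keeps its own key
SIG_COOKIE = "__wafsig"                      # hypothetical name for the signature cookie
ATTRS = "Secure; HttpOnly; SameSite=Strict"  # the three Cookie Security attributes


def _parse(header: str) -> Dict[str, str]:
    """Name -> value for either a Set-Cookie or a Cookie header."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def _digest(cookies: Dict[str, str]) -> str:
    """HMAC over all protected name/value pairs, in an unambiguous canonical encoding."""
    protected = {k: v for k, v in cookies.items() if k != SIG_COOKIE}
    canon = json.dumps(protected, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, canon, hashlib.sha256).hexdigest()


def protect_response(set_cookie_headers: List[str]) -> List[str]:
    """Rewrite the back end's Set-Cookie headers and append the signature cookie."""
    values: Dict[str, str] = {}
    out: List[str] = []
    for header in set_cookie_headers:
        for name, value in _parse(header).items():
            values[name] = value
            out.append(f"{name}={value}; Path=/; {ATTRS}")
    out.append(f"{SIG_COOKIE}={_digest(values)}; Path=/; {ATTRS}")
    return out


def browser_cookie_header(set_cookie_headers: List[str]) -> str:
    """The Cookie header a browser sends back on its next HTTPS request (name=value pairs only)."""
    return "; ".join(h.split(";", 1)[0] for h in set_cookie_headers)


def check_request(cookie_header: str) -> Tuple[str, Dict[str, str]]:
    """Decide as the WAF would: 'pass' when the signature verifies, otherwise 'alert_deny'."""
    cookies = _parse(cookie_header)
    sig = cookies.get(SIG_COOKIE)
    # A missing or mismatching signature means the client changed or dropped a value.
    if sig is None or not hmac.compare_digest(sig, _digest(cookies)):
        return ("alert_deny", cookies)
    return ("pass", cookies)


def scenario() -> Dict[str, str]:
    """The attack from the text: the client edits role=user into role=admin."""
    backend = ["sid=7f3a9c1e; Path=/", "role=user; Path=/"]     # constructed back-end response
    honest = browser_cookie_header(protect_response(backend))
    tampered = honest.replace("role=user", "role=admin")
    stripped = "; ".join(p for p in honest.split("; ") if not p.startswith(SIG_COOKIE + "="))
    return {
        "honest": check_request(honest)[0],
        "tampered": check_request(tampered)[0],
        "signature_removed": check_request(stripped)[0],
    }
```

The signature proves only that the client returned what the server set; it does not make a role stored in a cookie a sound design. It is a compensating control in front of the application, and the back end should still derive the role from its own session state on every administrative request.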

Next step

Apply the security rules to a web protection profile and then reference the profile in a server policy.

Make sure to enable Client Management in Policy > Web Protection Profile; the Signed cookie security mode depends on it.

By implementing these comprehensive security measures, shopexample.com can mitigate the risks associated with session cookie manipulation and direct URL access to admin functions. These strategies will help maintain the integrity and privacy of user data and the overall security of the online platform.

The FortiWeb rules above are a compensating control in front of the application. It's also recommended to fix the root cause on your back-end servers: define user roles based on job functions and responsibilities within the organization, keep each user's role in server-side state rather than in a client cookie, and enforce the role check on every administrative request, so that only authorized users can access specific back-end resources.
