Privilege escalation

Compare scans that used different user privileges, to discover if privileged resources are accessible to non-privileged users.

About this task

AppScan can refer to scans that were run using different user privileges, to investigate the extent to which privileged resources are accessible to users with insufficient access permissions. This can be done in two ways:
  • By comparison with a higher privileged user: You point AppScan to scan results that were produced using a higher level of access permissions than the current scan. During the scan AppScan attempts to access the additional links that were available to the higher level user, using the current (lower level) access permissions. The scan results indicate where these attempts were successful.
  • By comparison with a non-authenticated user: You point AppScan to scan results that were produced without user authentication. AppScan then runs a scan using the current authentication and notes the new links it accesses. It then logs out and attempts to access these new links without authentication. The scan results indicate where these attempts were successful.
Important: Scans being compared must have the same scan configuration, and equivalent Explore data. For example, if the site was explored manually before testing in one of the scans, the same Manual Explore must be performed before the Test stage in the scans being compared with it.

Procedure

  1. (To compare with a higher privileged user:) In the upper area ("Higher Privilege User Tests"), click the plus button, and browse to a scan that was run with higher access permissions than the current scan.
  2. Click Open.
  3. Type in a name that represents the authentication level used in the scan (for example Guest or Administrator), then click OK.

    The selected scan is added to the list, and its role (e.g. Admin, Operator, Visitor) appears in the left column.

  4. Repeat these steps to add scans with different authentication levels, as required.
    Note: You may add more than one scan for Higher Privilege User tests, one for each role. For example, if the current scan is configured with the Username and password of a normal user, you could add two scans to this list: one that was run with Administrator permissions, and one that was run with Supervisor permissions. The results will indicate which user's resources were found to be accessible to the Normal User.
  5. (To compare with a non-authenticated user:) You can also optionally load the results of a scan run without authentication. To do this, in the lower area click the plus button, and browse to the scan results.