Quick Tutorial: Broken Access Control Vulnerability
This vulnerability type sits at the top of the OWASP Top 10 2021. According to OWASP, more than 90% of applications have some form of broken access control vulnerability. Broken Access Control is classed as a critical vulnerability and generally leads to loss of confidentiality and integrity of data.
If any user is able to perform an unintended task, the flaw comes under broken access control. Here, an unintended task means a task that the application should not allow that user to perform.
1) Assume a web application has two roles: normal user and admin. If a normal user is able to reach the authenticated admin page through flaws such as path traversal, improper authorization, forced browsing, incorrect default permissions, etc., that is broken access control.
In the example below, an attacker changes the URL to access the admin page. If the request is allowed, this is a flaw that comes under this category.
2) Assume customer-related data is available on the web application through the Profile functionality. Customers should only be able to see their own data. If an attacker is able to see another customer's data by simple manipulation of the URL, this is a flaw that comes under this category.
Broken Access Control Prevention
Broken Access Control can be prevented by enforcing appropriate checks on the server side, whether in application code or in serverless APIs. Below is a list of general techniques that should be used to mitigate this type of vulnerability.
- Deny access by default for any resource.
- Do not implement a separate access-control check for each piece of functionality. Instead, use one access-control mechanism consistently throughout the application.
- Never rely only on tools for security. Test the application manually before deploying it to production.
- Prepare proper documentation defining the access control of the application.
- Enable logging of access-control failures. Trigger an email/SMS to the admin if the number of failures crosses a threshold.
- Double-check that URLs not intended for the public (e.g. backups, configuration files, etc.) are not accessible.
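The following is an added example, not code from the original article, that models scenario 2) above (a profile read that trusts the id in the URL) beside a hardened version applying the techniques listed here: one access-control policy for the whole application, deny by default, and logging of failures against a threshold. The names `User`, `Role`, `POLICY`, `handle_request` and the sample profiles are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    USER = "user"
    ADMIN = "admin"


@dataclass
class User:
    user_id: int
    role: Role


# Constructed sample data: customer profiles keyed by the id that appears in the URL.
PROFILES = {
    1: {"name": "alice", "email": "alice@example.com"},
    2: {"name": "bob", "email": "bob@example.com"},
}

# One access-control policy for the whole application (one mechanism, not one per page).
# Any path not listed here is denied: deny by default. The "id" parameter is assumed
# to have already been parsed from the URL as an int.
POLICY = {
    "/admin": lambda user, params: user.role is Role.ADMIN,
    "/profile": lambda user, params: params.get("id") == user.user_id or user.role is Role.ADMIN,
}

failure_log = []  # every denied request, so repeated failures can raise an alert


def authorize(user, path, params):
    rule = POLICY.get(path)
    allowed = bool(rule and rule(user, params))
    if not allowed:
        failure_log.append((user.user_id, path, dict(params)))
    return allowed


def failures_exceed(threshold):
    return len(failure_log) >= threshold


def profile_vulnerable(user, params):
    # Scenario 2): trusts the id in the URL, so any logged-in user can read any profile.
    return PROFILES.get(params["id"])


def handle_request(user, path, params):
    # Hardened: every request passes through the single policy before any data is touched.
    if not authorize(user, path, params):
        return 403, None
    if path == "/profile":
        return 200, PROFILES.get(params["id"])
    if path == "/admin":
        return 200, {"users": sorted(PROFILES)}
    return 404, None
```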
Broken Access Control vs Broken Authentication
There is often confusion between broken access control and broken authentication. Sometimes the two terms are used interchangeably, which is not correct.
| Broken Access Control | Broken Authentication |
|---|---|
| Related to authorization | Related to authentication |
| Determines whether a user has access to a resource | Determines whether a user is able to prove their identity |
CWEs that come under Broken Access Control
| CWE | Name |
|---|---|
| CWE-201 | Exposure of Sensitive Information Through Sent Data |
| CWE-538 | Insertion of Sensitive Information into Externally-Accessible File or Directory |
| CWE-706 | Use of Incorrectly-Resolved Name or Reference |
| CWE-540 | Inclusion of Sensitive Information in Source Code |
| CWE-1275 | Sensitive Cookie with Improper SameSite Attribute |
| CWE-863 | Incorrect Authorization |
| CWE-276 | Incorrect Default Permissions |
| CWE-668 | Exposure of Resource to Wrong Sphere |
| CWE-913 | Improper Control of Dynamically-Managed Code Resources |
| CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor |
| CWE-922 | Insecure Storage of Sensitive Information |
| CWE-402 | Transmission of Private Resources into a New Sphere ('Resource Leak') |
| CWE-59 | Improper Link Resolution Before File Access ('Link Following') |
| CWE-862 | Missing Authorization |
| CWE-497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere |
| CWE-284 | Improper Access Control |
| CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') |
| CWE-639 | Authorization Bypass Through User-Controlled Key |
| CWE-566 | Authorization Bypass Through User-Controlled SQL Primary Key |
| CWE-552 | Files or Directories Accessible to External Parties |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
| CWE-35 | Path Traversal: '.../...//' |
| CWE-377 | Insecure Temporary File |
| CWE-285 | Improper Authorization |
| CWE-275 | Permission Issues |
| CWE-425 | Direct Request ('Forced Browsing') |
| CWE-23 | Relative Path Traversal |
| CWE-264 | Permissions, Privileges, and Access Controls |
| CWE-219 | Storage of File with Sensitive Data Under Web Root |
| CWE-352 | Cross-Site Request Forgery (CSRF) |
| CWE-441 | Unintended Proxy or Intermediary ('Confused Deputy') |
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
Disclaimer: This tutorial is for educational purposes only. Individuals are solely responsible for any illegal act.