Deep Dive Guide to Broken Access Control
A broken access control vulnerability is a type of security weakness that allows unauthorized individuals to gain access to restricted resources. Attackers exploit this flaw to bypass normal security measures and subsequently gain access to sensitive data or systems. Typically, such vulnerabilities are the result of weak authentication and authorization procedures. Therefore, eliminating these flaws is critical for maintaining the security of systems and data.
In fact, broken access controls are the most common vulnerability found during web application penetration testing. In 2021, OWASP published a list of the top 10 web application vulnerabilities, with broken access controls ranking in first place, up from fifth place in previous years. Researchers discovered one or more Common Weakness Enumerations (CWEs) in nearly one-third of the web applications they evaluated, often resulting in data loss, information leakage, and unauthorized access. Poorly implemented authentication and permission systems, or poorly written code are some types causes.
Authentication vs Authorization
Authorization is the act of verifying which specific software, files, and data a user is authorized to access, while authentication is the process of confirming an individual’s identity.
To understand the distinction between authentication and authorization, consider the following example. When you log in to a system, you are typically required to provide authentication information, such as a username and password, to prove your identity. Once authenticated, the system can then determine what resources you are authorized to access, based on your permissions and privileges.
The figures below illustrate this process:
Broken Access Control Vulnerabilities
Vertical access controls refer to mechanisms that restrict access to specific features within an application to certain types of users. These controls enable different user types to access various application features, which are not available to other types of users.
For example, consider a banking application that has several user types, such as regular customers, VIP customers, and bank employees. Each user type may be granted access to different features within the application, depending on their level of access. Regular customers may only be able to view their account balances and transaction history, while VIP customers may have additional privileges, such as the ability to transfer funds between accounts. Bank employees may have access to even more sensitive features, such as the ability to view confidential customer data.
Vertical access controls enable application developers to implement role-based access control (RBAC) and other similar mechanisms, which are essential for maintaining the confidentiality and integrity of sensitive data. By using these controls, application developers can ensure that users only have access to the features that are necessary for their roles, while preventing unauthorized access to private features.
Figure 2: Vertical Access Control Diagram
Example of Vertical Access Control Vulnerability:
To begin testing a web application for vulnerabilities, start by intercepting the traffic using Burp Suite while logged in as an unauthenticated or low-privileged user. This will allow you to identify potential security weaknesses and assess the level of access control in the application.
Start by checking the HTTP history and conducting an active scan on the root directory. This will help you identify hidden content and other potential weaknesses that may not be immediately visible. By thoroughly assessing the application’s structure and contents, you can gain a deeper understanding of its security posture and identify potential areas of concern.
Once you’ve discovered hidden content in a web application, it’s important to pay special attention to the robots.txt file, the text file has an interesting response that helps the attacker to enumerate unprotected administrator panel
To validate, an unauthenticated user/attacker was able to access the administrator panel and was able to delete users
Horizontal access controls are mechanisms that restrict access to specific resources to those who have been granted permission. With horizontal access controls, different users can access a portion of the same type of resources.
For example, consider a shared folder on a company network that contains several files related to a particular project. Horizontal access controls may be used to grant different levels of access to these files to different users, depending on their roles within the project. A project manager may have full access to all the files, while team members may only have access to the files that are
Figure 3: Horizontal Access Control Diagram
Example of Horizontal Access Control Vulnerability:
The first requirement is to have valid login credentials with “user” privileges. Once logged in, the user should have access to the features and functionalities allowed for their access level.
Proceed to the “Your Basket” page after successfully logging into the application.
Upon accessing “Your Basket” page, you will observe that there are no items.
Using Burpsuite, intercept the traffic and analyze the /rest/basket/6 in the HTTP History.
Analyze the parameter /rest/basket/6 using Burpsuite by intercepting the traffic and checking the HTTP history. Attempt to modify the parameter by changing the number to different values.
By changing the URL parameter to /rest/basket/1, observe that the response has added items to the basket. Accomplish this after analyzing the parameter and trying out different numbers in the URL.
To ensure the security of authorization and authentication, it To ensure the security of authorization and authentication, we recommend following these guidelines:
- Check access. Each use of a direct object reference from an untrusted source must include an access control check to ensure granted user authorization a user for the requested object.
- Rate limit API and controller access to minimize the harm from automated attack tooling
- It is imperative to consistently validate each request and confirm that the requester has the necessary authorization to access or modify the data they are requesting.
- Implement access controls such as Role-Based Access Control or other Access Control Mechanisms.
- An exception or customized message suggesting a security violation has occurred should be returned and logged if the client issues an alternative identifier, along with session termination.
- A modified user access model will verify any supplied identifiers against authenticated user’s identity and validate authorization to access the indicated resource.
- The token generation process must ensure that each corresponding user has a uniquely mapped token.
Broken Access Control vulnerabilities are a common problem in modern applications, as the design and implementation of access control mechanisms often rely on multiple components and processes. In this complex and ever-changing environment, security teams must use a combination of legal, organizational, and business logic to ensure that the tech stack is secure and does not leave any room for hackers to exploit the application.
Access control vulnerabilities can be particularly insidious because they often go unnoticed without automated, continuous detection, and attackers may target them more aggressively as a result. Given the potential for significant damage, organizations cannot afford to overlook the threat of Broken Access Control.
To address this issue, security teams must understand what they are dealing with, how to avoid it, and how to prevent Broken Access Control vulnerabilities from occurring in the first place. By implementing robust access control mechanisms and continuously monitoring for potential vulnerabilities, organizations can help ensure the safety and security of their applications and data.