Broken Access Control, the most serious web vulnerability

ms_74

Mariam Reba Alexander

Posted on March 15, 2023

Broken Access Control, the most serious web vulnerability

Broken Access Control is identified as the most serious web application security and is in the 1st place on the OWASP Top 10 2021 list of security vulnerabilities. 94% of applications that were tested had some form of broken access control.

Access Control or Authorisation

In a physical aspect, access control implies to giving restricted access to an individual to a building or space, for eg., badge readers give access to different areas of a building, with which a staff can access restricted rooms whereas a visitor cannot.

In a web application context, access control or authorisation is the constraints applied to the user to access its resources or perform actions. For eg., an administrator might have the rights to modify or delete any user's account, whereas an ordinary user has no access to these actions.

Broken Access Control

Broken access control allows access to resources that should only be available to those with appropriate authorisation. This security flaw can result in serious consequences such as unauthorised information disclosure, modification, or destruction of all data and damage to business reputation.

According to 2022 OWASP Top 10 report, the applications that were tested for broken access control included 34 Common Weakness Enumerations (CWEs). The most notable vulnerabilities were exposure of sensitive data to an unauthorized actor, cross-site request forgery (CSRF), and path traversal. The whole list of CWEs mapping to Broken Access control can be found on MITRE's Common Weakness Enumeration (CWE) webpage.

Example scenarios

#1

A particular website has two pages, one for viewing by user and the other by admin.

https://example-website.com/user
https://example-website.com/admin
Enter fullscreen mode Exit fullscreen mode

This is a violation of access control when both pages are viewable by a non-admin. The pages of a website can be guessed easily by brute forcing with a wordlist or by viewing the robots.txt file.

Suppose the web page is tried to be concealed by giving a less predictable url.

https://example-website.com/admin_234862
Enter fullscreen mode Exit fullscreen mode

Obscuring the url may not be an effective way of securing a web page as this url pathname can be possibly hardcoded in the script logic and the attacker can gain access to it by scanning through the source code in devtools.

#2

After determining the users role at login, some applications may use the role as a query string parameter to redirect them to the permitted page.

For example:

https://example-website.com/login/home.html?admin=true
https://example-website.com/login/home.html?role=1
Enter fullscreen mode Exit fullscreen mode

This approach is also insecure as the attacker can easily guess and modify the query param to gain access to other user accounts or unauthorised privileges like admin access.

#3

Manipulating a JSON Web Token (JWT) access control token, or a cookie or hidden field to gain access to privileges.

Remedy

The main remedy for broken access control is that all resources not intended for public access should be denied by default. For new resources an allowlist must be implemented to introduce them.

For more detailed CWE vulnerabilities and remedies check out the resources provided below

Resources

https://owasp.org/Top10/A01_2021-Broken_Access_Control/
https://cwe.mitre.org/data/definitions/1344.html

💖 💪 🙅 🚩
ms_74
Mariam Reba Alexander

Posted on March 15, 2023

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related