What is Broken Access Control?
Authorization is the process of deciding whether a request to access a specific resource should be granted or denied. It consists of the rules that determine which functionality and data a user (or principal) may access, so that the right access rights are applied once authentication has succeeded. Authorization is not the same as authentication: authentication establishes who the caller is, authorization decides what that caller may do.
Web applications need access controls so that users can use the application, and administrators need a way to manage the application’s access control rules and to grant permissions or entitlements to users and other entities. Many access control methodologies exist, and not all of them suit every application. A risk assessment should be performed to identify the threats and vulnerabilities specific to your application and to choose the most appropriate one.
Broken Access Control vulnerabilities are common in modern applications because access control is designed and implemented across a complex ecosystem of components and processes. In such a changing environment, security teams have to translate legal, organizational, and business-logic requirements into technical rules that leave no gaps for an attacker to exploit.
Access control issues are encountered regularly, and they often pose concrete security risks and significant vulnerabilities. Because designing and managing access controls is a complicated and dynamic problem, and because those design decisions are made by humans rather than by tooling, the potential for error is high.
What are Broken Access Control Security Vulnerabilities?
Broken Access Control features in the OWASP Top 10 because attackers can exploit these flaws to masquerade as other users and reach privileged functions and resources. Most access control schemes are not deliberately designed against a guiding framework; instead, they evolve along with the web application’s use.
Moreover, a flawed access control scheme is easy to identify and exploit. In most cases the attacker only needs to request content or a function they are not authorised to use. Once a flaw has been discovered, the consequences range from minor to severe, depending on the sensitivity of the content and on the other protection controls in place.
Common Access Control Vulnerabilities
Broken Access Control vulnerabilities can be categorized as:
Vertical Privilege Escalation
Vertical access controls restrict access to sensitive functions that are not available to every type of user within the organization. Broken vertical access controls can be exploited to reach functions that standard users should not have, such as modifying or deleting other users’ accounts.
The following are some examples of vertical privilege escalation attacks caused by faulty vertical access controls:
- Unprotected Sensitive Functionality
- Parameter-based attacks
- Broken access control due to platform misconfiguration
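As an added example (not code from the original article), the following Python handlers show the parameter-based case from the list above: the vulnerable version trusts a `role` cookie that the client controls, while the hardened version resolves the role from a server-side session and denies by default. The request dict shape, the user table and the session store are constructed for illustration.

```python
import secrets

# Constructed user table: username -> record. Roles are stored only here.
USERS = {
    "alice": {"role": "user"},
    "root": {"role": "admin"},
}
# Constructed server-side session store: session id -> username. The client
# only ever holds the opaque id, never a statement of its own role.
SESSIONS = {}


def login(username):
    """Issue an opaque session id for an (already authenticated) username."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = username
    return sid


def delete_user_vulnerable(request, users):
    """Vulnerable: trusts a 'role' cookie that the client controls.

    A standard user who edits their cookie jar to role=admin reaches an
    admin-only function. This is the parameter-based vertical escalation
    listed above; the same flaw appears with a hidden form field or a
    ?role=admin query parameter."""
    if request["cookies"].get("role") != "admin":
        return 403, "forbidden"
    target = request["params"]["username"]
    users.pop(target, None)
    return 200, f"deleted {target}"


def current_role(request, users):
    """Resolve the caller's role from server-side state only.

    The role is re-read from the user table on every request, so a demotion
    takes effect immediately rather than at the next login."""
    username = SESSIONS.get(request["cookies"].get("sid"))
    if username is None:
        return None
    return users.get(username, {}).get("role")


def delete_user_hardened(request, users):
    """Hardened: the role comes from the session; client claims are ignored,
    and a missing or unknown session is denied by default."""
    if current_role(request, users) != "admin":
        return 403, "forbidden"
    target = request["params"]["username"]
    if target not in users:
        return 404, "no such user"
    users.pop(target)
    return 200, f"deleted {target}"


def demo():
    """Replay the forged-cookie attack against both handlers; returns the
    two status codes."""
    # Constructed attacker request: a forged role cookie and no session at all.
    forged = {"cookies": {"role": "admin"}, "params": {"username": "alice"}}
    vuln_status, _ = delete_user_vulnerable(forged, dict(USERS))
    hard_status, _ = delete_user_hardened(forged, dict(USERS))
    return vuln_status, hard_status


if __name__ == "__main__":
    print(demo())  # (200, 403)
```

The hardened handler never reads anything from the request that describes the caller’s privileges; the only client-supplied value it uses is the opaque session id, and everything else is looked up on the server.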
Horizontal Privilege Escalation
Horizontal access controls let different users access the same type of resource while restricting each individual resource to the user or group allowed to access it. For example, a banking application lets customers view their own transaction records but not those of other customers. Broken horizontal access controls let attackers reach resources belonging to other users, typically because the application uses a user-supplied identifier to select the resource without checking that the caller is entitled to it.
Context-Dependent Privilege Escalation
Attackers often compromise privileged users to turn a horizontal privilege escalation into a vertical one. For example, an attacker might use broken horizontal controls to retrieve another user’s login credentials or session token, then target administrative accounts in the same way, gain administrative rights, and so escalate privileges vertically.
Some context-dependent privilege escalation attacks include:
- Insecure Direct Object Reference
- Multi-step attacks
- Attacks on referrer-based mechanisms
- Attacks on geographical location-based mechanisms
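As an added example (not from the original article), the following Python code shows two items above that an application-level check fixes: an insecure direct object reference of the kind described in the horizontal case earlier (the banking transactions lookup), and a multi-step administrative flow whose confirmation step omits the check. The account table, the role table and the two-step role-change flow are constructed for illustration.

```python
# Constructed data: account id -> owner and transaction history.
ACCOUNTS = {
    "1001": {"owner": "alice", "transactions": ["coffee -3.50", "salary +2500.00"]},
    "1002": {"owner": "bob", "transactions": ["rent -900.00"]},
}
# Constructed role table used by the multi-step flow below.
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}


def transactions_vulnerable(caller, account_id):
    """Vulnerable: the account id taken from the URL selects the record directly.

    Any authenticated caller can read any account by changing the id in
    /accounts/<id>/transactions (insecure direct object reference)."""
    account = ACCOUNTS.get(account_id)
    if account is None:
        return 404, None
    return 200, account["transactions"]


def transactions_hardened(caller, account_id):
    """Hardened: fetch the object, then check ownership against the
    authenticated caller before returning anything. Answering 404 for both
    'missing' and 'not yours' avoids confirming that the id exists."""
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != caller:
        return 404, None
    return 200, account["transactions"]


class RoleChangeFlow:
    """Two-step admin action: step 1 selects the target and new role, step 2
    confirms. The vulnerable confirm step assumes step 1 already checked."""

    def __init__(self, roles):
        self.roles = dict(roles)
        self.pending = {}  # server-side state: (caller, target) -> new role

    def step1(self, caller, target, new_role):
        if self.roles.get(caller) != "admin":
            return 403
        self.pending[(caller, target)] = new_role
        return 200

    def step2_vulnerable(self, caller, target, new_role):
        # No role check and no check that step 1 happened: a plain user who
        # posts straight to the confirm URL promotes whoever they like.
        self.roles[target] = new_role
        return 200

    def step2_hardened(self, caller, target):
        # Every step re-checks the caller and consumes state created by the
        # previous step; the new role is never taken from the request itself.
        if self.roles.get(caller) != "admin":
            return 403
        new_role = self.pending.pop((caller, target), None)
        if new_role is None:
            return 400  # step 1 was skipped, or this confirmation was already used
        self.roles[target] = new_role
        return 200
```

The same pattern covers the referrer-based case: a check that the previous step happened must rest on server-side state, never on a header or hidden field the client can forge.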
The Impacts of Broken Access Control
Almost every web server and application deployment is prone to at least one broken access control vulnerability. Depending on which resources the attacker gains access to, the impact of a successful attack can be severe. Failures in access control can have the following business consequences:
Exposure to Unauthorized Content
Once an attacker has gained unauthorized access, they typically crawl the site looking for ways to obtain further permissions. In the process they reach sensitive system and user information, which they can sell on the black market or use for other malicious purposes. With a successful attack, the attacker can view, modify, or even delete sensitive information, harming system performance and availability as well as the company’s reputation.
Privilege Escalation
Attackers exploit access control flaws mainly to obtain privileged access to protected resources and services that normal users and applications cannot reach. Typically, they first try to take over as many user accounts as possible. With elevated privileges, they can steal user information or deploy malicious payloads that damage and compromise the entire environment hosting the application.
Distributed Denial of Service
With access to many user accounts, attackers can drive those accounts with bots and flood the system with requests until it crashes. They may also deploy malicious payloads that render the application inaccessible to legitimate users and services.
Preventing Broken Access Control Vulnerabilities
Broken Access Control is a high-ranking OWASP vulnerability that occurs regularly, is moderately easy to exploit, and has deep and harmful consequences. It is also a leading factor in data breaches and leaks, which result in heavy penalties, loss of business reputation, and exposure of customer information to fraudsters.
It is therefore essential to address these vulnerabilities before attackers take advantage of them and, more generally, to establish an access control policy.
The following best practices are commonly used to prevent broken access control attacks.
Deny Access by Default
Design access control deliberately. Unless a resource is intended to be publicly accessible, deny access by default. At the code level, require developers to declare the access allowed for each resource, with access denied whenever no declaration applies.
Central Interface for Application-wide Access Controls
Every organization needs a way to evaluate the effectiveness of its access control decisions. It is therefore essential to have a single, centrally managed access control component that documents the access control scheme in use and supports a framework for testing whether the established mechanisms work as intended. Access checks scattered across individual handlers are hard to audit and easy to forget.
Handle Access Controls at Server-Side
Only trust server-side authentication and authorization, since the server applies identical controls to every service, user, and application, whereas anything checked only on the client can be bypassed by editing the request. Security teams and developers should also define a separation of duties. For example, role templates let the server validate each request against the permissions associated with the caller’s role rather than granting access on an ad hoc, per-user basis.
Constant Testing and Auditing of Access Controls
Make security testing a continuous, consistent process by regularly testing and auditing access control mechanisms to confirm they behave as intended. Effective testing also helps teams find new vulnerabilities and flaws as they appear, increasing the organization’s confidence in its access control implementation.
Disable Web Server Directory Listing
Disable web server directory listing and make sure no file metadata (e.g., a .git directory) or backup files exist within the web root. An exposed .git directory lets an attacker reconstruct the application’s source, and stray backup files often contain credentials or the very access checks the attacker is trying to bypass.
Clean Code with Binary Access Controls
Every developer should make sure their source code declares the access allowed for each resource at the code level, with access denied by default. It is also critical to follow secure coding practices to avoid common programming errors.
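The following is an added example (not the article’s own code) that ties the practices above together: a single decision point that denies by default, role templates resolved server-side, a route decorator that refuses to register a handler without a declared policy, and an audit function for the testing step. The permission names, the role templates and the route registry are constructed for illustration.

```python
from functools import wraps

# Role templates: a role maps to the set of permissions it grants. Handlers
# name a permission, never a role, so roles can be reshaped in one place.
ROLE_TEMPLATES = {
    "user": {"account:read_own", "account:transfer_own"},
    "support": {"account:read_own", "account:read_any"},
    "admin": {"account:read_any", "user:delete", "user:change_role"},
}

ROUTES = {}        # constructed registry: path -> wrapped handler
PUBLIC = object()  # sentinel: the route is deliberately world-readable


class Forbidden(Exception):
    pass


def is_allowed(role, permission):
    """Single decision point: an unknown role or permission is denied."""
    return permission in ROLE_TEMPLATES.get(role, set())


def route(path, requires):
    """Register a handler. `requires` is a permission string or PUBLIC and has
    no default, so a route without a declared policy fails at import time."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(principal, *args, **kwargs):
            if requires is not PUBLIC and not is_allowed(principal.get("role"), requires):
                raise Forbidden(path)
            return fn(principal, *args, **kwargs)
        wrapper.requires = requires
        ROUTES[path] = wrapper
        return wrapper
    return decorator


@route("/health", requires=PUBLIC)
def health(principal):
    return "ok"


@route("/accounts/<id>", requires="account:read_any")
def read_any_account(principal, account_id):
    return f"account {account_id}"


@route("/users/<name>/delete", requires="user:delete")
def delete_user(principal, name):
    return f"deleted {name}"


def audit_routes():
    """Auditing step: list registered paths that carry no declared policy.
    Routes added through the decorator always have one; this catches
    handlers dropped into ROUTES by other means."""
    return [p for p, h in ROUTES.items() if not hasattr(h, "requires")]


def dispatch(path, principal, *args):
    """Deny by default: an unregistered path is a 404, and a registered one
    passes through the wrapper's check before the handler body runs."""
    handler = ROUTES.get(path)
    if handler is None:
        return 404, None
    try:
        return 200, handler(principal, *args)
    except Forbidden:
        return 403, None


if __name__ == "__main__":
    print(dispatch("/users/<name>/delete", {"role": "support"}, "alice"))  # (403, None)
    print(audit_routes())  # []
```

Because the decorator is the only way to register a route, the audit normally comes back empty; its value is as a regression test that fails the build the moment someone bypasses the decorator, which is the kind of continuous check the testing section above calls for.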