OWASP Top 10: Understanding Broken Access Control

What is broken access control?

Broken access control is a security issue where users can access data or perform actions that they shouldn't be allowed to. This happens when the system fails to properly enforce rules about what users can and cannot do.

Types of access control vulnerabilities:

1. Vertical privilege escalation: Vertical privilege escalation happens when a normal user gains access to functionality reserved for higher-privileged users.

Example: A normal user can change the policies of the company.

2. Horizontal privilege escalation: Horizontal privilege escalation allows a user to switch their access to another user's account, essentially impersonating them.

Example: A normal user can switch their account to admin.

3. Insecure direct object reference (IDOR): IDOR occurs when an application exposes a reference to an internal implementation object, such as a file, directory, or database key, and does not check that the requester is allowed to use it.

Example: Suppose we have the URL 'abc.com/user?id=123'. If we change the ID from 123 to any other value, say 124, and request 'abc.com/user?id=124', the application accepts it and returns user 124's data to us.
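The IDOR case above, as an added example that is not part of the original post: the same lookup written two ways, first trusting the client-supplied id, then checking ownership against the server-side session. The user table and role names are constructed for the demo.

```python
# Added example: an IDOR-style record lookup and its fixed version.
# The in-memory USERS table stands in for the database behind abc.com/user?id=...
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    name: str
    role: str  # "user" or "admin" (constructed roles)


# Constructed sample data: ids 123 and 124 mirror the URLs in the example above.
USERS = {
    123: User(123, "alice", "user"),
    124: User(124, "bob", "user"),
    1: User(1, "root", "admin"),
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested record."""


def get_user_vulnerable(requested_id: int, session_user_id: int) -> User:
    # Broken: the handler trusts the id from the URL and never asks who is
    # calling, so changing ?id=123 to ?id=124 returns another user's record.
    return USERS[requested_id]


def get_user_fixed(requested_id: int, session_user_id: int) -> User:
    # Fixed: authorize against the identity stored in the server-side session.
    caller = USERS[session_user_id]
    record = USERS.get(requested_id)
    if record is None or (record.id != caller.id and caller.role != "admin"):
        # Deny by default, and use one error for "missing" and "not yours" so
        # the endpoint does not reveal which ids exist.
        raise Forbidden(f"user {caller.id} may not read record {requested_id}")
    return record


def demo() -> tuple:
    """Returns (name leaked by the broken handler, whether the fix blocked it)."""
    leaked = get_user_vulnerable(124, session_user_id=123).name
    try:
        get_user_fixed(124, session_user_id=123)
        blocked = False
    except Forbidden:
        blocked = True
    return leaked, blocked
```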

4. Missing Function Level Access Control: This happens when an application does not implement permissions on a functional level, allowing users to perform unauthorized actions.

Example: A normal user finds a hidden URL for an administrative function and can perform admin-level tasks.

5. Unvalidated Redirects and Forwards: When an application redirects or forwards users to other pages without proper validation, attackers can redirect users to malicious sites.

Example: An attacker manipulates a URL parameter to redirect users to a phishing site.

6. Forced Browsing: Forced browsing involves accessing parts of a website by simply guessing URLs of restricted resources.

Example: A user manually changes the URL from 'abc.com/user/dashboard' to 'abc.com/admin/dashboard' and gains access to the admin panel.

7. Bypassing Access Control Mechanisms: Attackers may find ways to bypass access control mechanisms, such as manipulating session tokens or using alternative paths to restricted resources.

Example: An attacker uses a proxy to modify session tokens and access restricted areas of an application.


Common causes:

1. Lack of proper authorization: The developer never implemented authorization checks for the actions.

2. Insecure object references: References that can easily be guessed or modified.

3. Default configurations: Default configurations usually do not enforce strict access controls.

4. Misconfigured access control rules: Incorrectly set-up roles and permissions that allow unintended access.

Prevention Measures:

1. Deny by Default: Block every request unless it is specifically allowed.

Example: In a web application, configure the server to deny access to all endpoints by default and explicitly define which users or roles have permission to access specific endpoints. This ensures that any new endpoint or functionality is not accessible until explicitly allowed.

2. Implement Proper Authorization: Check that the user only performs actions that they have permission for.

Example: Before processing a request to update a user’s profile, check if the logged-in user has the right permissions to make changes to that specific profile. For instance, if a user tries to change another user's data, the system should verify that the logged-in user has the required administrative rights.

3. Use Indirect References: Use references that are hard to guess or manipulate, like random tokens.

Example: Instead of using predictable IDs like user?id=123, use a unique, hard-to-guess identifier such as user?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. This token is generated securely and cannot be easily manipulated.

4. Regular Audits and Testing: Regularly test your application for access control vulnerabilities, using both manual and automated tools.

Example: Conduct quarterly security audits using automated tools like Burp Suite to scan for vulnerabilities related to access controls. Additionally, perform manual penetration testing to identify potential weaknesses that automated tools might miss.

5. Role-Based Access Control (RBAC): Implement RBAC to ensure that users only have access to the information and functions necessary for their role.

Example: Implement RBAC where each user role (e.g., admin, manager, employee) has specific permissions. For instance, only users with the "admin" role can access the admin dashboard, while "manager" and "employee" roles have restricted access.
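The deny-by-default and RBAC measures above, as an added example that is not part of the original post: a role-to-permission table where anything not listed is denied, and a decorator that enforces a permission on each handler before it runs. The roles, permissions, handlers and session shape are constructed for the demo.

```python
# Added example: deny-by-default, role-based checks at the function level.
from functools import wraps

# Each role maps to the permissions it grants; anything absent is denied.
ROLE_PERMISSIONS = {
    "admin": {"view_dashboard", "manage_users", "edit_policies"},
    "manager": {"view_dashboard", "view_reports"},
    "employee": {"view_profile"},
}


class AccessDenied(Exception):
    pass


def has_permission(role, permission: str) -> bool:
    # Unknown roles (including a missing one) and unknown permissions both
    # fall through to False: the default is deny.
    return permission in ROLE_PERMISSIONS.get(role, set())


def requires(permission: str):
    """Decorator that enforces `permission` before the handler body runs."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(session, *args, **kwargs):
            # The role comes from the server-side session, never from the request.
            role = session.get("role")
            if not has_permission(role, permission):
                raise AccessDenied(f"role {role!r} lacks {permission}")
            return handler(session, *args, **kwargs)
        return wrapper
    return decorator


# A "hidden" admin URL is not a control; the decorator is.
@requires("edit_policies")
def admin_edit_policy(session, policy_id, new_text):
    return {"policy": policy_id, "text": new_text, "by": session["user"]}


@requires("view_profile")
def view_profile(session):
    return {"user": session["user"]}


def allowed(session, handler, *args) -> bool:
    """Returns True if the handler ran for this session, False if it was denied."""
    try:
        handler(session, *args)
        return True
    except AccessDenied:
        return False
```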

6. Principle of Least Privilege: Grant users the minimum level of access necessary to perform their job functions. Regularly review and update permissions as needed.

Example: If a user is assigned to a specific department, ensure they only have access to the files and resources necessary for their role in that department. For instance, a finance employee should not have access to the HR database.

7. Secure Code Practices: Adopt secure coding practices, such as validating input, encoding output, and using secure frameworks, to prevent access control vulnerabilities.

Example: Use input validation to prevent unauthorized access. For instance, when a user submits a request to access a document, validate the request to ensure the user has permission to view or modify that document before proceeding.

8. Training and Awareness: Educate developers and staff about the importance of access control and best practices for implementing it. Regular training can help prevent common mistakes that lead to vulnerabilities.

Example: Organize regular workshops for developers on secure coding practices and access control mechanisms. For instance, provide training on how to implement access controls effectively and recognize common mistakes that lead to vulnerabilities.


Conclusion: Broken access control happens when people can access parts of an application or data they shouldn't. This can cause serious problems if not fixed. Developers and security experts need to understand why this happens and how to prevent it. By using strong access control methods, regularly checking for security issues, and following good practices, they can reduce the chance of unauthorized access and keep sensitive information safe.
