Blog
Broken access controls are the most common vulnerability discovered during web application penetration testing. It moved up from 5th position to the 1st position in the 2021 OWASP Top 10 web application vulnerabilities list. Access control vulnerabilities occur when users are able to act outside of their intended permissions. This typically leads to unauthorized access, information disclosure, and modification or destruction of data. These vulnerabilities arise from unsecured coding or unsecured implementation of authentication and authorization mechanisms.
There are various factors to consider when implementing authentication into web applications, such as password security, account recovery controls, password reset controls, account permissions, and session management. Numerous frameworks are designed to handle authentication and authorization that plug into popular languages and web application frameworks. Popular frameworks are known for high-strength security. However, implementing these frameworks requires consideration of several factors to ensure they are securely configured.
What are Access Control Vulnerabilities?
Access controls are designed to prevent users from acting outside their intended permissions. Users can take actions beyond the scope of their authorized permissions if there are vulnerabilities in these controls or if they do not exist. This may allow attackers to steal information from other users, modify data and perform actions as other users.
Two common names for splitting access control vulnerabilities into categories are horizontal privilege escalation and vertical privilege escalation.
Horizontal privilege escalation
occurs when a user can perform an action or access data of another user with the same level of permissions
Vertical privilege escalation
occurs when a user can perform an action or access data that requires a level of access beyond their role
Broken Access Control moved up from 5th position to the 1st position in the 2021 OWASP Top 10 web application vulnerabilities list. Access control issues are typically not detectable by dynamic vulnerability scanning and static source-code review tools as they require an understanding of how certain pieces of data are used within the web app. Manual testing is the best way to detect missing or broken access controls.
Impact and Risk of Broken Access Controls
Broken access controls can put applications at risk of a data breach, usually resulting in the loss of confidentiality and integrity. An adversary can steal information accessed by users of the application, manipulate data by performing actions that various user roles can perform within the application, and in certain circumstances, compromise the webserver. Data manipulation may allow account hijacking, theft if the application deals with currency or tangible goods, and control of systems/services the application monitors. Further attacks against the web server and infrastructure may be possible, given the nature of the application.
Figure 1: Broken Access Control Diagram
Access Control Attack Scenarios
Scenario 1: A banking application has horizontal permission issues. Imagine this simple scenario where an attacker logs into a banking application using their own account details. When the attacker views their account, the browser makes a request to the webserver for the account numbers balance and recent transactions.
An attacker observes the following request made by the application when loading their banking dashboard.
https://mybankingapp.test/cgi-bin/hpe.py?accountId=4462
The attacker modifies the request to use the bank account number of another user by changing the accountID parameter from 4462 to 4463.
https://mybankingapp.test/cgi-bin/hpe.py?accountId=4463
The application's response provides the attacker with another person's account details.
{“AccountID”: 4463, “Balance”: “$167,183.09”}
Scenario 2: A banking application has vertical permission issues. Building on the previous example, the banking application has a customer support role that allows customer support agents to help customers with account issues. The customer support role has the ability to search a database of all customers which is not available to customers. The attacker discovers that this feature exists through some comments left in the web page's source code.
The attacker crafts a request based on this information to search the customer database.
https://mybankingapp.test/cgi-bin/customer_search.py?limit=5
The application responds with a list of 100 customers from the application’s database.
In addition to manipulating request parameters and URL paths, exploitation commonly involves tampering of metadata such as session tokens, cookies, or CORS misconfigurations.
Remediation
There are a variety of access control models to choose from when developing applications. Once the model has been selected, it should be kept throughout development and testing to minimize security concerns. These models include but are not limited to:
Role-based Access Control
Mandatory Access Control
Permission-Based Access Control
Discretionary Access Control
Each model has its pros and cons, but the selection of the model will depend on several factors, including the application's primary purpose, level of security required and design.
Remediation of access control vulnerabilities will typically involve changes to the functionality of the application code. These changes may include adding server-side checks to verify that users attempting to access or change data have the proper clearance and changing default behaviour so that access or modification is prohibited unless explicitly permitted.
Organizations may find it helpful to look into implementing a Systems Development Life Cycle (SDLC) policy that adopts secure coding practices while ensuring penetration testing is performed in the final stages of development to identify access control issues not identified during development.
Additional steps to remediate access control vulnerabilities may include disabling directory listings, API rate limiting, authentication or authorization-related pages, and authentication tokens upon logging out.
Learn more about broken access controls
Next steps
There are several steps that organizations can take to prevent or mitigate access control issues in web applications. These steps may include implementing secure coding practices and penetration testing throughout the application development process and disabling directory listings, API rate limiting, authentication or authorization-related pages.
Contact the Packetlabs team to learn more about securing your broken access controls.