One of the most common vulnerabilities Packetlabs discovers when performing web application penetration tests is broken access control. Access control vulnerabilities occur when users can act outside of their intended permissions. This typically leads to unauthorized access, information disclosure, and modification or destruction of data. These vulnerabilities arise from insecure coding or from insecure implementation of authentication and authorization mechanisms.

There are many considerations when implementing authentication in web applications, such as password security, account recovery controls, password reset controls, account permissions, and session management. Numerous frameworks designed to handle authentication and authorization plug into popular languages and web application frameworks. While popular frameworks are known for strong security, using one still requires attention to several factors to ensure it is securely configured; in particular, the framework authenticates the user, but deciding which objects and actions that user may access remains the application's responsibility.

What are Access Control Vulnerabilities?

Access controls are designed to prevent users from acting outside their intended permissions. When these controls are vulnerable, or when they are missing altogether, users can act outside of their intended permissions. This may allow attackers to steal information from other users, modify data, and perform actions as other users.

Access control vulnerabilities are commonly split into two categories: horizontal privilege escalation and vertical privilege escalation.

  • Horizontal Privilege Escalation: Occurs when a user can perform an action or access data of another user with the same level of permissions.
  • Vertical Privilege Escalation: Occurs when a user can perform an action or access data that requires a level of access beyond their role.

Broken Access Control ranks 5th in the 2017 OWASP Top 10 web application vulnerabilities. Access control issues are typically not detectable by dynamic vulnerability scanners or static source-code review tools, because finding them requires an understanding of which users are supposed to be able to reach which pieces of data and functionality within the web app. Manual testing is the best way to detect missing or broken access controls.

Impact and Risk

Broken access controls leave applications at high risk of compromise, typically impacting the confidentiality and integrity of data. An adversary can steal information belonging to other users of the application, manipulate data by performing actions reserved for other user roles, and in certain circumstances compromise the web server. Manipulation of data may allow account hijacking, theft if the application deals with currency or tangible goods, and control of systems or services the application manages. Further attacks against the web server and infrastructure may be possible depending on the nature of the application.

Figure 1: Broken Access Control Diagram

Access Control Attack Scenarios

Let’s walk through some fictitious examples of a banking application that is vulnerable to different access control attacks to gain a better understanding of how these attacks can be performed, their impact, and

  • Horizontal Permission Issues: Imagine a simple scenario where an attacker logs into a banking application using their own account details. When the attacker views their account, the browser makes a request to the web server for that account number's balance and recent transactions.

An attacker observes the following request made by the application when loading their banking dashboard.

The attacker modifies the request to use another user's bank account number by changing the accountID parameter from 4462 to 4463. The server looks up whichever account number it is given without checking that the logged-in user owns it.

The application's response provides the attacker with the account details of another person.

Vertical Permission Issues:
Building on the previous example, the banking application has a customer support role that allows customer support agents to help customers with account issues. The customer support role has the ability to search a database of all customers; this feature is not available to customers. The attacker discovers that this feature exists through comments left in the web page's source code. Hiding a feature from the user interface is not an access control: the server must enforce the role check on the request itself.

The attacker crafts a request based on this information to search the customer database.

The application responds with a list of 100 customers from the application's database, because the search endpoint never verifies that the requester holds the customer support role.

In addition to the manipulation of request parameters and URL paths, exploitation commonly involves tampering with metadata such as session tokens or cookies, or abusing CORS misconfigurations.
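To make the two scenarios concrete, the following is an added example (not code from the original post or from the fictitious banking application) that models both the horizontal and the vertical issue in plain Python, alongside the server-side checks that fix them. The account numbers 4462 and 4463 come from the scenarios above; the users, roles, balances, customer names and permission strings are constructed for the example, and the `attempt` helper stands in for the HTTP layer returning 403.

```python
"""Broken vs. enforced access control for the banking scenarios (added example)."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a request is denied; the web layer would map this to HTTP 403."""


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "customer" or "support" (constructed roles)


@dataclass
class Account:
    account_id: int
    owner_id: int
    balance: float
    transactions: list = field(default_factory=list)


# Constructed sample data. Account 4462 belongs to user 1 (the attacker),
# account 4463 belongs to user 2 (the victim).
ACCOUNTS = {
    4462: Account(4462, owner_id=1, balance=1500.00, transactions=["-45.10 groceries"]),
    4463: Account(4463, owner_id=2, balance=98000.00, transactions=["+5000.00 payroll"]),
}
CUSTOMERS = {1: "alice", 2: "bob", 3: "carol", 4: "dave"}

# Permission-based policy: each role is granted an explicit set of actions.
# Anything not listed here is denied by default.
ROLE_PERMISSIONS = {
    "customer": {"account:read:own"},
    "support": {"account:read:own", "customer:search"},
}


def has_permission(user: User, permission: str) -> bool:
    """Deny by default: unknown roles or unlisted permissions return False."""
    return permission in ROLE_PERMISSIONS.get(user.role, set())


# ---- Horizontal issue: the accountID parameter is trusted as-is --------------

def get_account_vulnerable(session_user: User, account_id: int) -> Account:
    """Vulnerable: returns whichever account the client asked for."""
    return ACCOUNTS[account_id]


def get_account_secure(session_user: User, account_id: int) -> Account:
    """Fixed: the server verifies that the logged-in user owns the account.

    A missing account and a foreign account are rejected identically so the
    attacker cannot enumerate which account numbers exist.
    """
    account = ACCOUNTS.get(account_id)
    if account is None or account.owner_id != session_user.user_id:
        raise Forbidden(f"user {session_user.user_id} may not read account {account_id}")
    if not has_permission(session_user, "account:read:own"):
        raise Forbidden(f"role {session_user.role} may not read accounts")
    return account


# ---- Vertical issue: a support-only feature with no role check --------------

def search_customers_vulnerable(session_user: User, query: str) -> list:
    """Vulnerable: anyone who knows the endpoint can search all customers."""
    return sorted(name for name in CUSTOMERS.values() if query in name)


def search_customers_secure(session_user: User, query: str) -> list:
    """Fixed: the server checks the permission, not merely whether the UI showed a link."""
    if not has_permission(session_user, "customer:search"):
        raise Forbidden(f"role {session_user.role} may not search customers")
    return sorted(name for name in CUSTOMERS.values() if query in name)


def attempt(handler, session_user: User, arg):
    """Run a handler as the given user; return its result or "FORBIDDEN" (stand-in for 403)."""
    try:
        return handler(session_user, arg)
    except Forbidden:
        return "FORBIDDEN"


if __name__ == "__main__":
    attacker = User(user_id=1, role="customer")
    agent = User(user_id=3, role="support")
    print("vulnerable, accountID=4463:", attempt(get_account_vulnerable, attacker, 4463))
    print("secure,     accountID=4463:", attempt(get_account_secure, attacker, 4463))
    print("vulnerable customer search:", attempt(search_customers_vulnerable, attacker, "a"))
    print("secure customer search:    ", attempt(search_customers_secure, attacker, "a"))
    print("secure search as support:  ", attempt(search_customers_secure, agent, "a"))
```

The important property is that both fixed handlers decide on the server using the identity from the session and an explicit permission set, never on a value the client supplied or on whether a feature was visible in the page. The ownership check in `get_account_secure` is the object-level check that closes the horizontal issue; the `customer:search` permission is the role check that closes the vertical one.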

Remediation

There are several access control models. When developing an application, the appropriate model should be selected and adhered to throughout development and testing to minimize access control vulnerabilities. These models include, but are not limited to:

  • Role-based Access Control
  • Mandatory Access Control
  • Permission Based Access Control
  • Discretionary Access Control

Each model has its own pros and cons, and selection of the model will depend on several factors including the application's primary purpose, the level of security required, and its design.

Remediating access control vulnerabilities will typically involve changes to application code. These changes often include implementing server-side checks to ensure that the user attempting to access or modify data has rights to that specific data, and changing the default behavior to deny access or modification unless it is explicitly granted. Client-side checks alone are not sufficient, since the attacker controls the client and can replay or modify any request. Organizations should look into implementing a Systems Development Life Cycle (SDLC) policy that adopts secure coding practices while ensuring penetration testing is performed in the final stages of development to identify access control issues not found during development.

Additional steps to remediate access control vulnerabilities may include disabling directory listings, rate limiting APIs and authentication- or authorization-related pages, logging and alerting on access control failures, and invalidating authentication tokens upon logout.

For more information on access control vulnerabilities, OWASP has a great cheat sheet available and a dedicated page on access control vulnerabilities.

How Can We Help?

Dynamic and static application testing often cannot find access control issues. At Packetlabs we use automation but do not rely on it. In addition to using popular scanning tools, we apply manual testing methodologies consisting of over 150 checks that consistently identify vulnerabilities not reported by scanning tools. Our methodology is based on years of industry experience and certifications including OSCP, OSCE, GWAPT, GXPN, CEH and more. If you’re looking for penetration testing services, please reach out and contact us.