Day 3: OWASP Top 10 2021 – #1 Broken Access Control

Access Controls. What Are They?

Applying restrictions on who (or what) can carry out attempted actions or access resources that they have requested is known as access control (also known as permission). Access control in the context of online applications depends on session management and authentication:

• The subsequent HTTP requests performed by the same user are tracked by session management.
• Identification and confirmation of the user’s identity are accomplished through authentication.
• The user’s attempt to perform an activity is evaluated by access control to see if they are authorized to do so.

When access control is functioning effectively, no user can act in violation of the privileges that have been granted to them.

Broken Access Control

Broken Access Control made the first in the OWASP Top 10 list for 2021, broken access control is one of the most hazardous web application vulnerabilities. It was previously thought to be a small risk. Access control is a security approach that regulates who or what can view or utilize IT resources. It is an essential security concept that reduces the risk to the company or organization. When users can access a resource or perform an action that they are not meant to do, they have a broken access control vulnerability.

Broken access controls are a common and often severe security flaw. It had more occurrences in applications than any other category, as mapped by 34 CWEs (The list can be found in the later part of this blog post).

Visitor access should be restricted by website security access restrictions to only the pages or areas required by that type of user. An e-commerce site’s managers must be allowed to add new links and promotions, for instance. Other categories of visitors shouldn’t be able to access these features.

To prevent traps like content management systems (CMS) that generate all-access permission by default, developers must be pushed to adopt the “security first” discipline (up to and including admin-level access). Visitors to websites may gain access to admin panels, servers, databases, and other mission-critical software due to faulty access controls. This OWASP Top 10 threat can reroute browsers to other malicious URLs.

Scenario: An attacker simply forcefully browses to target URLs. Admin rights are required for access to the admin page.

https://example.com/app/getappInfo  

https://example.com/app/admin_getappInfo

If an unauthenticated user can access either of the pages above, it’s a flaw. If a non-admin can access the admin page, this is a flaw too. The system becomes subject to Compromised Access Control attacks, such as Privilege Escalation Attacks and CORS Misconfiguration Exploits, if this capability is broken.

Privilege Escalation

This refers to when an attacker succeeds in obtaining privileges they shouldn’t be able to.

What is CORS? (Cross Origin Resource Sharing)

Websites employ the Cross-Origin Resource Sharing (CORS) technology to get web browsers to relax the Same Origin Policy and allow cross-domain communication.

Preventive Measures to Broken Access Control Vulnerability

Only in trustworthy server-side programs or server-less APIs, where an attacker cannot alter the access control check or metadata, is access control effective. There are several solutions to fix the broken access control vulnerability, of which some include the following:

• Use a least-privileged strategy to ensure that each position is given the minimal level of access necessary to carry out its duties.
• Accounts that aren’t used or active anymore should be deleted.
• Audit server and website activities so that you know who is doing what (and when).
• Disable any additional access points that aren’t needed right now if there are any.

More information on this topic can be found on the OWASP website.

List To The Mapped 34 CWEs Regarding Broken Access Controls

• CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
• CWE-23 Relative Path Traversal
• CWE-35 Path Traversal: ‘…/…//’
• CWE-59 Improper Link Resolution Before File Access (‘Link Following’)
• CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
• CWE-201 Exposure of Sensitive Information Through Sent Data
• CWE-219 Storage of File with Sensitive Data Under Web Root
• CWE-264 Permissions, Privileges, and Access Controls (should no longer be used)
• CWE-275 Permission Issues
• CWE-276 Incorrect Default Permissions
• CWE-284 Improper Access Control
• CWE-285 Improper Authorization
• CWE-352 Cross-Site Request Forgery (CSRF)
• CWE-359 Exposure of Private Personal Information to an Unauthorized Actor
• CWE-377 Insecure Temporary File
• CWE-402 Transmission of Private Resources into a New Sphere (‘Resource Leak’)
• CWE-425 Direct Request (‘Forced Browsing’)
• CWE-441 Unintended Proxy or Intermediary (‘Confused Deputy’)
• CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere
• CWE-538 Insertion of Sensitive Information into Externally-Accessible File or Directory
• CWE-540 Inclusion of Sensitive Information in Source Code
• CWE-548 Exposure of Information Through Directory Listing
• CWE-552 Files or Directories Accessible to External Parties
• CWE-566 Authorization Bypass Through User-Controlled SQL Primary Key
• CWE-601 URL Redirection to Untrusted Site (‘Open Redirect’)
• CWE-639 Authorization Bypass Through User-Controlled Key
• CWE-651 Exposure of WSDL File Containing Sensitive Information
• CWE-668 Exposure of Resource to Wrong Sphere
• CWE-706 Use of Incorrectly-Resolved Name or Reference
• CWE-862 Missing Authorization
• CWE-863 Incorrect Authorization
• CWE-913 Improper Control of Dynamically-Managed Code Resources
• CWE-922 Insecure Storage of Sensitive Information
• CWE-1275 Sensitive Cookie with Improper SameSite Attribute

References And Labs To Get More Understanding of Broken Access Controls.

1. https://nse.digital/pages/guides/web/access-control.html
2. https://portswigger.net/web-security/access-control
3. https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties

This will be all for the Day 3 post. Hope you enjoyed it, kindly let me know in the comments section. Be sure to check out other blog posts of interest or come back tomorrow for the next day’s post. 😊