Day 3: OWASP Top 10 2021 – #1 Broken Access Control

Access Controls. What Are They?

Applying restrictions on who (or what) can carry out attempted actions or access resources that they have requested is known as access control (also known as permission). Access control in the context of online applications depends on session management and authentication:

  • The subsequent HTTP requests performed by the same user are tracked by session management.
  • Identification and confirmation of the user’s identity are accomplished through authentication.
  • The user’s attempt to perform an activity is evaluated by access control to see if they are authorized to do so.

When access control is functioning effectively, no user can act in violation of the privileges that have been granted to them.

Broken Access Control

Broken Access Control took first place in the OWASP Top 10 list for 2021, making it one of the most hazardous web application vulnerabilities; it was previously considered a minor risk. Access control is a security approach that regulates who or what can view or use IT resources. It is an essential security concept that reduces risk to the company or organization. When users can access a resource or perform an action that they are not meant to, the application has a broken access control vulnerability.

Broken access control is a common and often severe security flaw. The category had more occurrences in tested applications than any other, with 34 CWEs mapped to it (the list can be found later in this blog post).

A website’s access restrictions should limit each type of visitor to only the pages or areas that type of user requires. An e-commerce site’s managers must be allowed to add new links and promotions, for instance. Other categories of visitors shouldn’t be able to access these features.

Developers must be pushed to adopt a “security first” discipline to avoid traps such as content management systems (CMS) that grant all-access permissions by default, up to and including admin-level access. Due to faulty access controls, website visitors may gain access to admin panels, servers, databases, and other mission-critical software. This OWASP Top 10 threat can also reroute browsers to other malicious URLs.

Scenario: An attacker simply force-browses to the target URLs. Admin rights should be required to access the admin page.

https://example.com/app/getappInfo  

https://example.com/app/admin_getappInfo

If an unauthenticated user can access either of the pages above, it’s a flaw. If a non-admin can access the admin page, this is a flaw too. When these controls are broken, the system becomes subject to Broken Access Control attacks such as Privilege Escalation and CORS Misconfiguration Exploits.

Privilege Escalation

This refers to when an attacker succeeds in obtaining privileges they shouldn’t be able to.

What is CORS? (Cross Origin Resource Sharing)

Websites employ the Cross-Origin Resource Sharing (CORS) technology to get web browsers to relax the Same Origin Policy and allow cross-domain communication.
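
The following is an added example, not code from the original post: it contrasts the classic CORS misconfiguration (a server that reflects whatever `Origin` header arrives and also allows credentials, which effectively switches off the Same Origin Policy for every site) with a server that only echoes origins from a fixed allowlist. The `TRUSTED_ORIGINS` set and the origins used in the demo are constructed values; `cross_origin_read_allowed` is a simplified stand-in for the browser’s own check.

```python
# Added example (not from the original post): deciding which
# Access-Control-Allow-Origin header a server should send.
# All origins below are constructed for illustration.

from typing import Dict, Optional

# Hypothetical allowlist of origins trusted to call this API with credentials.
TRUSTED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com",
})


def cors_headers_reflecting(origin: Optional[str]) -> Dict[str, str]:
    """Weak policy: echo any Origin that arrives and allow credentials.

    This is the misconfiguration: every site on the web becomes a trusted
    origin, so any page the victim visits can read authenticated responses.
    """
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_allowlisted(origin: Optional[str]) -> Dict[str, str]:
    """Hardened policy: only exact matches from the allowlist are echoed.

    An absent or untrusted Origin gets no CORS headers at all, so the browser
    enforces the Same Origin Policy as usual. 'Vary: Origin' stops caches from
    serving a response built for one origin to a different one.
    """
    if origin in TRUSTED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}


def cross_origin_read_allowed(headers: Dict[str, str], origin: str) -> bool:
    """Simplified mirror of the browser's check: may a page at `origin`
    read this response? The header must exactly match the requesting
    origin, or be '*' (and '*' is never honoured together with credentials).
    """
    allowed = headers.get("Access-Control-Allow-Origin")
    if allowed is None:
        return False
    if allowed == "*":
        return headers.get("Access-Control-Allow-Credentials") != "true"
    return allowed == origin


if __name__ == "__main__":
    for origin in ("https://app.example.com", "https://evil.example.net", None):
        weak = cors_headers_reflecting(origin)
        strong = cors_headers_allowlisted(origin)
        print(f"{origin!s:28} reflecting -> {bool(weak)}  allowlisted -> {bool(strong)}")
```

Note that the allowlist uses exact string matching: prefix or suffix checks on the origin (for example "starts with https://app.example.com") are a common way to reintroduce the weakness, because an attacker-registered domain can be made to satisfy them.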

Preventive Measures to Broken Access Control Vulnerability

Access control is only effective when it is enforced in trusted server-side code or serverless APIs, where an attacker cannot alter the access control check or its metadata. There are several ways to fix a broken access control vulnerability, including the following:

  • Use a least-privilege strategy to ensure that each role is given the minimal level of access necessary to carry out its duties.
  • Delete accounts that are no longer used or active.
  • Audit server and website activity so that you know who is doing what (and when).
  • Disable any additional access points that are not currently needed.
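
The following is an added example, not code from the original post, that ties the forced-browsing scenario above to these preventive measures. It models the two URLs from the scenario behind a server-side authorization layer: a deny-by-default role table (least privilege), a route table that fails closed for unregistered paths, and an audit log of every decision. The roles, sessions, users and the `Response`/`AuditLog` types are all constructed for illustration, and no web framework is used so the check itself stays visible.

```python
# Added example (not from the original post): server-side access control for
# /app/getappInfo and /app/admin_getappInfo, with deny-by-default and auditing.
# Roles, sessions and users here are constructed for illustration.

from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

# Permissions granted to each role. Deny-by-default: a permission missing from
# a role's set is refused, and an unknown role has nothing at all.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "user": frozenset({"app:read"}),
    "admin": frozenset({"app:read", "app:admin"}),
}

# Permission each route requires. A route absent from this table is never
# served, so forgetting to register one fails closed rather than open.
ROUTE_PERMISSIONS: Dict[str, str] = {
    "/app/getappInfo": "app:read",
    "/app/admin_getappInfo": "app:admin",
}

# Constructed session store: session id -> authenticated user and role.
SESSIONS: Dict[str, Dict[str, str]] = {
    "sess-alice": {"user": "alice", "role": "user"},
    "sess-bob": {"user": "bob", "role": "admin"},
}


@dataclass
class Response:
    status: int
    body: str


@dataclass
class AuditLog:
    """Records who requested what and how the decision went."""
    entries: List[str] = field(default_factory=list)

    def record(self, user: str, path: str, decision: str) -> None:
        self.entries.append(f"user={user} path={path} decision={decision}")


def handle_vulnerable(path: str, session_id: Optional[str]) -> Response:
    """Broken access control: the admin page is merely 'hidden', never checked.

    Anyone who browses directly to /app/admin_getappInfo receives it.
    """
    if path in ROUTE_PERMISSIONS:
        return Response(200, f"contents of {path}")
    return Response(404, "not found")


def handle_secure(path: str, session_id: Optional[str], audit: AuditLog) -> Response:
    """Fixed version: authenticate, resolve the role, check the permission."""
    session = SESSIONS.get(session_id or "")
    if session is None:
        audit.record("anonymous", path, "deny:unauthenticated")
        return Response(401, "authentication required")
    required = ROUTE_PERMISSIONS.get(path)
    if required is None:
        audit.record(session["user"], path, "deny:unknown-route")
        return Response(404, "not found")
    granted = ROLE_PERMISSIONS.get(session["role"], frozenset())
    if required not in granted:
        audit.record(session["user"], path, "deny:forbidden")
        return Response(403, "forbidden")
    audit.record(session["user"], path, "allow")
    return Response(200, f"contents of {path}")


if __name__ == "__main__":
    log = AuditLog()
    for sid in (None, "sess-alice", "sess-bob"):
        for path in ROUTE_PERMISSIONS:
            vuln = handle_vulnerable(path, sid).status
            safe = handle_secure(path, sid, log).status
            print(f"session={sid!s:11} {path:24} vulnerable={vuln} secure={safe}")
    print("\n".join(log.entries))
```

Running the block shows the unauthenticated and non-admin requests for the admin page succeeding (200) against the vulnerable handler and being refused (401 and 403) by the secure one, with each refusal appearing in the audit log; the log entries are what the "audit server and website activity" measure above is meant to produce.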

More information on this topic can be found on the OWASP website.

List To The Mapped 34 CWEs Regarding Broken Access Controls

References And Labs To Get More Understanding of Broken Access Controls.
  1. https://nse.digital/pages/guides/web/access-control.html
  2. https://portswigger.net/web-security/access-control
  3. https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties

This will be all for the Day 3 post. Hope you enjoyed it, kindly let me know in the comments section. Be sure to check out other blog posts of interest or come back tomorrow for the next day’s post. 😊