Today we are going to discuss one of the common vulnerabilities from the OWASP Top 10 list: the broken access control attack. Broken Access Control is a common vulnerability, largely because access control flaws are hard to detect with automated tools and are often left out of the functional testing done by developers. Let's first understand in detail what a Broken Access Control vulnerability is.
What is a Broken Access Control Attack?
Broken Access Control is a security vulnerability in which a user can act outside of their intended permissions. This can lead to unauthorized access, information disclosure, or the modification or deletion of data, which can be a serious security issue.
Let's understand a broken access control attack in simple terms. Suppose that you are pentesting a web application and you find an admin dashboard that doesn't require authentication at all; this is a clear authentication issue. You report the vulnerability and the developer patches it.
After that, you log in as a normal user but find that you can still use higher-privileged functionality as a normal user; this is an authorization issue. In this case, the developer forgot to validate that the logged-in user is actually authorized to use the admin dashboard.
Broken Access Control Vulnerabilities
From the user's perspective, access control vulnerabilities can be divided into the two categories mentioned below.
- Vertical Access Control: In this scenario a user can access or modify data or functionality that requires a level of permission beyond their role, for example a normal user reaching an admin-only page.
- Horizontal Access Control: Horizontal access controls are mechanisms that restrict access to resources to the users who are specifically allowed to access those resources. The vulnerability arises when a user can access or modify resources that belong to another user at the same privilege level.
Examples of Broken Access Controls
CSRF: Cross-Site Request Forgery
CSRF is a well-known attack vector that tricks a victim's browser into performing unwanted actions on a site where the victim is already authenticated. A successful CSRF could allow an attacker to change the victim's password, transfer funds into the attacker's account, or even gain full access over the victim's account.
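As an added example that is not part of the original article, the Python below models the transfer endpoint described above twice: once authenticating by session cookie alone, and once also requiring a synchronizer token bound to the session (HMAC of the session id under a server secret) plus an Origin header check. The session, account balances, user names and origins are constructed for the demo, and the request is represented as a plain dict rather than a real web framework object.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demo state. A real application loads the secret from a secrets
# store and keeps sessions and balances in a database.
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {"sess-victim": "alice"}          # session cookie value -> logged-in user
BALANCES = {"alice": 1000, "mallory": 0}
ALLOWED_ORIGIN = "https://bank.example"      # assumed origin of the site's own pages


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to one session: HMAC(secret, session_id).
    The site embeds it in its own forms; a page on another origin cannot read it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _move_funds(src: str, dst: str, amount: int) -> None:
    if dst not in BALANCES or BALANCES.get(src, 0) < amount:
        raise ValueError("invalid transfer")
    BALANCES[src] -= amount
    BALANCES[dst] += amount


def transfer_vulnerable(request: dict) -> str:
    """Authenticates by session cookie only. The browser attaches that cookie to a
    request triggered from any site, so the handler cannot tell who initiated it."""
    user = SESSIONS.get(request["cookies"].get("session"))
    if user is None:
        return "401 not logged in"
    _move_funds(user, request["form"]["to"], int(request["form"]["amount"]))
    return "200 transferred"


def transfer_hardened(request: dict) -> str:
    """Same endpoint with an Origin check and a per-session CSRF token."""
    session_id = request["cookies"].get("session")
    user = SESSIONS.get(session_id)
    if user is None:
        return "401 not logged in"
    # Defence in depth: the browser-set Origin header, when present, must be our own.
    origin = request["headers"].get("Origin")
    if origin is not None and origin != ALLOWED_ORIGIN:
        return "403 bad origin"
    # Primary control: the form must carry the token issued for this exact session.
    expected = issue_csrf_token(session_id)
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "403 missing or invalid csrf token"
    _move_funds(user, request["form"]["to"], int(request["form"]["amount"]))
    return "200 transferred"


def forged_request(origin: Optional[str] = "https://evil.example") -> dict:
    """Constructed: what the server sees when the victim's browser submits a form
    from another site. The victim's cookie is attached, but there is no token."""
    headers = {} if origin is None else {"Origin": origin}
    return {"cookies": {"session": "sess-victim"}, "headers": headers,
            "form": {"to": "mallory", "amount": "500"}}


def legitimate_request() -> dict:
    """Constructed: a submission of the site's own form, which carries the token."""
    return {"cookies": {"session": "sess-victim"},
            "headers": {"Origin": ALLOWED_ORIGIN},
            "form": {"to": "mallory", "amount": "100",
                     "csrf_token": issue_csrf_token("sess-victim")}}


if __name__ == "__main__":
    print("vulnerable, forged:", transfer_vulnerable(forged_request()))
    print("hardened, forged:", transfer_hardened(forged_request()))
    print("hardened, legitimate:", transfer_hardened(legitimate_request()))
```

The token check is the control that actually decides; the Origin comparison only adds a cheap early rejection, which is why a missing Origin header falls through to the token check instead of being accepted. Marking the session cookie `SameSite=Lax` or `Strict` is a further browser-side layer on top of this.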
IDOR: Insecure Direct Object Reference
IDOR is a sub-category of access control vulnerability. It arises when an application uses user-supplied input to access objects directly, and an attacker can modify that input to obtain unauthorized access. In this vulnerability, the application does not validate that the requester is allowed to access the resource referenced by the ID.
How to prevent Access Control Attack
There are a few methods you can use to prevent access control attacks by taking a defence-in-depth approach and applying the principles described below:
- Thoroughly audit and test that the access controls are working as they were designed
- Never rely on obfuscation alone for access control
- Use access control lists and role-based access control (RBAC) mechanisms
- Deny access to functionality by default
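As an added example that is not from the original article, the Python below puts the vertical case (the admin dashboard from the introduction), the horizontal/IDOR case (an invoice looked up by a user-supplied ID) and the prevention principles above into one small model: a role-based permission table that denies anything not explicitly listed, an ownership check on the object being fetched, and a vulnerable handler beside each hardened one. The users, roles, permission names and invoices are constructed for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str            # constructed roles: "user" or "admin"


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    amount: int


# Constructed sample data: two ordinary users, one admin, two invoices.
ALICE = User(1, "user")
BOB = User(2, "user")
ROOT = User(0, "admin")
INVOICES = {
    101: Invoice(101, owner_id=1, amount=250),
    102: Invoice(102, owner_id=2, amount=900),
}

# Role-based permission table. Anything not listed is denied (deny by default),
# so an unknown role or a mistyped permission name fails closed rather than open.
PERMISSIONS = {
    "admin": {"invoice:read_any", "invoice:delete_any", "admin:dashboard"},
    "user": {"invoice:read_own"},
}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def has_permission(user: User, permission: str) -> bool:
    return permission in PERMISSIONS.get(user.role, set())


# --- Vertical: the admin dashboard ---------------------------------------
def admin_dashboard_vulnerable(user: User) -> dict:
    """Assumes authentication already happened and never checks authorization,
    so any logged-in user reaches the admin view (the case from the article)."""
    return {"invoice_count": len(INVOICES),
            "total_amount": sum(i.amount for i in INVOICES.values())}


def admin_dashboard(user: User) -> dict:
    """Hardened: the role must explicitly grant the dashboard permission."""
    if not has_permission(user, "admin:dashboard"):
        raise Forbidden("admin:dashboard")
    return admin_dashboard_vulnerable(user)


# --- Horizontal / IDOR: invoice lookup by user-supplied id ---------------
def get_invoice_vulnerable(user: User, invoice_id: int) -> Invoice:
    """Uses the id straight from the request: asking for 102 instead of 101
    hands Alice Bob's invoice, because ownership is never compared."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound(invoice_id)
    return invoice


def get_invoice(user: User, invoice_id: int) -> Invoice:
    """Hardened: admins may read any invoice, users only their own."""
    invoice = INVOICES.get(invoice_id)
    if invoice is not None:
        if has_permission(user, "invoice:read_any"):
            return invoice
        if has_permission(user, "invoice:read_own") and invoice.owner_id == user.id:
            return invoice
    # Same response whether the record is missing or belongs to someone else,
    # so the endpoint does not reveal which ids exist.
    raise NotFound(invoice_id)


def outcome(handler, *args) -> str:
    """Helper for the checks: 'ok' or the name of the access error raised."""
    try:
        handler(*args)
        return "ok"
    except (Forbidden, NotFound) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    print("alice -> vulnerable dashboard:", outcome(admin_dashboard_vulnerable, ALICE))
    print("alice -> hardened dashboard:", outcome(admin_dashboard, ALICE))
    print("alice -> bob's invoice (vulnerable):", get_invoice_vulnerable(ALICE, 102))
    print("alice -> bob's invoice (hardened):", outcome(get_invoice, ALICE, 102))
```

Note that the hardened lookup applies both kinds of control at once: the permission table answers the vertical question (may this role read invoices at all, and whose), and the `owner_id` comparison answers the horizontal one. Testing the access controls, the first item in the list above, comes down to calling each handler as each role and asserting on exactly these outcomes.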
That was all about access control attacks and how to prevent them. If you liked our article, do share it with your friends and family, and if you have any doubts, comment below and we will get back to you.