In 2021, Broken Access Control moved up from 5th place to the #1 spot on the OWASP Top 10 as “the most serious web application security risk.” With broken access control being one of the most prevalent weaknesses for web applications, it’s important to not only understand this type of vulnerability but also how to prevent it.
What is Broken Access Control?
To understand what broken access control is, let’s first understand access control.
Access control is the set of permissions that determines which actions a user may carry out within an application. For example, web applications need access controls so that users with varying privileges can use the application: some users may only be able to read data, while others can modify or create it. A system administrator usually manages the application’s access control rules and the granting of permissions.
Broken access control is a critical security vulnerability in which attackers can perform any action (access, modify, delete) outside of an application’s intended permissions.
Common Access Control Vulnerabilities
The design and management of access controls can be complex, and because access control decisions are made by humans, the margin for error is high.
OWASP lists the following as common access control vulnerabilities:
- Violation of the principle of least privilege or denial by default, where access should only be granted for particular capabilities, roles, or users, but is available to anyone.
- Bypassing access control checks by modifying the URL (parameter tampering or force browsing), internal application state, or the HTML page, or by using an attack tool to modify API requests.
- Permitting viewing or editing someone else's account by providing its unique identifier (insecure direct object references).
- Accessing an API with missing access controls for POST, PUT, and DELETE.
- Elevation of privilege. Acting as a user without being logged in or acting as an admin when logged in as a user.
- Metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) access control token, or a cookie or hidden field manipulated to elevate privileges or abusing JWT invalidation.
- CORS misconfiguration that allows API access from unauthorized/untrusted origins.
- Force browsing to authenticated pages as an unauthenticated user or to privileged pages as a standard user.
How to Prevent Vulnerabilities
It’s important to take a defense-in-depth approach, as access control vulnerabilities can’t be prevented by applying a single formula: access rights, permissions, principals, workflows, and purposes vary from application to application.
Generally speaking, your access control strategy should cover three aspects:
- Authentication: You need to correctly identify a user when they return to an application.
- Authorization: Once a user has been authenticated, authorization decides what actions a user should and should not be able to perform.
- Permissions Checking: When a user attempts to perform an action, authorization is evaluated at that point in time.
As applications are increasingly built on APIs, it’s important to also understand the top vulnerabilities associated with APIs, the OWASP API Top 10. For example, when considering best practices for authentication and authorization, remember that you must account for both user and machine identities. Salt Security recommends the following for API authentication and authorization:
- Continuously authenticate and authorize API consumers
- Avoid the use of API keys as a means of authentication
- Use modern authorization protocols such as OAuth2 with security extensions
Access Control Best Practices
Here are some best practices that can be implemented to prevent broken access control:
- Enforce least privileges: Assign users the minimum privileges needed to complete their function.
- Deny by default: For security purposes, even when no access control rules are explicitly matched, an application should be configured to deny access by default.
- Validate permissions on every request: Correctly validate permissions on every request, including those initiated by AJAX script, server-side, or any other source.
- Take time to thoroughly review the authorization logic of chosen tools and technology, and implement custom logic when necessary. Test all configurations.
- Prefer feature and attribute-based controls over role-based.
- Ensure lookup IDs are not accessible (even when guessed) and cannot be tampered with.
- Ensure that static resources are authorized and incorporated into access control policies.
- Authorization checks should be performed at the right location. Never rely on client-side access control checks.
- Exit safely when authorization checks fail.
- Unit and integration test authorization logic.
To learn more about these best practices for your access control strategy, refer to the Authorization Cheat Sheet by OWASP.
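The following is an added example, not code from the original article or from OWASP, showing the insecure direct object reference from the vulnerability list above beside a hardened handler that applies several of the best practices (deny by default, server-side checks on every request, attribute-based rules, safe exit on failure). The `User`, `Invoice`, and `INVOICES` data are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed sample data for the example (not a real system).
@dataclass(frozen=True)
class User:
    id: int
    role: str                 # "user" or "admin"
    authenticated: bool = True

@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int

INVOICES = {1: Invoice(1, owner_id=10), 2: Invoice(2, owner_id=20)}

def get_invoice_vulnerable(user: User, invoice_id: int) -> Optional[Invoice]:
    """Insecure direct object reference: the handler trusts the client-supplied
    ID and never checks that the caller owns the record."""
    return INVOICES.get(invoice_id)

class Forbidden(Exception):
    """Raised when an authorization check fails; the caller must exit safely."""

# Explicit (role, action) rules; each rule also checks object attributes
# (ownership), so this is attribute-based rather than purely role-based.
Rule = Callable[[User, Invoice], bool]
PERMISSIONS: Dict[Tuple[str, str], Rule] = {
    ("user", "invoice:read"):    lambda u, inv: inv.owner_id == u.id,
    ("admin", "invoice:read"):   lambda u, inv: True,
    ("admin", "invoice:delete"): lambda u, inv: True,
    # No ("user", "invoice:delete") entry: plain users cannot delete, by default.
}

def is_authorized(user: Optional[User], action: str, invoice: Invoice) -> bool:
    """Deny by default: unauthenticated callers and unmatched (role, action)
    pairs are refused; only an explicit rule that returns True grants access."""
    if user is None or not user.authenticated:
        return False
    rule = PERMISSIONS.get((user.role, action))
    return rule is not None and rule(user, invoice)

def get_invoice_hardened(user: Optional[User], invoice_id: int) -> Invoice:
    """Server-side check on every request. A missing record and a forbidden
    one produce the same error, so IDs cannot be enumerated by probing."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not is_authorized(user, "invoice:read", invoice):
        raise Forbidden("access denied")
    return invoice
```

In a real web framework the same `is_authorized` call belongs in the request handler (or a middleware that runs for every route), never in client-side code.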
Why You Should Care
Broken access control vulnerabilities can have far-reaching consequences. Privileged data could be exposed, and malware could lead to further attacks and destruction. Beyond the data, companies face litigation, damage control, loss of market share and market valuation, repair of compromised systems, and delays in system improvements; the list goes on. With exploits and attacks more prevalent than ever, ensuring your system’s security has never been more important. Although delivering robust access control can be quite complex, understanding common vulnerabilities and applying best practices will help you design your strategy.
