In 2021, Broken Access Control moved up from on the OWASP Top 10 as “the most serious web application security risk.” With broken access control being one of the most prevalent weaknesses for web applications, it’s important to not only understand this type of vulnerability but also how to prevent it. 5th place to the #1 spot What is Broken Access Control? To understand what broken access control is, let’s first understand access control. Access control is the permissions granted that allow a user to carry out an action within an application. For example, web applications need access controls to allow users with varying privileges to use the application. Some users may only be able to access data, while others can modify or create data. A system administrator usually manages the application’s access control rules and the granting of permissions. Broken access control is a critical security vulnerability in which attackers can perform any action (access, modify, delete) outside of an application’s intended permissions. Common Access Control Vulnerabilities The design and management of access controls can be complex and as access control decisions are made by humans, there is a high margin for error. The OWASP lists the following as : common access control vulnerabilities Violation of the principle of least privilege or denial by default, where access should only be granted for particular capabilities, roles, or users, but is available to anyone. Bypassing access control checks by modifying the URL (parameter tampering or force browsing), internal application state, or the HTML page, or by using an attack tool to modify API requests. Permitting viewing or editing someone else's account, by providing its unique identifier                   (insecure direct object references) Accessing API with missing access controls for POST, PUT and DELETE. Elevation of privilege. Acting as a user without being logged in or acting as an admin when logged in as a user. Metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT)                     access control token, or a cookie or hidden field manipulated to elevate privileges or abusing JWT invalidation. CORS misconfiguration allows API access from unauthorized/untrusted origins. Force browsing to authenticated pages as an unauthenticated user or to privileged pages as a standard user. How to Prevent Vulnerabilities It’s important to take a defense-in-depth approach as access control vulnerabilities can’t be prevented by applying a single formula due to the varying factors in access rights, permissions, principles, workflow, and purpose in applications. Generally speaking, your access control strategy should cover three aspects: : You need to correctly identify a user when they return to an application. Authentication : Once a user has been authenticated, authorization decides what actions a                user should and should not be able to perform. Authorization : When a user attempts to perform an action, authorization is evaluated at that point in time. Permissions Checking As applications are increasingly built on APIs, it’s important to also understand the top vulnerabilities associated with APIs, the . For example, when considering best practices for authentication and authorization, remember that you must account for both user and machine identities. Salt Security recommends the following for : OWASP API Top 10 API authentication and authorization Continuously authenticate and authorize API consumers Avoid the use of API keys as a means of authentication Use modern authorization protocols such as OAuth2 with security extensions Access Control Best Practices Here are some best practices that can be implemented to prevent broken access control: Enforce least privileges: Assign users the minimum privileges needed to complete their function. Deny by default: For security purposes, even when no access control rules are explicitly matched, an application should be configured to deny access by default. Validate permissions on every request: Correctly validate permissions on every request,                    including those initiated by AJAX script, server-side, or any other source. Take time to thoroughly review the authorization logic of chosen tools and technology and implement custom logic when necessary. Test configurations all configurations. Prefer feature and attribute-based controls over role-based. Ensure lookup IDs cannot be accessible (even when guessed) and cannot be tampered with. Ensure that static resources are authorized and incorporated into access control policies. Authorization checks should be performed at the right location. Never rely on client-side access control checks. Exit safely when authorization checks fail. Unit and integration test authorization logic. To learn more about these best practices for your access control strategy, refer to the by OWASP. Authorization Cheat Sheet Why You Should Care Broken access control vulnerabilities can have far-reaching consequences. Privileged data could be exposed, malware could lead to further attacks and destruction.  Beyond the data, companies face litigation, damage control, loss of market share and market valuation, repair of compromised systems, and delays in system improvements – the list goes on. With exploits and attacks more prevalent than ever, ensuring your system’s security is more important than ever. Although delivering robust access control can be quite complex, understanding common vulnerabilities and applying best practices will help you in designing your strategy.

2022 - HackerNoon Contributor of the Year - Best Practices

2022 - HackerNoon Contributor of the Year - Management

Nominated for 2022 - HackerNoon Contributor of the Year - Management

Nominated for 2022 - HackerNoon Contributor of the Year - Best Practices

Too Long; Didn't Read

Developers: Build Less. Deliver More. [Learn how]	

What is Broken Access Control and Why Should You Care?

Too Long; Didn't Read

Anastasios Arampatzis

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

What is Broken Access Control and Why Should You Care?

Too Long; Didn't Read

Anastasios Arampatzis

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES