What is Broken Access Control Vulnerability And How to Prevent it
The article discusses the significance of the Broken Access Control vulnerability in software security, its types and examples, and offers prevention strategies. It emphasizes the importance of proper server-side access control checks, input validation, and defenses against injection to safeguard applications against unauthorized access and potential attacks.
August 31, 2023
Broken Access Control is a critical class of software security flaw. It was ranked 5th (A5) in the OWASP Top 10 web application security risks in 2017, and its prevalence grew enough that it moved to the 1st spot (A01) in the 2021 edition of the list.
In this post, we’ll explain what the Broken Access Control vulnerability is and how you can prevent Broken Access Control in your application.
What is Broken Access Control?
Broken Access Control is a type of application security vulnerability that lets users access data and functionality they should not be able to reach. In most Broken Access Control attacks, a malicious user takes advantage of access control that is weak, inconsistent, or simply not implemented in the target application.
There are many forms of Broken Access Control. One example is a regular user of a web application being able to open the admin page because the check that should restrict it is missing on the server, or is only enforced in the browser by hiding the link. That user can then perform admin tasks such as deleting data or reading sensitive information about every user, for instance their email addresses.
Examples of Broken Access Control Attacks
Attackers use different techniques to exploit applications vulnerable to Broken Access Control. The following are examples of how users can access protected data without appropriate permissions:
- URL Manipulation: A simple way to attack a vulnerable website is to change URL parameters to reach pages and data the user is not authorized for. For example, if the URL for viewing the current user's shopping cart on an e-commerce site carries the user's ID in a query parameter, an attacker can change that ID and view another user's cart.
- Exploiting Endpoints: An endpoint here means a URL on a website that users do not normally open directly in the browser. Instead, it receives a request with a payload when a user submits an HTML form, or when the site's frontend code calls the backend. Because such an endpoint is not visible in the navigation, developers sometimes protect only the page that calls it and not the endpoint itself. An attacker can send their own HTTP requests to it with tools such as curl or an intercepting proxy and read or write data that the endpoint does not adequately protect.
- Elevating User Privilege: Here the attacker already has a normal user account but manipulates the access tokens or cookies that carry their permissions, for example by editing a role claim in a token or a cookie value such as role=user. If the server trusts those values without verifying them, the attacker can turn a normal account into an admin account and reach admin features.
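The privilege-elevation case above, as an added example that is not part of the original article: a minimal HS256-signed JWT carrying a role claim, the two things an attacker does to it (rewrite the claim and keep the old signature, or present an unsigned alg=none token), and the difference between a server that decodes the payload without checking the signature and one that verifies it first. The signing key and the claims are constructed for the example; a real service would also check the exp, iss and aud claims, normally through a maintained JWT library rather than hand-rolled parsing.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example; a real signing key is loaded from configuration, never hard-coded.
SECRET = b"example-signing-key-do-not-reuse"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = SECRET) -> str:
    """Server side: create an HS256-signed JWT carrying the user's role."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(signature)}"


def tamper_role(token: str, new_role: str) -> str:
    """Attacker side: rewrite the role claim and keep the original signature."""
    header, payload, signature = token.split(".")
    claims = json.loads(b64url_decode(payload))
    claims["role"] = new_role
    forged_payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{forged_payload}.{signature}"


def forge_alg_none(claims: dict) -> str:
    """Attacker side: an unsigned token with alg=none, accepted by parsers that honour it."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def role_unverified(token: str) -> str:
    """VULNERABLE: decodes the payload and trusts it without checking the signature."""
    _, payload, _ = token.split(".")
    return json.loads(b64url_decode(payload))["role"]


def role_verified(token: str, key: bytes = SECRET):
    """HARDENED: returns the role only for an HS256 token whose signature checks out
    under our key; returns None (deny) for anything else."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, signature = parts
    try:
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # rejects alg=none and algorithm substitution
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(signature)):
            return None
        return json.loads(b64url_decode(payload)).get("role")
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    legit = issue_token({"sub": "alice", "role": "user"})
    forged = tamper_role(legit, "admin")
    unsigned = forge_alg_none({"sub": "alice", "role": "admin"})
    print("unverified server sees:", role_unverified(forged), role_unverified(unsigned))  # admin admin
    print("verified server sees:", role_verified(forged), role_verified(unsigned), role_verified(legit))  # None None user
```

The point of the hardened function is that it refuses first and decodes second: the algorithm is pinned, the signature is compared with a constant-time comparison before any claim is read, and every failure path returns the same deny result rather than a partially trusted role.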
Types of Broken Access Control Vulnerability
- Insecure Direct Object References (IDOR): The application exposes the identifier (ID) of an internal object, such as a database record, and uses it to look the object up without checking that the requester is allowed to access it. An attacker changes the ID in a URL parameter, form field or API request to reach objects belonging to other users.
- Violation of the Principle of Least Privilege: The principle of least privilege is a computer security concept stating that a user should be granted access only to the resources they need to do their work. Violating it gives regular users access to admin features and other resources they have no business reaching.
- Access Control Checks Bypass: Here the attacker uses an injection attack such as SQL Injection or Cross-Site Scripting (XSS) to get around an existing access control check. For example, SQL injected into the query that looks up a user's records can remove the condition that limits results to the current user, and XSS can steal another user's session cookie so the attacker acts with that user's permissions.
How to Prevent Broken Access Control Vulnerability
There are many steps you can take to prevent unauthorized access to protected data and features on your website. Combining as many of them as possible reduces the risk considerably. The following are some steps you can take to prevent Broken Access Control vulnerabilities:
- Never trust user input such as HTML form fields and URL query parameters to decide what a user is allowed to see. In the shopping cart example above, take the user ID from the authenticated session on the server instead of from the URL, or, where an object ID must appear in the URL, verify on the server that the object belongs to the signed-in user. Also verify JWT access tokens on the server: check the signature, expiry, issuer and audience before trusting any claim, because the client can rewrite anything it holds.
- Deny access by default and grant it only after an explicit check succeeds, giving each user only what they need (Principle of Least Privilege).
- Prevent code injection on your website and backend by setting up defenses against attacks such as SQL injection and XSS, for example parameterized queries and output encoding.
- Overall, implement access control checks on the server side in one consistent place, and test your code for missing checks at every stage of development.
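The shopping cart example carried through the steps above, as an added example that is not part of the original article. It uses an in-memory SQLite database with constructed sample data and a hypothetical `Request` object standing in for what a web framework hands to a handler. The vulnerable handler takes `?user_id=` from the URL and concatenates it into SQL, so it is open to both IDOR and SQL injection; the hardened handlers take identity from the session, parameterize the query, scope ID lookups to the caller, look the role up from the server's own records rather than a client-editable cookie, and deny anything not explicitly allowed.

```python
import sqlite3
from dataclasses import dataclass, field
from typing import Optional


class Forbidden(Exception):
    """Raised when a check fails; the web layer would turn this into a 403 response."""


@dataclass
class Request:
    # Set by the session middleware after validating the session cookie; None if not logged in.
    session_user_id: Optional[int]
    # Parsed query string: entirely attacker-controlled.
    query: dict = field(default_factory=dict)


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two regular users with one cart each, plus one admin."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT);
        CREATE TABLE carts (id INTEGER PRIMARY KEY, user_id INTEGER, items TEXT);
        INSERT INTO users VALUES (1, 'alice', 'user'), (2, 'bob', 'user'), (3, 'carol', 'admin');
        INSERT INTO carts VALUES (10, 1, 'laptop'), (11, 2, 'headphones');
        """
    )
    return conn


# --- VULNERABLE: GET /cart?user_id=1 ---------------------------------------
def get_cart_vulnerable(conn: sqlite3.Connection, req: Request) -> Optional[str]:
    """Trusts the user ID from the URL (IDOR) and concatenates it into SQL (injection)."""
    user_id = req.query.get("user_id", "")
    row = conn.execute(f"SELECT items FROM carts WHERE user_id = {user_id}").fetchone()
    return row[0] if row else None


# --- HARDENED ---------------------------------------------------------------
def current_user_id(req: Request) -> int:
    """Deny by default: no authenticated session means no access at all."""
    if req.session_user_id is None:
        raise Forbidden("authentication required")
    return req.session_user_id


def get_cart_hardened(conn: sqlite3.Connection, req: Request) -> Optional[str]:
    """GET /cart: the owner is whoever the session says, never a URL parameter,
    and the query is parameterized so the value cannot change its structure."""
    uid = current_user_id(req)
    row = conn.execute("SELECT items FROM carts WHERE user_id = ?", (uid,)).fetchone()
    return row[0] if row else None


def get_cart_by_id_hardened(conn: sqlite3.Connection, req: Request, cart_id: int) -> Optional[str]:
    """GET /carts/<id>: when an object ID must appear in the URL, the lookup itself is
    scoped to the caller, so another user's cart is simply not found (a 404 rather than
    a 403, which avoids confirming that the ID exists)."""
    uid = current_user_id(req)
    row = conn.execute(
        "SELECT items FROM carts WHERE id = ? AND user_id = ?", (cart_id, uid)
    ).fetchone()
    return row[0] if row else None


def require_role(conn: sqlite3.Connection, req: Request, role: str) -> None:
    """The role is read from the server's own records (or a verified token),
    never from a cookie or token value the client can edit."""
    uid = current_user_id(req)
    row = conn.execute("SELECT role FROM users WHERE id = ?", (uid,)).fetchone()
    if row is None or row[0] != role:
        raise Forbidden(f"role {role!r} required")


def list_users_admin(conn: sqlite3.Connection, req: Request) -> list:
    """GET /admin/users: explicit role check before any admin-only data is read."""
    require_role(conn, req, "admin")
    return [name for (name,) in conn.execute("SELECT name FROM users ORDER BY id")]


if __name__ == "__main__":
    conn = build_db()
    bob = Request(session_user_id=2, query={"user_id": "1"})
    print("vulnerable, bob asks for alice's cart:", get_cart_vulnerable(conn, bob))  # laptop
    print("vulnerable, injected parameter:", get_cart_vulnerable(conn, Request(2, {"user_id": "0 OR 1=1"})))  # laptop
    print("hardened, bob gets only his own cart:", get_cart_hardened(conn, bob))  # headphones
    print("hardened, bob asks for cart 10 by id:", get_cart_by_id_hardened(conn, bob, 10))  # None
```

Note that the hardened cart-by-ID lookup does not fetch the cart and then compare owners in application code; the ownership condition is part of the query, so there is no window in which a foreign object is loaded and a forgotten `if` could leak it.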
Broken Access Control is a serious security vulnerability and it is important to consider it throughout the development and testing processes in your application.
You can reduce the possibility of this vulnerability in your application by setting up a more secure user authentication and access management system. Authgear provides a secure authentication-as-a-service solution that makes it easier to add user authentication to websites and mobile applications. You can learn more about Authgear and try it for free here.