yellow pencil on gray wooden surface
Wed Mar 08

How to Prevent Broken Access Control?

Broken access control has now become the most critical OWASP vulnerability, moving up from its previous fifth position. With 94% of web applications affected by this vulnerability, it has become a top concern for organizations. So, what is broken access control vulnerability?

What is Broken Access Control?

Before defining what broken access control really is, let’s talk about the access control first. Access control refers to the process of determining which users, applications, or systems will have access to different resources and restrict access to everyone outside the intended groups. Failure to do this may lead to severe consequences, including information disclosure, data modification, or destruction, or operations outside the user’s scope. This vulnerability is known as broken access control, and it can lead to disastrous outcomes for organizations if left unaddressed.

Example of Broken Access Control

Take an example of an e-commerce website. There is a common practice for limiting the unauthenticated (guest) account access in a web application. Users or the authenticated ones have more access to the functionality and features of the application, such as buying and selling goods, doing transactions and many more in comparison to guests.

Broken access control happens when guests are able to obtain information from the authenticated users or even worse from the admin account which is supposedly only accessible by the owner. In some cases, the authenticated user may have access to the information belonging to another user due to misconfiguration. Guests and or users shouldn’t also be able to access the admin only page.

Access control issues

There are some specific access control issues.

Violation of the least privilege

There is a concept known as PoLP (Principle of Least Privilege) where the users and the processes are only given the necessary permission for the information and resources for legitimate purposes.

This concept is essential and known to be advantageous for the reasons of system stability and security. When this principle is violated due to various reasons, it can result in significant security flaws, widening the attack surface for potential attackers. Therefore, it is crucial to implement proper access control measures.

API tampering

Access control checks are essential to ensure the resources are accessible for authorized users only. The attacker may try to modify the API requests that are being sent by the frontend to the server. If not properly configured, the attacker may obtain internal information data and servers that are not supposed to be accessible by the public.

IDOR (Insecure Direct Object Reference)

Despite its intimidating name, IDOR is simple, yet tons of web applications have this vulnerability and have very serious consequences. IDOR occurs when an application exposes references to the internal object to the users. In this case, the malicious actor may also be able to view or arbitrarily edit someone else’s account information.

Privilege escalation

This is mainly the case in a computer or server, network and application, when the user (or attacker) is gaining elevated privileges that he/she originally have. In a Linux machine, the attacker will target the root account to access sensitive information or simply do malicious activities.

In this case, the attacker is trying to do vertical privilege escalation, in order to gain administrative access to the machine. Alternatively, the attacker may also try to gain access to another machine within the same network who has the same level privilege he/she currently is, known as horizontal privilege escalation.

Metadata manipulation

An attacker can target authorization features like sessions, tokens, or cookies without having to steal the actual user login credentials. Manipulating these features using known techniques such as replay attacks, session hijacking (also known as sidejacking), golden ticket attacks, and JWT attacks can grant unauthorized access to web applications that rely on these defense mechanisms. It’s important to be aware of these vulnerabilities and take appropriate measures to protect against them.

Broken Access Control Prevention

Implementing effective access control is crucial to prevent potential security risks in the future.

Deny by default

Access to a system, application, network, and resources should be denied by default and only be granted if explicitly defined. This ensures that only authorized users have access to resources.

For example, a firewall can be set to deny all incoming and outgoing traffic and allows only essential ports by defining it explicitly. Thus reducing the attack surface significantly and making it harder for attackers to penetrate into the system.

Enforce resource ownership

The available resources should be assigned with the specific ownership who is responsible for controlling and managing the resource. This is essential for maintaining data confidentiality, integrity, and availability. Enforcing ownership helps organizations to track who has access to those resources and at the same time, ensuring access to authorized individuals only.

Disable web directory listing

While configuring the web server, avoid displaying or exposing the contents of a directory to the public. Directory listing could potentially reveal sensitive information about the website’s structure and content. Even the slightest information such as the operating system being used can give the idea to the attacker of how the attack should be conducted.

API rate limit

It is also essential to limit the number of requests made by the API within a certain period of time. Without limiting the API rate, automated tools can be executed in a large quantity at a time, causing server instability which is common in DDOS and brute-force attacks. Rate limiting is effective in preventing brute-force attacks, which involve an attacker attempting to guess passwords through a trial-and-error process until they are successful cracking the password.

Invalidate stateful identifiers

Any stateful identifiers like sessions need to be invalidated once the session between server and client has ended. If not, the attacker might be able to steal this and therefore be able to reopen the existing session to communicate with the server.

Make stateless authorization short-lived

Using short-lived tokens can significantly reduce the time period during which an attacker can exploit a vulnerability. By limiting the validity period of tokens, even if an attacker manages to obtain one, they will have a limited window of opportunity to use it. This approach can help to minimize the impact of a security breach and reduce the risk of sensitive data being compromised.

While handling the self-encoded tokens that require refresh token, it is also important to block any refresh token requests from the client as well. Just like a session, the application’s refresh token needs to be invalidated along with the access token. When the refresh token is revoked, any attempts by the application to refresh the access token will be denied, effectively preventing the retrieval of a new access token

Conclusion

Broken access control seems like a trivial issue to begin with but the impact can be disastrous. Although it may appear insignificant at first, a vulnerability in access control can lead to severe consequences, such as unauthorized access to sensitive information, data breaches, and even financial losses for both individuals and organizations. Therefore, it’s crucial to address and mitigate this issue as soon as it’s discovered.

You might like

Meilisearch vs Elasticsearch: Which One Should You Choose?

Trying to decide between Meilisearch vs Elasticsearch? This comprehensive comparison will help you choose the best search engine for your website or application. Learn about the features, performance, ease of use, and more of Meilisearch and Elasticsearch. Make an informed decision and boost your search results today.
What is /dev/null in Linux?

Discover the purpose and functionality of /dev/null in Linux. Learn how to discard unwanted data, silence output, and efficiently manage system resources. Explore the null device in the Linux file system.