Broken Access Control

No. 1 in the list of OWASP Top 10 (2021)

A broken access control vulnerability is a type of security flaw that allows an unauthorized user to reach restricted resources.

Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits.

  • Most of the time, web users are expected to reach content by clicking the links the website presents to them.

  • They can only navigate through the pages of the website that are shown to them.

  • In the worst case, if URLs that are intended only for the site's developers are predictable, a user can write a script that periodically checks potential URLs to see whether new information is available.

Let us take the example of a website that serves files at paths such as httpx://example.com/uploads/2015-Q1.pdf. Assume this file is a document, say the company's Quarter 1 financial report, which is intended to be shared only with specific people or stakeholders of the company.

If an attacker somehow learns the path of the above file, they can simply change the path to 2015-Q2.pdf and download the financial report for quarter 2.

Unintended files are thus exposed to an external entity, which can have a huge impact on the business. The threat of compromised access control is a valid concern, so let us discuss ways to mitigate the issue.
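The flaw in the report example above is that knowing a URL is treated as permission to read it. The block below is an added example, not code from the original page: a download handler that only checks whether the file exists, next to a hardened version that checks the authenticated user's entitlement to that specific object at request time. The store (QUARTERLY_REPORTS), the user names and the function names are constructed for illustration.

```python
"""Added example (not from the original page): the predictable-path download flaw
shown as a vulnerable handler beside a hardened one.

QUARTERLY_REPORTS, the user names and the function names are constructed for
illustration; they do not come from the page or from any real application.
"""

# Constructed sample store keyed like the page's example paths
# (/uploads/2015-Q1.pdf, /uploads/2015-Q2.pdf), with per-object entitlements.
QUARTERLY_REPORTS = {
    "2015-Q1.pdf": {"content": b"Q1 financial report", "allowed_users": {"cfo", "auditor"}},
    "2015-Q2.pdf": {"content": b"Q2 financial report", "allowed_users": {"cfo"}},
}


class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested object."""


def download_report_vulnerable(user: str, filename: str) -> bytes:
    """Vulnerable: the only check is whether the file exists.

    The authenticated user is never consulted, so anyone who guesses the next
    name in the sequence (2015-Q1 -> 2015-Q2) receives the document.
    """
    if filename not in QUARTERLY_REPORTS:
        raise FileNotFoundError(filename)
    return QUARTERLY_REPORTS[filename]["content"]


def download_report(user: str, filename: str) -> bytes:
    """Hardened: authorization is evaluated per object, for the authenticated
    user, at the moment of the request (the page's 'permission checking').

    Deny by default: an unknown filename and a missing entitlement produce the
    same Forbidden error, so the response does not reveal which files exist.
    """
    report = QUARTERLY_REPORTS.get(filename)
    if report is None or user not in report["allowed_users"]:
        raise Forbidden(f"{user} may not read {filename}")
    return report["content"]


def probe(handler, user: str, filename: str) -> str:
    """Classify a handler call as 'ok', 'forbidden' or 'missing' (used for tests)."""
    try:
        handler(user, filename)
        return "ok"
    except Forbidden:
        return "forbidden"
    except FileNotFoundError:
        return "missing"


if __name__ == "__main__":
    # The auditor is entitled to Q1 only; the vulnerable handler hands over Q2 anyway.
    print("vulnerable, auditor, Q2:", probe(download_report_vulnerable, "auditor", "2015-Q2.pdf"))
    print("hardened,   auditor, Q2:", probe(download_report, "auditor", "2015-Q2.pdf"))
```

The hardened handler deliberately answers "forbidden" for both a file the user may not read and a file that does not exist; returning a distinct "not found" would let a caller confirm which report names are valid before they are ever published.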

Mitigation

Correctly applied access control rules are key to keeping your data secure. Almost all applications need to protect sensitive data and operations, so putting careful thought into how to restrict access is important when designing a system.

Depending on the sensitivity of the data that your application handles, the repercussions of broken access control can be very severe. Data leaks can cause reputational damage, cost your business financial penalties, make your customers vulnerable to fraud, and even endanger national security (if you work for a government agency). Below is a list of security measures that must be practised in order to protect against this vulnerability.

Authentication - correctly identifying a user when they return to the application.

Authorization - deciding what actions a user should and should not be able to perform once they have been authenticated.

For example, normal users are separated from admin users; they should not be able to access or perform the operations of admin users.

Permission checking - evaluating authorization at the point-in-time when a user attempts to perform an action.

A few guidelines must be followed when designing correct access control:

  • Decide what the biggest risks are to your organization, and focus on mitigating those risks.

  • Design and document your access control scheme upfront.

  • Attempt to centralize access control decisions in your codebase.

  • Test access control critically.
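The guidelines above ask for one documented scheme, one place in the code where decisions are made, and tests that exercise the negative cases. The block below is an added example, not code from the original page or from any library it lists: a single permission check applied with a Python decorator, a role-to-permission table that grants nothing implicitly, and a routine that runs every role against every protected operation. Principal, ROLE_PERMISSIONS, requires_permission and the sample operations are constructed for illustration.

```python
"""Added example (not from the original page): centralized, deny-by-default
authorization applied with a decorator.

Principal, ROLE_PERMISSIONS, requires_permission, view_dashboard and
delete_user are constructed names for illustration only.
"""
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Dict, FrozenSet, Tuple


class AccessDenied(Exception):
    """Raised when the caller lacks the permission an operation requires."""


@dataclass(frozen=True)
class Principal:
    """The authenticated identity; authentication has already happened and this
    object carries its result into authorization."""
    username: str
    roles: FrozenSet[str]


# The access control scheme, documented in one place (constructed sample).
# Permissions derive from roles; a role not listed here grants nothing.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "user": frozenset({"dashboard:view"}),
    "admin": frozenset({"dashboard:view", "user:delete"}),
}


def permissions_for(principal: Principal) -> FrozenSet[str]:
    """Union of the permissions of all the principal's roles (unknown roles add none)."""
    granted: set = set()
    for role in principal.roles:
        granted |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(granted)


def has_permission(principal: Principal, permission: str) -> bool:
    return permission in permissions_for(principal)


def requires_permission(permission: str) -> Callable:
    """Decorator: evaluate authorization at call time, before the business
    function runs. Every protected operation passes through this one function,
    so a policy change or fix is made once rather than in each handler.
    The wrapped function must take the principal as its first argument.
    """
    def decorator(func: Callable) -> Callable:
        @wraps(func)
        def wrapper(principal: Principal, *args, **kwargs):
            if not has_permission(principal, permission):
                raise AccessDenied(f"{principal.username} lacks {permission} for {func.__name__}")
            return func(principal, *args, **kwargs)
        return wrapper
    return decorator


@requires_permission("dashboard:view")
def view_dashboard(principal: Principal) -> str:
    return f"dashboard for {principal.username}"


@requires_permission("user:delete")
def delete_user(principal: Principal, target: str) -> str:
    return f"{target} deleted by {principal.username}"


def check_access_matrix() -> Dict[Tuple[str, str], str]:
    """'Test access control critically': run every sample role against every
    protected operation, including the ones that must fail, and report the
    outcome so a regression shows up as a changed cell."""
    alice = Principal("alice", frozenset({"user"}))
    bob = Principal("bob", frozenset({"admin"}))
    mallory = Principal("mallory", frozenset({"guest"}))  # role absent from the scheme
    results: Dict[Tuple[str, str], str] = {}
    for who in (alice, bob, mallory):
        for op, args in ((view_dashboard, ()), (delete_user, ("alice",))):
            try:
                op(who, *args)
                results[(who.username, op.__name__)] = "allowed"
            except AccessDenied:
                results[(who.username, op.__name__)] = "denied"
    return results


if __name__ == "__main__":
    for (user, operation), outcome in sorted(check_access_matrix().items()):
        print(f"{user:8} {operation:15} {outcome}")
```

Because the unknown "guest" role maps to no permissions, mallory is denied everywhere without any code having to mention guests; that is the deny-by-default property the guidelines call for, and the matrix is the regression test that keeps it true.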

Useful libraries in different programming languages can help mitigate these issues in an application.

Python

When evaluating whether a user should have access to a given resource, decorators provide a very useful syntax. They can be used to check permissions before a function is called, and can be added to the code in an unobtrusive, declarative manner.

Ruby / Rails

The devise gem is a very comprehensive authentication solution that allows you to pick and choose the features you want. It offers helper methods to perform access control decisions in controllers, in routing logic, or within template files, with the minimum of fuss.

Java

Java Authentication and Authorization Service (JAAS) is the industry standard for access control in Java. Permissions can be described dynamically or declaratively, and evaluated against URL paths or in code. JAAS is comprehensive, though relatively heavyweight. You may also want to evaluate the Apache Shiro project and Spring Security.

.NET

ASP.NET comes with a comprehensive authorization and authentication framework that can be used to make access control decisions globally, on specific controllers, on particular functions within a controller, or at ad-hoc locations within the code.

Node

MustBe and ACL are mature libraries that focus on different aspects of access control: web server routing and the evaluation of access control rules, respectively.

Other considerations:

  • Content management system

  • LDAP

More coming up in the next pages (Directory traversal and CSRF - Cross-Site Request Forgery).

Last updated 2 years ago