Broken Access Control (OWASP Top 10)

Broken access control is the scenario in which a website visitor is able to reach web pages, functions or resources that they are not authorized to access.

Broken access control in a website can lead to sensitive information leaking to the wrong users, to other users' data being modified or deleted, and to functionality being used in ways the application never intended (for example a normal user calling an admin-only action).

NOTE: Access control is not the same as authentication. Authentication establishes who the user is; access control (authorization) decides what that user is then allowed to do. A site can authenticate every visitor perfectly and still have broken access control.

https://www.youtube.com/watch?v=P38at6Tp8Ms

What the video is saying is basically this: if a web app has a resource such as an account page called "account_info", and an attacker can change the query parameter to some other account's id (even a randomly guessed one) and gets that account's page back, that is BROKEN ACCESS CONTROL.

IDOR, or Insecure Direct Object Reference, is what happens when an application exposes a direct reference to an internal object (a database key, an account number, a filename) in a request parameter and does not verify that the requesting user is allowed to access the object it points to. An attacker simply swaps in another value to reach resources they would not ordinarily be able to access. IDOR is a type of access control vulnerability.

For example, let's say we log into our bank account, and after authenticating correctly we are taken to a URL like https://example.com/bank?account_number=1234. That page shows all of our important bank details; a normal user does whatever they need to do and moves on, thinking nothing is wrong.

There is, however, a potentially huge problem here: an attacker may change the account_number parameter to something else, such as 1235, and if the server does not verify that the logged-in user actually owns account 1235, they get access to someone else's bank information. Note that the attacker is still authenticated as themselves; the failure is that the server trusts the identifier in the request instead of checking it against the session.

How to prevent Broken Access Control

Access control is only effective if it is enforced in trusted server-side code or a serverless API, where the attacker cannot modify the access control check or its metadata. Any check performed in the browser (JavaScript, hidden form fields, client-set cookies) can be bypassed by editing the request.

  • Deny access to functionality by default; grant it explicitly to the users or roles that need it.
  • Use access control lists and role-based access control (RBAC) on the server, keyed on the authenticated session, rather than trusting identifiers supplied in the request.
  • Do not just hide functions: removing a link or button from the UI is not access control, because the URL or API call still works for anyone who knows or guesses it. Every request must be checked on the server.
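To make the bank example and the prevention rules concrete, here is an added illustration (not code from the original note or from any real bank) of the vulnerable account handler beside a hardened one. The account data, usernames, the "support_agent" role and the function names are all assumptions constructed for the example; the point is that the hardened version decides based on the server-side session, denies by default, and never trusts account_number on its own.

```python
# Added example: an IDOR-vulnerable handler for GET /bank?account_number=...
# beside a hardened version. All data, names and roles below are constructed
# for illustration; nothing here comes from the original note or a real system.
from dataclasses import dataclass, field

# Constructed sample data: account_number -> owner and balance.
ACCOUNTS = {
    "1234": {"owner": "alice", "balance": 5200.00},
    "1235": {"owner": "bob", "balance": 87.50},
}


@dataclass
class Session:
    """What the server knows about the caller after authentication.

    The client cannot edit this; it is the only trustworthy input to an
    access control decision.
    """
    username: str
    roles: frozenset = field(default_factory=frozenset)


class Forbidden(Exception):
    """Access check failed; a web framework would turn this into HTTP 403."""


def get_account_vulnerable(session: Session, account_number: str) -> dict:
    """Authenticated, but no authorization check at all.

    The handler trusts the account_number parameter completely, so alice
    changing 1234 to 1235 in the URL gets bob's record: the IDOR from the
    bank example. (session is accepted but never consulted.)
    """
    record = ACCOUNTS.get(account_number)
    if record is None:
        raise KeyError(account_number)
    return record


# Hypothetical RBAC policy (an assumption for this example): roles that may
# read accounts they do not own, e.g. a support desk.
ROLES_MAY_READ_ANY_ACCOUNT = frozenset({"support_agent"})


def get_account(session: Session, account_number: str) -> dict:
    """Same endpoint with access control enforced on the server.

    Deny by default: the only ways to reach the return statement are to own
    the account or to hold a role the policy explicitly grants. The decision
    uses session.username, not anything the client sent.
    """
    record = ACCOUNTS.get(account_number)
    if record is None:
        # Design choice: answer exactly as for a forbidden account so an
        # attacker cannot tell "does not exist" from "not yours" and use the
        # difference to enumerate valid account numbers.
        raise Forbidden(account_number)

    is_owner = record["owner"] == session.username
    has_privileged_role = bool(session.roles & ROLES_MAY_READ_ANY_ACCOUNT)
    if not (is_owner or has_privileged_role):
        raise Forbidden(account_number)
    return record


def attempt(handler, session: Session, account_number: str):
    """Run a handler the way the server would and report (status, body)."""
    try:
        return ("200", handler(session, account_number))
    except (Forbidden, KeyError):
        return ("403", None)


if __name__ == "__main__":
    alice = Session("alice")
    support = Session("carol", frozenset({"support_agent"}))
    # alice tampers with the parameter and asks for bob's account (1235)
    print("vulnerable:", attempt(get_account_vulnerable, alice, "1235"))
    print("hardened:  ", attempt(get_account, alice, "1235"))
    print("own acct:  ", attempt(get_account, alice, "1234"))
    print("support:   ", attempt(get_account, support, "1235"))
```

Running the script shows the vulnerable handler returning bob's balance to alice, while the hardened one returns 403 for the same request, still serves alice her own account, and lets the support role read any account because the policy says so rather than because the UI happened to show a link. That last point is the "do not just hide functions" rule in code form: the decision lives in the handler, so it is made on every request regardless of what the client displays.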