What is an example of a broken access control?

An example of broken access control occurs when a web application improperly restricts access to sensitive functions or data, allowing unauthorized users to perform actions they shouldn't be able to.

What is an Example of a Broken Access Control?

A prevalent example of broken access control involves an application that secures its main administrative pages but neglects to properly protect subpages or specific actions within those sections.

Consider a scenario where an application robustly secures a primary admin dashboard, perhaps located at /admin, requiring strong authentication and authorization. However, for a critical subpage like /admin/deleteUser, the application might implement a weak access control check. Instead of verifying the user's role and permissions directly on the server side for each request to /admin/deleteUser, it might only check the Referrer HTTP header. The application would assume that if the Referrer header indicates the request came from /admin, then the user must be legitimate.

How Attackers Exploit This:

Attackers can exploit this vulnerability by falsifying or manipulating the Referrer header in their HTTP request. They can craft a request to /admin/deleteUser and manually set the Referrer header to /admin, effectively tricking the application into believing the request originated from the legitimate admin page. Since the application fails to perform a comprehensive server-side authorization check (e.g., verifying if the user truly has "delete user" privileges), it grants unauthorized access to the /admin/deleteUser functionality. This allows an attacker, who might not even be authenticated or is an authenticated low-privilege user, to delete user accounts, leading to severe security breaches.

This specific weakness demonstrates a critical flaw: relying solely on client-side or easily forgeable information for authorization decisions, rather than robust server-side validation.

Understanding Broken Access Control

Broken access control is a critical web application security vulnerability listed in the OWASP Top 10. It arises when an application fails to enforce appropriate restrictions on what authenticated users are allowed to do. This can lead to unauthorized information disclosure, data modification, or even complete system compromise.

Key Characteristics of Broken Access Control:

• Inadequate Enforcement: The application doesn't properly check user permissions for every action.
• Trusting Client-Side Data: Relying on data sent from the user's browser (like Referrer headers, hidden fields, or URL parameters) for authorization without server-side validation.
• Missing or Flawed Checks: Developers forget to implement access control checks, or the checks they implement are easily bypassed.

Types of Access Control Failures

Broken access control can manifest in various ways beyond the Referrer header example:

• Vertical Privilege Escalation: A low-privilege user gains access to functions or data intended for a higher-privilege user (e.g., a regular user accessing administrator functions).
• Horizontal Privilege Escalation: A user gains access to resources belonging to another user of the same privilege level (e.g., User A accessing User B's private documents by changing an ID in the URL).
• Context-Dependent Access Control Failures: The application allows an action that is only permissible under specific conditions (e.g., editing an order after it has been shipped).
• Missing Functional Level Access Control: Specific application functions are not protected, allowing any authenticated user to access them.
• Insecure Direct Object References (IDORs): Directly referencing objects (like database records, files, or directories) using a user-supplied input without proper authorization checks.

Impact and Consequences

The impact of broken access control can range from minor data exposure to complete system takeover:

• Data Breach: Unauthorized access to sensitive user data, business secrets, or intellectual property.
• Data Manipulation/Deletion: Attackers can modify, delete, or corrupt critical information, impacting data integrity.
• Reputation Damage: Loss of customer trust and severe brand damage.
• Financial Loss: Regulatory fines, remediation costs, and lost business opportunities.
• System Takeover: In severe cases, attackers can gain full control over the application or underlying infrastructure.

Solutions and Prevention Strategies

Preventing broken access control requires a layered and systematic approach:

• Implement Robust Server-Side Authorization Checks:
  • Always validate user permissions on the server for every request to a restricted resource or function.
  • Never rely solely on client-side data (like Referrer headers, JavaScript, or hidden input fields) for access control decisions.
• Principle of Least Privilege: Grant users only the minimum necessary permissions required to perform their tasks.
• Access Control Matrix/Policies: Define clear and explicit access control policies for different roles and resources.
• Use a Centralized Access Control Mechanism: Implement a single, robust mechanism rather than scattering access control logic throughout the application. This makes it easier to manage and audit.
• Deny by Default: Design access control such that all access is denied unless explicitly granted.
• Thorough Testing:
  • Penetration testing and security audits to identify access control flaws.
  • Automated tools to detect common access control vulnerabilities.
• Log Access Control Failures: Monitor and log all attempts at unauthorized access to detect and respond to attacks.
• Session Management: Secure session management ensures that session tokens cannot be easily hijacked or guessed.

By adopting these preventative measures, organizations can significantly reduce their exposure to broken access control vulnerabilities and enhance their overall application security posture.