Learnitweb

A01: 2021 – Broken Access Control

1. What is access control?

Access control is a security mechanism that regulates and restricts who or what can view, access, or modify resources in a system or application. Its primary purpose is to ensure that only authorized users or entities have access to specific resources, while unauthorized access is prevented. Access control is a foundational aspect of cybersecurity and plays a critical role in protecting sensitive data and systems.

After the server verifies your identity through a login or authentication process, it determines the level of access you are granted. This involves assigning or restricting your ability to use specific functions and resources within the system.

Such access control is often implemented using a roles-based mechanism, where permissions are associated with predefined roles. For example, a user with an “Admin” role may have full access, while a “Guest” role may have limited access. This approach simplifies managing permissions and ensures users have access appropriate to their roles.

Another way to manage access is using OAuth and JWT.

Elements of access control:

  • Authentication identifies the user and confirms that they are who they say they are.
  • Session Management identifies which subsequent HTTP requests are being made by the same user.
  • Access control determines whether the user is allowed to carry out the action that they are attempting to perform.

2. Different types of access controls

  • Vertical access controls: Vertical access control are mechanisms that restrict access to sensitive functionality that is not available to other types of users. For example, an administrator might be able to modify or delete any user’s account while an ordinary user has no access to these actions.
  • Horizontal access controls: Horizontal access controls are mechanisms that restrict access to resources to the users who are specifically allowed to access those resources. Horizontal access controls ensure that users can access only a specific subset of resources within the same category.
    For instance, in a banking application, a user is allowed to view transactions and perform actions such as making payments for their own accounts, but they are restricted from accessing or interacting with accounts belonging to other users.
  • Context-dependent access controls: Context-dependent access controls restrict access to functionality and resources based upon the state of the application or the user’s interaction with it. Context-dependent access controls restrict users from performing actions outside of the intended sequence. For example, a retail website may disallow users from altering the contents of their shopping cart once the payment process has been completed.

Access control is deeply integrated with the system architecture, making it a critical component of overall security design.

Managing access becomes increasingly complex as users often belong to multiple roles, necessitating careful planning and oversight. Consequently, building access control mechanisms from scratch is usually discouraged. Instead, proven and reliable solutions, such as OSS 2.0, are widely adopted in platforms like STACK to ensure secure and efficient access management.

2. What is Broken access control?

Broken Access Control is a security vulnerability that occurs when a system fails to properly enforce restrictions on what authenticated users or entities are allowed to do. This weakness allows attackers to bypass access restrictions, potentially gaining unauthorized access to sensitive resources, data, or functionality.

Broken Access Control refers to a collection of known vulnerabilities that pose significant risks to a system’s access control mechanisms.

Although many of these vulnerabilities are straightforward to exploit if overlooked, they are typically easy to address with proper attention. This is particularly critical because breaches in access control can lead to severe and potentially devastating consequences for the system and its users.

The technical impact of broken access control includes attackers impersonating regular users or administrators, exploiting privileged functions, or performing unauthorized operations such as creating, accessing, updating, or deleting records.

Once attackers gain access, they can manipulate data and systems to suit their objectives. The specific impact is difficult to quantify as it depends on the level of access obtained and which parts of the system are compromised, leading to varying degrees of severity.

Broken access control vulnerabilities are diverse and influenced by the technology stack and software architecture of the application, making it crucial to tailor security measures to the specific environment.

2. Common access control vulnerabilities

Common access control vulnerabilities include:

  • Violation of the principle of least privilege or deny by default, where access should only be granted for particular capabilities, roles, or users, but is available to anyone.
  • Bypassing access control checks by modifying the URL (parameter tampering or force browsing), internal application state, or the HTML page, or by using an attack tool modifying API requests.
  • Permitting viewing or editing someone else’s account, by providing its unique identifier (insecure direct object references)
  • Accessing API with missing access controls for POST, PUT and DELETE.
  • Elevation of privilege. Acting as a user without being logged in or acting as an admin when logged in as a user.
  • Metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) access control token, or a cookie or hidden field manipulated to elevate privileges or abusing JWT invalidation.
  • CORS misconfiguration allows API access from unauthorized/untrusted origins.
  • Force browsing to authenticated pages as an unauthenticated user or to privileged pages as a standard user.

3. How to Prevent?

  • Access control is only effective in trusted server-side code or server-less API, where the attacker cannot modify the access control check or metadata.
  • Except for public resources, deny by default.
  • Implement access control mechanisms once and re-use them throughout the application, including minimizing Cross-Origin Resource Sharing (CORS) usage.
  • Model access controls should enforce record ownership rather than accepting that the user can create, read, update, or delete any record.
  • Unique application business limit requirements should be enforced by domain models.
  • Disable web server directory listing and ensure file metadata (e.g., .git) and backup files are not present within web roots.
  • Log access control failures, alert admins when appropriate (e.g., repeated failures).
  • Rate limit API and controller access to minimize the harm from automated attack tooling.
  • Stateful session identifiers should be invalidated on the server after logout. Stateless JWT tokens should rather be short-lived so that the window of opportunity for an attacker is minimized. For longer lived JWTs it’s highly recommended to follow the OAuth standards to revoke access.
  • Developers and QA staff should include functional access control unit and integration tests.

4. Example Attack Scenarios

Scenario #1: The application uses unverified data in a SQL call that is accessing account information:

 pstmt.setString(1, request.getParameter("acct"));
 ResultSet results = pstmt.executeQuery( );

An attacker simply modifies the browser’s ‘acct’ parameter to send whatever account number they want. If not correctly verified, the attacker can access any user’s account.

https://example.com/app/accountInfo?acct=nomyacct

Scenario #2: An attacker simply forces browses to target URLs. Admin rights are required for access to the admin page.

 https://example.com/app/getappInfo
 https://example.com/app/admin_getappInfo

If an unauthenticated user can access either page, it’s a flaw. If a non-admin can access the admin page, this is a flaw.