Learn about the impact and prevention of broken access control vulnerabilities. Prevent unauthorized access and privilege escalation with effective access control mechanisms.
This is a description of the OWASP Top Ten 2017 A5:2017-Broken Access Control vulnerability. It discusses the threat agents, attack vectors, security weaknesses, impacts, and the vulnerability detection and prevention methods.
Access control enforces the policy that users can act only within their intended permissions. When it fails, the result is unauthorized access to data or functions, information disclosure, and privilege escalation: attackers acting as other users or as administrators, or ordinary users reaching privileged functions and creating, reading, updating or deleting records they do not own. Access control weaknesses are common because automated scanners rarely find them and developers seldom cover them with functional tests, while exploiting them is a core skill of attackers. Access control is only effective when it is enforced in trusted server-side code or serverless APIs, where the attacker cannot modify the check or the metadata it relies on. Other preventive measures include enforcing record ownership, minimizing CORS usage, and writing access control unit and integration tests.
To prevent broken access control vulnerabilities, the following steps can be taken:
1. Deny by default; only public resources are exempt.
2. Implement the access control mechanism once and re-use it consistently throughout the application, and minimize CORS usage so that cross-origin access does not bypass it.
3. Enforce record ownership in the access control model, rather than assuming a user may create, read, update or delete any record.
4. Enforce the application's unique business limits in the domain models.
5. Disable web server directory listing and ensure file metadata (for example .git) and backup files are not present within web roots.
6. Log access control failures and alert administrators when appropriate, for example on repeated failures.
7. Rate limit API and controller access to minimize the harm from automated attack tooling.
8. Invalidate JWT tokens on the server after logout; a token that is only discarded on the client remains valid until it expires.
9. Have developers and QA staff include functional access control unit and integration tests.
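Item 8 above is easy to state and easy to get wrong, because a signed JWT is valid until its exp claim regardless of what the client does. The block below is an added example, not code from the OWASP page or from any particular library: a minimal HS256 issuer and verifier using only the Python standard library, with a server-side revocation list keyed on the token's jti. The SECRET value, the in-memory REVOKED dictionary and the function names are this example's own assumptions; in production the store would be shared across instances (for example Redis) and the secret would come from a vault.

```python
"""Server-side JWT invalidation at logout (added example, stdlib only)."""
import base64
import hashlib
import hmac
import json
import time
import uuid

SECRET = b"example-only-secret-rotate-me"   # constructed for this example
REVOKED = {}                                # jti -> exp; stands in for a shared store


def b64url_encode(data: bytes) -> str:
    """JWT segments are base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub: str, ttl: int = 900, now=None) -> str:
    """Mint a short-lived HS256 token with a unique jti so it can be revoked."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "jti": uuid.uuid4().hex, "iat": now, "exp": now + ttl}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(payload).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, now=None):
    """Return the payload if the token is well-formed, correctly signed,
    unexpired and not revoked; otherwise None. The caller cannot tell
    which check failed, which is deliberate."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None                      # refuse alg=none and alg confusion
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        payload = json.loads(b64url_decode(p))
    except (ValueError, TypeError, AttributeError):
        return None
    if not isinstance(payload, dict):
        return None
    if payload.get("exp", 0) <= now:
        return None
    if payload.get("jti") in REVOKED:        # the server-side logout check
        return None
    return payload


def logout(token: str, now=None) -> bool:
    """Revoke the token's jti until the token's own exp; after that the
    expiry check alone is enough and the entry can be pruned."""
    payload = verify_token(token, now)
    if payload is None:
        return False
    REVOKED[payload["jti"]] = payload["exp"]
    return True


def prune_revoked(now=None) -> int:
    """Drop revoked jtis whose tokens have expired anyway; returns the
    number of entries still held."""
    now = time.time() if now is None else now
    for jti in [j for j, exp in REVOKED.items() if exp <= now]:
        del REVOKED[jti]
    return len(REVOKED)


if __name__ == "__main__":
    tok = issue_token("alice")
    print("before logout:", verify_token(tok)["sub"])
    logout(tok)
    print("after logout:", verify_token(tok))
```

The revocation list only has to remember a jti until that token's exp, so keeping token lifetimes short bounds its size; prune_revoked shows the clean-up. A token that is never revoked server-side, by contrast, keeps working after logout for the full ttl, which is exactly the gap item 8 closes.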
Scenario #1: Unverified data in a SQL call: The application passes the 'acct' request parameter straight into the SQL query that fetches account information. An attacker simply edits 'acct' in the browser to another account number; if the server does not verify that the requested account belongs to the authenticated user, the attacker can read any user's account. A parameterized query prevents SQL injection but does nothing here: the flaw is a missing ownership check, not malformed input.
Scenario #2: Force browsing to unauthorized URLs: An attacker requests URLs that should require admin rights directly, without going through the application's navigation. If an unauthenticated user can reach them at all, or a logged-in non-admin can reach the admin page, function-level access control is not being enforced. Hiding the link in the UI is not a control; the check must run on the server for every request.
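The following block is an added example, not code from the OWASP page: a small framework-free access-control layer in Python that applies the deny-by-default, single-enforcement-point, record-ownership and failure-logging items from the prevention list to both scenarios. The route paths, the sqlite table, the sample users and accounts, and names such as dispatch, owned_account and handle are constructed for this example. It also keeps the scenario #1 query beside its hardened form so the difference is visible: the fix is one extra predicate, owner = session user, not a change to how the parameter is escaped.

```python
"""Deny-by-default dispatch with record ownership (added example)."""
import logging
import sqlite3
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

log = logging.getLogger("access_control")


class AccessDenied(Exception):
    """Raised only by deny(); handlers never decide authorization themselves."""


@dataclass
class Request:
    path: str
    user: Optional[str] = None              # identity from the session; None = anonymous
    params: dict = field(default_factory=dict)


# Constructed sample data: roles per user and an in-memory accounts table.
ROLES = {"alice": {"user"}, "bob": {"user"}, "carol": {"user", "admin"}}
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
db.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
               [("1001", "alice", 120), ("1002", "bob", 55)])

ROUTES = {}                                 # path -> (handler, public, required_role)
FAILURES = defaultdict(int)                 # principal -> denied-request count
ALERT_THRESHOLD = 3                         # "alert on repeated failures"


def route(path, *, public=False, role=None):
    """Register a handler; any path not registered here is denied by default."""
    def wrap(fn):
        ROUTES[path] = (fn, public, role)
        return fn
    return wrap


def deny(req, reason):
    """Single place that records, logs and raises every access-control failure."""
    principal = req.user or "anonymous"
    FAILURES[principal] += 1
    log.warning("access denied principal=%s path=%s reason=%s", principal, req.path, reason)
    if FAILURES[principal] >= ALERT_THRESHOLD:
        log.error("repeated access-control failures principal=%s count=%d",
                  principal, FAILURES[principal])
    raise AccessDenied(reason)


def dispatch(req):
    """The one enforcement point for route-level (function-level) access control."""
    entry = ROUTES.get(req.path)
    if entry is None:
        deny(req, "unknown route")           # scenario #2: nothing is reachable by accident
    handler, public, role = entry
    if not public:
        if req.user is None:
            deny(req, "unauthenticated")
        if role is not None and role not in ROLES.get(req.user, set()):
            deny(req, f"missing role {role}")
    return handler(req)


def vulnerable_account_lookup(acct_id):
    """Scenario #1 as written: parameterized, so no SQL injection, but the
    query trusts the 'acct' parameter alone and returns anyone's record."""
    return db.execute("SELECT owner, balance FROM accounts WHERE id = ?", (acct_id,)).fetchone()


def owned_account(req, acct_id):
    """Hardened form: ownership is part of the query, and the owner comes from
    the session, never from a request parameter."""
    row = db.execute("SELECT balance FROM accounts WHERE id = ? AND owner = ?",
                     (acct_id, req.user)).fetchone()
    if row is None:
        deny(req, "not record owner")        # same answer for missing and foreign records
    return row[0]


@route("/app/accountInfo")
def account_info(req):
    acct_id = req.params.get("acct", "")
    return {"acct": acct_id, "balance": owned_account(req, acct_id)}


@route("/app/admin/appInfo", role="admin")   # hypothetical admin-only path
def admin_app_info(req):
    return {"accounts": db.execute("SELECT COUNT(*) FROM accounts").fetchone()[0]}


@route("/app/status", public=True)
def status(req):
    return {"ok": True}


def handle(req):
    """HTTP-style wrapper: every denial becomes a uniform 403 without detail."""
    try:
        return 200, dispatch(req)
    except AccessDenied:
        return 403, {"error": "forbidden"}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(handle(Request("/app/accountInfo", "alice", {"acct": "1001"})))
    print(handle(Request("/app/accountInfo", "bob", {"acct": "1001"})))   # scenario #1
    print(handle(Request("/app/admin/appInfo", "alice")))                 # scenario #2
```

Because every route must be registered and every denial goes through deny(), the access control unit tests from item 9 reduce to a table of (request, expected status) pairs: bob asking for acct 1001, an anonymous or non-admin request to the admin path, and an unregistered path must all yield 403, and the FAILURES counter must grow with each one.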