
Broken Access Control - At the Top of the OWASP Top 10 List



Introduction


The "OWASP Top 10" lists the top ten most critical web application security risks, and "Broken Access Control" currently enjoys the top position in this list.


You can see the 2021 Top 10 here: https://owasp.org/www-project-top-ten/


The details of "Broken Access Control" are on this page


Quoting from the above page:

  • A01:2021-Broken Access Control moves up from the fifth position; 94% of applications were tested for some form of broken access control. The 34 Common Weakness Enumerations (CWEs) mapped to Broken Access Control had more occurrences in applications than any other category.


This is quite a striking figure - 94%!!


Also, check out MITRE's CVE search (mitre.org) for broken access control. There are quite a few entries from 2022/23.



If you use any software from the above list with the affected version, ensure you have patches installed.


So let's understand first what "Broken Access Control" means.


Broken access control is a security vulnerability that occurs when a system or application does not properly enforce restrictions on what resources a user is authorized to access. This can result in unauthorized access to sensitive data or functionality, leading to various security issues, such as data breaches, theft of intellectual property, or the compromise of user accounts.

Access control is the process of determining whether a user or entity is authorized to access a particular resource or perform a specific action. Access controls can take many forms, such as authentication (verifying a user's identity), authorization (granting or denying access to resources based on the user's identity and permissions), and auditing (tracking and monitoring user activity to detect and prevent unauthorized access).

When access controls are broken or bypassed, attackers can gain access to sensitive data or functionality that they should not have access to. For example, if an application allows users to access sensitive information or perform privileged actions without proper authentication or authorization, attackers could exploit this vulnerability to steal data, tamper with the application, or escalate their privileges to gain further access to the system.


Examples of Broken Access Control vulnerability


Broken access control can take several forms in software applications or systems. Here are some common examples:

  1. Horizontal privilege escalation: This occurs when a user is able to access resources or perform actions that should only be available to another user at the same privilege level. For example, if a regular user is able to view or modify another regular user's data without proper authorization, this would be considered a horizontal privilege escalation vulnerability.

  2. Vertical privilege escalation: This occurs when a user is able to access resources or perform actions that should only be available to a user with higher privileges, such as an administrator. For example, if a regular user is able to escalate their privileges to gain administrative access to a system, this would be considered a vertical privilege escalation vulnerability.

  3. Insecure Direct Object References: This occurs when an application fails to properly validate user input, allowing an attacker to access or modify resources they should not have access to. For example, if an application uses sequential ID numbers for resources and fails to validate user input properly, an attacker may be able to access or modify data by guessing or manipulating the ID numbers.

  4. Access Control Bypass: This occurs when an attacker is able to bypass access controls by exploiting vulnerabilities or weaknesses in the access control mechanisms themselves. For example, if an application uses predictable or easily guessable access tokens or cookies, an attacker may be able to hijack these tokens to gain unauthorized access.

  5. Failure to Restrict URL Access: This occurs when an application fails to properly restrict access to specific URLs or endpoints, allowing an attacker to reach resources or functionality that should not be publicly available. For example, if an application exposes administrative functionality through an unprotected URL, an attacker may be able to access and abuse this functionality.

These are just a few examples of broken access control vulnerabilities that can occur in software applications or systems. It's important for developers and security professionals to be aware of these vulnerabilities and take appropriate measures to mitigate the risks associated with them.



Some major cyber-attacks owing to Broken Access Control


Here are some incidents attributed directly or indirectly to this vulnerability.

  1. Capital One Data Breach: In 2019, Capital One suffered a massive data breach that exposed the personal information of over 100 million customers and applicants. The breach was caused by a broken access control vulnerability in the company's web application firewall, which allowed an attacker to gain unauthorized access to sensitive data.

  2. Yahoo Data Breaches: Yahoo suffered two major data breaches in 2013 and 2014 that exposed the personal information of all 3 billion user accounts. The breaches were caused by a combination of factors, including a broken access control vulnerability that allowed attackers to steal Yahoo's user database.

  3. Marriott International Data Breach: In 2018, Marriott International suffered a data breach that exposed the personal information of up to 500 million customers. The breach was caused by a broken access control vulnerability in the company's Starwood reservation system, which allowed an attacker to gain unauthorized access to sensitive data.

While these incidents are only a few examples, they demonstrate the serious impact broken access control vulnerabilities can have on organizations and their customers. It's important for organizations to prioritize access control and take proactive steps to identify and mitigate these vulnerabilities to prevent future incidents.


How to fix "Broken Access Control"?


Fixing broken access control vulnerabilities typically requires a multi-step process that involves identifying the vulnerability, understanding the root cause, and implementing appropriate controls to prevent future occurrences. Here are some general steps that organizations can take to fix broken access control vulnerabilities:

  1. Identify the vulnerability: The first step in fixing broken access control vulnerabilities is identifying where they exist. This can involve conducting vulnerability assessments and penetration testing to identify weaknesses in access control mechanisms.

  2. Understand the root cause: Once vulnerabilities have been identified, it's important to understand the root cause of the issue. This may involve reviewing code, architecture, and design to understand how access controls are implemented and how they can be bypassed.

  3. Implement appropriate access controls: Based on the root cause analysis, organizations can implement appropriate access controls to prevent the vulnerability from recurring. This may involve updating access control policies, implementing two-factor authentication, or enforcing the principle of least privilege.

  4. Monitor for and detect unauthorized access attempts: It's important to monitor systems for suspicious activity, such as repeated failed login attempts or unusual access patterns, and promptly investigate any potential incidents.

  5. Regularly test and assess access controls: To ensure the ongoing effectiveness of access controls, organizations should regularly test and assess their systems for vulnerabilities and update controls as necessary.

It's worth noting that fixing broken access control vulnerabilities can be a complex and time-consuming process, particularly if the vulnerabilities are deeply embedded in an organization's systems or applications. It's important for organizations to prioritize this issue and work with security experts to develop a comprehensive plan for addressing broken access control vulnerabilities.
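To make the IDOR and URL-restriction examples above, together with the "implement controls" and "monitor" steps of the fix, concrete, here is an added example that is not code from the original post or from OWASP: a minimal in-process Python model with a vulnerable record lookup beside its hardened form, a deny-by-default route table, and a check over the audit log of denied requests. The users, record ids, roles and paths are constructed for the demo.

```python
# Added example (not the post's code); users, records, roles and paths are constructed.
RECORDS = {101: {"owner": "alice", "body": "alice's invoice"},
           102: {"owner": "bob", "body": "bob's invoice"}}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}
RANK = {"user": 1, "admin": 2}
ROUTE_ROLES = {"/records": "user", "/admin/users": "admin"}  # deny by default
AUDIT_LOG = []  # denied attempts, the input to the monitoring step

def deny(user, resource):
    """Uniform 403 plus an audit record; missing and foreign ids look the same."""
    AUDIT_LOG.append({"user": user, "resource": resource})
    return 403, "forbidden"

def get_record_vulnerable(user, record_id):
    """IDOR: the client-supplied id is trusted and ownership is never checked."""
    return 200, RECORDS[record_id]["body"]

def get_record_fixed(user, record_id):
    """Ownership checked server-side against the session user; admins read any."""
    record = RECORDS.get(record_id)
    if record is None or (record["owner"] != user and ROLES[user] != "admin"):
        return deny(user, f"/records/{record_id}")
    return 200, record["body"]

def authorize_path(user, path):
    """Function-level check: unlisted paths or an insufficient role are rejected."""
    needed = ROUTE_ROLES.get(path)
    if needed is None or RANK[ROLES[user]] < RANK[needed]:
        return deny(user, path)
    return 200, "ok"

def handle(user, path):
    """Route a request: URL-level check first, then the object-level check."""
    if path.startswith("/records/"):
        status, body = authorize_path(user, "/records")
        if status != 200:
            return status, body
        record_id = path.rsplit("/", 1)[1]
        if not record_id.isdigit():
            return deny(user, path)
        return get_record_fixed(user, int(record_id))
    return authorize_path(user, path)

def suspicious_users(threshold=3):
    """Monitoring step: users whose denied attempts have reached the threshold."""
    counts = {}
    for event in AUDIT_LOG:
        counts[event["user"]] = counts.get(event["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)
```

The vulnerable lookup lets bob read alice's record by changing one number; the fixed path returns the same 403 for foreign and non-existent ids and records the attempt, so repeated denials surface through suspicious_users.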
