Avoid Data Breaches: OWASP Top Ten – Broken Access Controls

Broken Access Controls are a leading cause of breaches

In the cyber security world, whether you're a small business or a large enterprise, web application vulnerabilities are always a hot topic. Whenever the subject comes up it's usually not long before the OWASP Top 10 is mentioned as well. OWASP, the Open Web Application Security Project, has published its Top 10 since 2003. The list ranks the ten most critical categories of security risk affecting web applications at the time of each release.

With web application security moving to the forefront of the industry, it is good timing that OWASP released an updated Top 10 in September 2021. The list organizes and succinctly presents the most relevant and prevalent web application risks we face today.

How do these vulnerabilities affect your business? What makes an application vulnerable, and how are the flaws exploited? Most importantly, should you be concerned? In this new series we'll break down each of the OWASP Top 10 categories and explain how they work, how they're exploited, and how to remediate them.

Let’s begin. 

First on the 2021 list is Broken Access Control (A01:2021). These vulnerabilities generally let an attacker reach data or functions they shouldn't, either because a control can be bypassed or because the application doesn't adhere to the principle of least privilege.

OWASP lists the following as common access control vulnerability examples:

• Violation of the principle of least privilege or deny by default, where access should only be granted for particular capabilities, roles, or users, but is available to anyone.
• Bypassing access control checks by modifying the URL (parameter tampering or force browsing), internal application state, or the HTML page, or by using an attack tool to modify API requests.
• Permitting viewing or editing someone else's account by providing its unique identifier (insecure direct object references).
• Accessing an API with missing access controls for POST, PUT and DELETE.
• Elevation of privilege: acting as a user without being logged in, or acting as an admin when logged in as a user.
• Metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) access control token, a cookie or hidden field manipulated to elevate privileges, or abusing JWT invalidation.
• A CORS misconfiguration that allows API access from unauthorized/untrusted origins.
• Force browsing to authenticated pages as an unauthenticated user, or to privileged pages as a standard user.

Access control enforces policy so that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of data, or to performing a business function outside the user's limits.

All of these weaknesses come down to an attacker being able to read information or invoke functionality outside of their privileges, or with no privileges at all. Unlike injection flaws, testing for them rarely involves a special payload. The attacker takes a legitimate request and alters the part of it that carries identity or authorization: the record identifier in the URL or body, a role or hidden form field, the HTTP method, a cookie or JWT claim, or the path itself. The modified request is sent to the server, and if access control is broken the server simply answers it, returning another user's record, performing the privileged action, or serving the restricted page. That is what makes this category so potent: the attacker needs no parser bug, only a missing check, and can use it to elevate privileges or to enumerate and exfiltrate data that should have been inaccessible.
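The following is an added example, not code from this article or from Foresite. It shows the insecure direct object reference case from the list above in a vulnerable handler beside a hardened, deny-by-default version, plus the identifier-tampering test just described. It is framework-free Python; the account records, the Session object, the role names and the helper names are all constructed for the example.

```python
# Added example (not from the article): object-level authorization (IDOR) in a
# minimal, framework-free request handler. All data and sessions are constructed.
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: two customer records keyed by account id.
ACCOUNTS = {
    101: {"owner": "alice", "email": "alice@example.com", "balance": 2500},
    102: {"owner": "bob", "email": "bob@example.com", "balance": 90},
}


@dataclass(frozen=True)
class Session:
    user: Optional[str]   # authenticated principal, or None when not logged in
    role: str = "user"    # constructed roles: "user" or "admin"


class Forbidden(Exception):
    pass


class Unauthorized(Exception):
    pass


# --- vulnerable form: trusts whatever identifier the client supplies ----------
def get_account_vulnerable(session, account_id):
    """Returns any account whose id the client names. A logged-in user who
    changes ?id=101 to ?id=102 reads another customer's record."""
    if session.user is None:
        raise Unauthorized()
    return ACCOUNTS[account_id]   # KeyError for unknown ids, no ownership check


# --- hardened form: the server decides, per record, whether this principal may
# act on it. Nothing is allowed unless an explicit rule says so. ---------------
def can_access(session, account, action):
    if session.user is None:
        return False
    if session.role == "admin":
        return True
    # ordinary users may read and update only the record they own
    return account["owner"] == session.user and action in ("read", "update")


def get_account(session, account_id):
    account = ACCOUNTS.get(account_id)
    # Same answer for "not yours" and "does not exist", so ids cannot be enumerated.
    if account is None or not can_access(session, account, "read"):
        raise Forbidden()
    return account


def update_account_email(session, account_id, new_email):
    """The write path gets the same check as the read path; missing checks on
    POST/PUT/DELETE are one of the OWASP examples listed above."""
    account = ACCOUNTS.get(account_id)
    if account is None or not can_access(session, account, "update"):
        raise Forbidden()
    account["email"] = new_email
    return account


# --- the tamper test an attacker (or your pentester) runs ----------------------
def denies(handler, session, account_id):
    """True if the handler refuses the request outright."""
    try:
        handler(session, account_id)
    except (Forbidden, Unauthorized):
        return True
    return False


def leaked_ids(handler, session, candidate_ids):
    """Call handler as an ordinary `session` for every candidate id and return
    the ids that came back holding someone else's data."""
    leaked = []
    for account_id in candidate_ids:
        try:
            record = handler(session, account_id)
        except (Forbidden, Unauthorized, KeyError):
            continue
        if record["owner"] != session.user:
            leaked.append(account_id)
    return leaked


if __name__ == "__main__":
    bob = Session(user="bob")
    print("vulnerable handler leaks:", leaked_ids(get_account_vulnerable, bob, range(100, 105)))
    print("hardened handler leaks:  ", leaked_ids(get_account, bob, range(100, 105)))
```

The check lives in one function, `can_access()`, that both the read and the write paths call before touching the record; that is the shape to aim for, because a check that each handler has to remember individually is the one that gets forgotten.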

Attackers can use broken access controls to breach your business

An example is an attacker escalating to administrator on a vulnerable application. Assume an application that hosts our customers' information behind a simple login page. By fuzzing the URL with a wordlist of likely paths, a technique for discovering unlinked files and directories, we find that the administrative panel's URL is reachable without authentication. This is a flagrant example of bad access control.

Instead of guessing the administrator's password, we simply bypass the login screen by requesting the URL that a successful login would have led to anyway. All we need to start with is the application's base URL.


Example of Broken Access Controls

As an example, let’s use the URL below where the login page is located: 

https://abc.com/login.html 

Given our fuzzing results we know the administrative portal is located at /.admin-panel.html. Navigating to the URL below skips the login page entirely and lets us view and interact with the panel, which would allow an attacker to read customer data, create an account for themselves, and more.

https://abc.com/.admin-panel.html 
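As an added example, not from the original article, here is the forced-browsing case above modelled as two request dispatchers: one where the admin page is served to anyone who guesses its path because only some handlers check for a session, and one that denies by default and checks the caller's role before any handler runs. The paths /login.html and /.admin-panel.html are the article's; the route table, role names, page contents and wordlist are constructed here. `forced_browse()` is the check you would run against your own site: walk a wordlist with no session and list every path that answers 200.

```python
# Added example (not from the article): route-level access control, deny by
# default, for the forced-browsing scenario. Routes, roles and wordlist are
# constructed for this example.

# Constructed page contents served at each path.
PAGES = {
    "/login.html": "login form",
    "/account.html": "customer account page",
    "/.admin-panel.html": "ADMIN PANEL: customer list, create account",
}


# --- vulnerable form: a page is protected only if its handler remembers to
# check. The admin panel shipped without a check, so anyone who guesses the
# path gets it. ----------------------------------------------------------------
def vulnerable_dispatch(path, session_role):
    if path == "/account.html" and session_role is None:
        return 302, "/login.html"          # this is the only handler that checks
    if path in PAGES:
        return 200, PAGES[path]
    return 404, "not found"


# --- hardened form: deny by default. Every served path declares which roles
# may see it; a path missing from the policy is never served, and the check
# runs before the handler, so a forgotten check cannot expose a page. ----------
POLICY = {   # path -> roles allowed (constructed roles)
    "/login.html": {"anonymous", "user", "admin"},
    "/account.html": {"user", "admin"},
    "/.admin-panel.html": {"admin"},
}


def hardened_dispatch(path, session_role):
    if path not in POLICY:
        return 404, "not found"
    role = session_role or "anonymous"
    if role not in POLICY[path]:
        # Unauthenticated callers are sent to log in; authenticated but
        # unprivileged callers get 403. Either way the content never leaves.
        return (302, "/login.html") if role == "anonymous" else (403, "forbidden")
    return 200, PAGES[path]


# --- the check a pentester runs: request every candidate path with no session
# (or with a low-privilege one) and report what comes back 200. ----------------
def forced_browse(dispatch, wordlist, session_role=None):
    return [p for p in wordlist if dispatch(p, session_role)[0] == 200]


# Constructed wordlist of the kind a directory brute-forcer would try.
WORDLIST = ["/admin", "/admin.html", "/.admin-panel.html",
            "/login.html", "/account.html", "/backup.zip"]


if __name__ == "__main__":
    print("reachable unauthenticated, vulnerable:", forced_browse(vulnerable_dispatch, WORDLIST))
    print("reachable unauthenticated, hardened:  ", forced_browse(hardened_dispatch, WORDLIST))
    print("reachable as a standard user, hardened:", forced_browse(hardened_dispatch, WORDLIST, "user"))
```

Run the unauthenticated walk against the vulnerable dispatcher and /.admin-panel.html shows up in the results; against the hardened one only /login.html does. The same walk with a standard-user session is the test for the second half of OWASP's force-browsing bullet, privileged pages reachable by a normal user.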

If the data held within the affected application is sensitive, as in our example above, your company may suffer irreparable reputational harm or financial damages when it is exfiltrated. That is why it is so important to regularly test for and remediate broken access control vulnerabilities.

Remedy Broken Access Controls

Foresite cybersecurity experts put themselves in the shoes of a would-be attacker to test for these types of vulnerabilities. These simulated attacks use the same approach a hacker would and attempt to exploit the vulnerabilities found in order to build an accurate picture of the application's actual security posture. The process begins with information gathering and enumeration to determine which parameters and endpoints are vulnerable. From there the consultant exploits the vulnerabilities found, with the goal of attaining full control of the application, and then produces a detailed report of the findings, including each vulnerability along with notes on how it was exploited. This proactive approach allows businesses and organizations to understand and remedy weaknesses before attackers have the opportunity to exploit them.

If you’re concerned you may be affected by any of these types of vulnerabilities contact us to learn more about how Foresite can help you scan for and remediate access control vulnerabilities.  

Tristin Zeman

Tristin Zeman is the Digital Marketing Manager at Foresite. For the past 10 years, she has helped organizations of all sizes create and scale marketing programs through digital and traditional marketing channels and efficient marketing operations.
