Sreelekshmi Chandralekha

OWASP Top 10 : Broken Access Control


The Open Web Application Security Project, or OWASP, is an international non-profit organization dedicated to Web Application Security. The OWASP Top 10 is a standard awareness document representing a broad consensus about the top 10 critical security risks to web applications. Learn more about OWASP Top 10 through this series of short blog posts.


OWASP Top 10 - Broken Access Control


What is Access control and how does it become broken?


Access control (authorization) is a mechanism through which we specify which data, functions, systems and resources are accessible to which users and groups. It is implemented by writing policies that specify the access privileges. In web applications, access control depends on authentication and session management.


Broken access control occurs when there is a flaw in the implemented access control model and a user is able to bypass the control mechanism and act outside of their intended permissions. This vulnerability can be further exploited by an attacker modifying or deleting content, performing unauthorized functions, or even taking over a site by gaining administrative access.


Common attack types here include buffer or stack overflow, access aggregation attacks, password attacks, spoofing attacks, social engineering attacks, smart card attacks and denial of service attacks.


How do attacks due to broken access control impact businesses?


Unauthorized access to system functionality and resources creates a threat that opens your company to harmful and potentially expensive outcomes, depending on the sensitivity of the data the application handles.


Broken access control (BAC) leads to data leakage, causing business loss, reputational damage, loss of customer trust, etc. If the data contains sensitive information such as PII or payment card (PCI) data, customers can also be exposed to fraud. It would be disastrous if the application belongs to a government agency, since it can even endanger national security.


How do broken access control attacks occur?

  • Modifying the URL, state of an internal application, or the HTML page, or simply using a customized API attack tool.

  • Metadata manipulation, by reusing or modifying a JSON Web Token (JWT) or a cookie or a hidden field manipulated to elevate privileges, or abusing JWT invalidation.

  • Elevating privileges, both horizontally and vertically

  • Accessing and exploiting old directories, cached pages, weak passwords or passwords that have not been changed when employees or employee roles change.

  • Backdoors can cause loss of system functionality because authorized access controls are bypassed.

  • CORS misconfiguration allowing unauthorized API access.

  • Proper account lockout mechanisms not being implemented, enabling an attacker to carry out brute-force attacks, birthday attacks, etc.
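The first two items in the list (modifying the URL, and manipulating a hidden field or cookie to elevate privileges) are easiest to see in code. The following is an added example, not code from the original post: a minimal invoice handler written twice, once with those two flaws and once with the server-side checks that close them. The data, the `Invoice`/`User` types and the `Forbidden` exception are all constructed for illustration.

```python
# Added example (not from the original post): the same invoice handler with the
# access control flaws described above, and with server-side checks that fix them.
# All names and sample data are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "customer" or "admin", as stored on the server


# Constructed sample data standing in for a database.
INVOICES = {
    1001: Invoice(invoice_id=1001, owner_id=1, amount=120.0),
    1002: Invoice(invoice_id=1002, owner_id=2, amount=75.5),
}
USERS = {
    1: User(user_id=1, role="customer"),
    2: User(user_id=2, role="customer"),
    99: User(user_id=99, role="admin"),
}


class Forbidden(Exception):
    """Raised when an access control check fails (maps to HTTP 403)."""


def get_invoice_vulnerable(params: dict) -> Invoice:
    """Horizontal escalation: the invoice id comes straight from the URL and
    nothing checks that the caller owns it, so user 1 can read user 2's invoice."""
    return INVOICES[int(params["invoice_id"])]


def delete_invoice_vulnerable(params: dict) -> bool:
    """Vertical escalation: 'role' is a client-supplied hidden field / cookie,
    so whoever sets role=admin passes the check."""
    if params.get("role") != "admin":
        raise Forbidden("admin role required")
    return int(params["invoice_id"]) in INVOICES


def _current_user(session_user_id: int) -> User:
    """Identity and role come from the server-side session, never from the request."""
    return USERS[session_user_id]


def get_invoice_secure(session_user_id: int, params: dict) -> Invoice:
    """Object-level check: allow only the owner or an admin; deny everything else."""
    user = _current_user(session_user_id)
    invoice = INVOICES.get(int(params["invoice_id"]))
    if invoice is None or not (user.role == "admin" or invoice.owner_id == user.user_id):
        # One response for 'not found' and 'not yours' avoids confirming which ids exist.
        raise Forbidden("invoice not accessible")
    return invoice


def delete_invoice_secure(session_user_id: int, params: dict) -> bool:
    """Function-level check: the role is read from the session record; any
    client-supplied 'role' parameter is ignored."""
    user = _current_user(session_user_id)
    if user.role != "admin":
        raise Forbidden("admin role required")
    return int(params["invoice_id"]) in INVOICES


if __name__ == "__main__":
    # User 1 asking for user 2's invoice: the flawed handler returns it, the fixed one refuses.
    print(get_invoice_vulnerable({"invoice_id": "1002"}).owner_id)
    try:
        get_invoice_secure(1, {"invoice_id": "1002"})
    except Forbidden as exc:
        print("denied:", exc)
```

The point of the two secure functions is that every input the authorization decision depends on (who the caller is, what role they hold, who owns the object) is looked up on the server; the request contributes only the identifier of the thing being asked for.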


Past Victims

Many major businesses have been affected by failing to implement a proper access control mechanism, leading to weak authentication, missing function-level access control and poor session management.


The big names include Kroger (tax and salary data for 431,000 people who filed tax forms online), the Aerticket breach (data for 1.5 million German airline passengers breached), the ClixSense breach (hackers obtained control over hosting servers and were able to gain access to sensitive back-end systems), Zoom, First American Financial Corp, etc.


How to prevent attacks due to Broken Access Control:

Access control should be enforced on the trusted server side or in a serverless API, where the attacker is unable to modify the access control check or its metadata.

  • Implement access control mechanisms in accordance with your business needs and re-use them throughout the application, including minimizing CORS usage

  • Use access control lists and also role-based authentication mechanisms

  • Deny access to functionality by default, with the exception of public resources

  • Disable web server directory listing and ensure file metadata and backup files are not present in webroot

  • JWT tokens should be invalidated on the server-side after logout

  • Rate limit API and controller access to minimize automated attacks

  • Create multi-layered login processes and workflow accessibility

  • Monitor activity for unauthorized personal-use web sites, telephone usage and software installation; also log access control failures and alert admins when appropriate (e.g. on repeated failures)
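Three of the items above (deny by default, re-use one mechanism throughout the application, and log failures and alert on repeated ones) fit naturally into a single authorizer object. The following is an added example, not code from the original post or from OWASP: a role-to-permission map with no catch-all entry, a `check()` method every handler calls, and a sliding window that raises an alert when one user collects repeated denials. The roles, permission names, thresholds and the `Authorizer` class are constructed for illustration.

```python
# Added example (not from the original post): a deny-by-default authorizer that
# logs every access control failure and alerts on repeated failures per user.
# Roles, permissions and thresholds are constructed for illustration.
import logging
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Set, Tuple

log = logging.getLogger("access_control")

# Role -> permissions. Anything not listed is denied; there is no "allow all" role.
PERMISSIONS: Dict[str, Set[str]] = {
    "customer": {"invoice:read"},
    "support": {"invoice:read", "ticket:write"},
    "admin": {"invoice:read", "invoice:delete", "ticket:write", "user:manage"},
}


class AccessControlFailure(Exception):
    """Raised on every denied request (map to HTTP 403 in a web framework)."""


class Authorizer:
    def __init__(self, alert_threshold: int = 3, window_seconds: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.alert_threshold = alert_threshold
        self.window_seconds = window_seconds
        self.clock = clock  # injectable so the alerting logic can be exercised offline
        self._failures: Dict[int, Deque[float]] = defaultdict(deque)
        self.alerts: List[Tuple[int, int]] = []  # (user_id, failures inside the window)

    def is_allowed(self, role: str, permission: str) -> bool:
        # An unknown role maps to an empty set, so every permission is denied.
        return permission in PERMISSIONS.get(role, set())

    def check(self, user_id: int, role: str, permission: str) -> bool:
        """Return True if allowed; otherwise log, count the failure and raise."""
        if self.is_allowed(role, permission):
            return True
        self._record_failure(user_id, role, permission)
        raise AccessControlFailure(f"user {user_id} ({role}) lacks {permission}")

    def _record_failure(self, user_id: int, role: str, permission: str) -> None:
        now = self.clock()
        window = self._failures[user_id]
        window.append(now)
        while window and now - window[0] > self.window_seconds:
            window.popleft()  # forget failures older than the window
        log.warning("access denied: user=%s role=%s permission=%s", user_id, role, permission)
        if len(window) >= self.alert_threshold:
            self.alerts.append((user_id, len(window)))
            log.error("ALERT: user=%s had %d access control failures within %.0fs",
                      user_id, len(window), self.window_seconds)

    def failures_in_window(self, user_id: int) -> int:
        return len(self._failures.get(user_id, ()))


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    auth = Authorizer()
    auth.check(7, "customer", "invoice:read")  # allowed, nothing logged
    for _ in range(3):
        try:
            auth.check(7, "customer", "invoice:delete")  # denied each time
        except AccessControlFailure:
            pass
    print("alerts:", auth.alerts)
```

Because `check()` is the only way a handler obtains a decision, adding a new role or endpoint means editing the `PERMISSIONS` table rather than sprinkling new `if` statements; forgetting to add an entry fails closed. The per-user failure window gives the monitoring item above something concrete to alert on.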


Interested in learning how to know if your organization is vulnerable to attacks leading from Broken Access Control? Drop us a note now at sales@siemba.io