The Open Web Application Security Project (OWASP) announced a major update to their Ten Most Critical Web Application Security Risks list in 2017. Last updated in 2013, OWASP’s list is considered an important reference document for both developers and managers. After two drafts and public commentary, the final 2017 version was released in November.
Newly added in 2017, broken access control is ranked fifth on OWASP’s web application security risk list. It includes insecure direct object references (listed fourth in 2013) and missing functional level access control (listed seventh in 2013).
What Is Broken Access Control?
For operational purposes, every website must grant permissions to administrators, and in some cases, users. Admins control and modify content and users can interact as they are allowed, e.g., create an account. This functionality is helpful until it falls into the wrong hands; thieves can manipulate information, steal money or data and even lock out the legitimate owners.
Access control may start out strong but weaken as a site grows. As rules are written into new code, inconsistencies can appear, and adding further access levels compounds the problem.
Broken access control is very common and highly exploitable; many sites unwittingly grant access to unauthorized visitors who simply cut and paste a supposedly secure URL into their browser.
How Can I Detect Broken Access Control?
First, examine your access policies. Do you have a written guideline that outlines the various permissions needed, as well as a design document that helps you enforce this? If not, you are likely vulnerable.
Both code review and penetration testing are necessary to highlight the specific points where these vulnerabilities exist. You also want to understand how users and administrators access the site, which is often done through a remote access portal. A thorough audit of permissions granted and accessible data is also essential.
How Can I Prevent Broken Access Control?
Access control should be implemented and enforced through an access control matrix, which will define rules for each type of user. These access points should be rigorously tested by creating different accounts and attempting to access unauthorized areas.
Other recommendations include:
- Check permissions of individual files, not just directories. Make sure configuration files, default files and scripts are not accessible to the public. Limit directory access and executable files as well.
- Restrict caching. Client-side caching helps speed up websites, but cached information could be re-accessed by others. Use HTTP headers and meta tags to prevent restricted pages from being stored and reloaded.
- Don’t rely on “presentation access control.” The elimination of a navigation button won’t prevent hackers from getting there. Make sure every page is authenticated.
- Use OWASP’s Zed Attack Proxy Project (ZAP). This is a free, open-source security tool for finding vulnerabilities in applications.
- Limit remote administration permissions as much as possible.
How is Broken Access Control Used In Attacks?
Consider the following attack scenarios:
- In 2012, hackers gained access to the IRS’s South Carolina servers through a default admin password, stealing 3.6 million social security numbers.
- A website that lists its user role in the URL, e.g., http://website/user/account. A hacker could simply change the URL to http://website/admin/account and bypass any passwords or other checks.
- A brute force password attack could crack an admin panel that has a weak or default password.
- Insecure direct object references are variables that can be manipulated by the recipient and used to retrieve more data. For example, a user may be able to obtain a list of passwords or access other files with simple changes in the URL bar.
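The following is an added illustration, not code from the article: it shows the URL-trusting handler from the two scenarios above (role taken from the path, object fetched by id with no ownership check) next to a version that enforces the access control matrix recommended earlier, with the role read from the server-side session. The users, accounts and permission names are constructed for the example.

```python
# Added example: an access-control matrix enforced server-side, beside the
# URL-trusting handler it replaces. All names and data are constructed for
# illustration, not taken from any real application.

# Constructed sample data
USERS = {"alice": "user", "bob": "user", "carol": "admin"}  # username -> role
ACCOUNTS = {
    101: {"owner": "alice", "balance": 50},
    102: {"owner": "bob", "balance": 75},
}

# Access control matrix: role -> permissions it grants. Unknown roles get nothing.
MATRIX = {
    "user": {"account:read_own"},
    "admin": {"account:read_own", "account:read_any", "users:manage"},
}


def vulnerable_get_account(path, account_id):
    """The article's scenario: the role lives in the URL, so anyone who
    rewrites /user/account to /admin/account is treated as an admin, and the
    account id is looked up without checking who owns it (an IDOR)."""
    role = path.strip("/").split("/")[0]  # attacker-controlled
    if role not in MATRIX:
        return 404, None
    return 200, ACCOUNTS.get(account_id)  # no identity, no ownership check


def has_permission(session_user, permission):
    """Look the user's role up server-side and consult the matrix."""
    role = USERS.get(session_user)
    return permission in MATRIX.get(role, set())


def hardened_get_account(session_user, account_id):
    """Identity comes from the authenticated session, never from the URL.
    The object is released only if the matrix grants read_any, or read_own
    and the caller owns it. Missing and forbidden accounts get the same
    404 so that guessing ids reveals nothing."""
    account = ACCOUNTS.get(account_id)
    if account is not None:
        if has_permission(session_user, "account:read_any"):
            return 200, account
        if (has_permission(session_user, "account:read_own")
                and account["owner"] == session_user):
            return 200, account
    return 404, None
```

The hardened handler denies by default: an unknown user, an unknown role or an account the caller does not own all produce the same response.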
How Can I Learn More About Secure Coding & Pentesting?
Infosec Institute offers secure-coding modules for developers through its security awareness training platform, SecurityIQ, including a module on broken access control. These modules will help you further understand and implement OWASP’s recommendations.
SecurityIQ integrates security awareness training, phishing simulations and personalized learning in one platform. It evolves with employees’ security aptitudes, roles (including web development) and learning styles to create a personalized and engaging learning experience. You can trial training modules in SecurityIQ with a free account. Learn more here.
If you’d like to learn more about detecting web vulnerabilities like broken access control, check out InfoSec Institute’s new Mobile and Web Application Penetration Testing Boot Camp.