Recently, OWASP (the Open Web Application Security Project) announced an update of their “Ten Most Critical Web Application Security Risks.” OWASP is a nonprofit organization devoted to helping create a more secure internet and the list is considered an important benchmark. (The new 2017 list is currently in the comments phase.)
This is one of a series of articles exploring each point on OWASP’s list and what can be done to mitigate their dangers. “Broken Access Control” is number 4. This year, OWASP has merged “Insecure Direct Object References” and “Missing Functional Level Access Control” into “Broken Access Control,” a more universal catchall for the different types of access control weaknesses formerly addressed individually on the 2013 list. (“Broken Access Control” was also the original category name in 2003 and 2004.) This made room for “Insufficient Attack Protection” and “Unprotected APIs” (which took the place of the removed “Unvalidated Redirects and Forwards.”)
Broken access control is used to describe vulnerabilities related to user authorization. Websites need to allow certain permissions for basic/public users and must also have an administrator who can allow or deny certain privileges to others.
This seems simple, but it can quickly become complex. Developers often underestimate the need for consistency and, as a site evolves, they end up having ad-hoc rules throughout the code. In addition, various users may need different levels of authorization, further complicating the system.
OWASP says broken access control is a threat that is easily exploitable and widespread, as many websites allow unauthorized users to access areas of the site with a simple cut and paste into the browser. Once they’re in, hackers can access other users’ accounts, view data, change permissions, and essentially take over the system as an admin.
To determine the appropriate methodology for restricting access control, OWASP advises doing a risk assessment. From there, all companies should implement an access control policy that must be followed by all IT personnel. This should include using reference maps or access control checks, limiting function requests to authenticated users, and automating verification.
“The intention of having an access control policy is to ensure that security requirements are described clearly to architects, designers, developers, and support team, such that access control functionality is designed and implemented in a consistent manner,” the OWASP website states.
In order to raise awareness of the importance of OWASP’s recommendations, Infosec Institute has created special learning modules in its AwareED portal, including one on broken access control.
This is just a small part of the SecurityIQ program, which is designed to educate employees and to detect weaknesses in a company’s defenses against cyber-criminals.
If you sign up today, you get 30 days premium access, which includes unlimited learners, free!