#6 Broken Access Control — Security Basics

Before we talk about Broken Access Control, let’s get to grips with Access Control.

Access control is the set of rules that decides what each user is allowed to do, including which information in the system they may read or change.

Before the system grants access to any information, the request must first pass the following checks.

What are the risks of Broken Access Control ???

Access control limits what users are allowed to do. When the system enforces it poorly, attackers can exploit the flaws to gain unauthorized access to functionality and data, such as other people’s user accounts.

Such attacks range from harvesting user credentials with specialised tools to simple experimentation with URL manipulation. Essentially, broken access control occurs when unauthorized users can reach files or functions they should not.

The basic way to take advantage of the application’s access control flaws is called “forced browsing”.

Let’s say that http://aaa.com is a website that authenticates its visitors, and that users and administrators are taken to the appropriate page after validation. But if an attacker knows the URL of one of those pages, he or she can simply type it into the browser, for example

http://aaa.com/admin_page or http://aaa.com/user_page

If the site is secure, the request will be redirected to the login page. But if those pages can be reached directly, access control is incomplete and damage will follow.

The vulnerability remains a problem even for large corporations, where attackers change URLs to gain unauthorized access to other users’ account pages.

The basic principle behind “forced browsing” extends to more complex attacks: poorly configured Cross-Origin Resource Sharing (CORS) is vulnerable to similar abuse. Without proper protection, some applications may expose tokens such as session keys or JSON Web Tokens that are used to grant access to privileged functions or to other users’ accounts.

SAST and DAST tools can help detect which points in the code lack an access control check, but they cannot tell whether a check that is present actually works correctly at runtime.

Is our application vulnerable ???

Attack example

# 1: The application uses unverified data in a SQL call that accesses account data:

The attacker simply changes the ‘acct’ parameter in the browser to send whatever account number they want. If the application does not verify that the account belongs to the logged-in user, an attacker can access any user’s account.

# 2: The attacker simply browses to a target URL that requires admin rights to reach the admin page.

If a user without that permission can still reach the admin page, the system is defective.
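The two examples above side by side, as an added illustration that is not code from the original post: the vulnerable ‘acct’ lookup next to a hardened version bound to the server-side session, plus a server-side role check for the admin page. The in-memory accounts table, the user names and the “user”/“admin” roles are constructed for this example.

```python
import sqlite3

# Roles assumed for this example (not from the post): "user" and "admin".
ADMIN_ROLE = "admin"

def build_db():
    """Constructed in-memory database: two users, each owning one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [(1001, "alice", 500), (1002, "bob", 9000)])
    return conn

def get_account_vulnerable(conn, session_user, acct_param):
    """Example #1 as described: the 'acct' request parameter is trusted as-is.
    Parameterised SQL blocks injection, but nothing ties the row to the
    caller, so any logged-in user can read any account by editing the number."""
    return conn.execute("SELECT acct, owner, balance FROM accounts WHERE acct = ?",
                        (int(acct_param),)).fetchone()

def get_account_fixed(conn, session_user, acct_param):
    """Hardened form: the lookup is bound to the authenticated user taken from
    the server-side session, never to client-supplied identity. Deny by default:
    a malformed id and a row owned by someone else both yield None."""
    if not str(acct_param).isdigit():
        return None
    return conn.execute(
        "SELECT acct, owner, balance FROM accounts WHERE acct = ? AND owner = ?",
        (int(acct_param), session_user)).fetchone()

def admin_page(session_role):
    """Example #2: the handler for /admin_page checks the role on every request,
    so knowing the URL is not enough. Non-admins are sent to the login page."""
    if session_role != ADMIN_ROLE:
        return 302, "/login"        # constructed response, not a real framework
    return 200, "admin dashboard"

if __name__ == "__main__":
    db = build_db()
    print(get_account_vulnerable(db, "alice", "1002"))  # bob's account leaks
    print(get_account_fixed(db, "alice", "1002"))       # None: denied
    print(admin_page("user"), admin_page("admin"))
```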

How to prevent and reduce risks ???

Words to know

If you have any doubts, feel free to ping me on Instagram (__fazalurrahman__) — until you guys read my next blog

cybersecurity researcher 》 programmer 》web developer》 pentester 》hacker》 bug hunter