#6 Broken Access Control — Security Basics

Before we talk about Broken Access Control, let’s get to grips with Access Control.

Access Control is the access control — including the right to access information in the system.

To give access to any information The system must first pass the following checks.

  • Identification refers to the identity that the user has to provide evidence (Identity) of their own identity such as username, password.
  • Authentication refers to authenticating that the person using the system is really that person or not.
  • Authorization refers to the authorization of the person through the process. Authentication And have the right to access the information in which part of the system?

What are the risks of Broken Access Control ???

It’s a limitation on what users are allowed to do, but the system is poorly protected, allowing attackers to exploit flaws to gain unauthorized access to functionality and data, such as user account access. Use of other people’s etc.

Such attacks range from collecting user credentials with the help of special tools to experimenting and simple URL manipulation. Essentially, corrupted access controls occur when unauthorized users can access files or Function

The basic way to take advantage of the application’s access control flaws is called “forced browsing”.

Let’s say that the website http://aaa.com It is a website that supports the authenticity of the user and the administrator will be taken to the appropriate webpage after validation. But if an attacker knows the URL, he or she can enter it in their browser, for example

http://aaa.com/admin_page or http://aaa.com/user_page

If it is a secure website, it will be redirected to the login page. But if those pages are allowed to be accessed, it will be incomplete access control and will cause damage.

The vulnerability continues to be a problem for large corporations, where attackers change URLs to gain unauthorized access to other user account pages.

The basic principle behind “forced browsing” extends to more complex attacks: poorly configured Cross-Origin Resource Sharing (CORS) is very vulnerable to similar attacks. Without proper protection, some applications may allow access to tokens such as session keys or JSON Web Token to manage and allow users to access special functions or other user accounts.

SAST and DAST are tools that can help detect which point of code doesn’t have access control. But I can’t tell if it’s working properly when it’s in use.

Is our application vulnerable ???

  • Skip validation by changing URL, app state, html page or using API attack tools.
  • Allow the primary key to be changed to a list of other users, to view or edit other people’s accounts.
  • Elevation Acting as a user without logging in or acting as an administrator when logged in as a user.
  • Metadata handling, such as Token modifications, JSON Web Token (JWT) access control, hidden cookies, or fields are manipulated for escalation or misuse of JWT.
  • CORS misconfiguration thus allows unauthorized access to the API.
  • Force webpages to be browsed unauthenticated, to privileged webpages as regular users, or to allow unauthorized access to the API.

Attack example

# 1: Applications use unauthenticated data to call SQL to access account data:

The attacker simply changes the ‘acct’ parameter in their browser to send whatever account number they want. If the app is unverified, an attacker can access any user’s account.

# 2: The attacker simply browses to the target URL and requires admin rights to access the admin page.

If a user who does not have permission but can access the admin page then the system is defective.

How to prevent and reduce risks ???

  • Implement a single access control mechanism and reuse the entire application as well as reducing the use of CORS.
  • Enforce ownership of the respective data
  • There is a requirement to use the domain to access
  • An additional layer of security is used to protect sensitive information.
  • Disable the web server directory listing and make sure the file’s metadata doesn’t appear on the web.
  • There is a log to notify the admin when an attempt is made to access the information without authentication.
  • The JWT token should be invalid after logout.

Words to know

  • Cross Origin Resource Sharing (CORS) is a mechanism that enables web servers to allow Or not allowed Requesting any resource on the page that was fetched from another domain. That is not the domain that the web page is in
  • Source Code Analysis Tools (SAST) are tools designed to analyze the source code and / or compile version of the code to help identify security flaws.
  • DAST is an automated tool that scans for vulnerabilities in third-party applications to find security vulnerabilities such as Cross-site scripting, SQL Injection, Command Injection, Path Traversal, and any configuration to unsafe servers.

If you have any doubts feel free to ping me in instagram.(__fazalurrahman__) — until you guys read my next blog


cybersecurity researcher 》 programmer 》web developer》 pentester 》hacker》 bug hunter