Application Security Risk - Broken Access Control

Broken Access Control refers to vulnerabilities that allow unauthorized actors to gain access to sensitive information or perform actions they are not supposed to. This can be categorized into several common weaknesses:CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CWE-201: Insertion of Sensitive Information Into Sent Data
CWE-352: Cross-Site Request Forgery

• Common causes of Broken Access Control include:Violation of the principle of least privilege or deny by default. This means that access should only be granted to specific capabilities, roles, or users, but it is instead available to anyone.
• Bypassing access control checks by modifying the URL (parameter tampering or force browsing), internal application state, HTML pages, or by using attack tools to modify API requests.
• Allowing the viewing or editing of someone else's account by providing its unique identifier (insecure direct object references).
• Accessing APIs without proper access controls for POST, PUT, and DELETE operations.
• Elevation of privilege, such as acting as a user without being logged in or acting as an admin when logged in as a regular user.
• Manipulation of metadata, like replaying or tampering with access control tokens such as JSON Web Tokens (JWTs), cookies, or hidden fields to elevate privileges or abuse JWT invalidation.
• Misconfiguration of Cross-Origin Resource Sharing (CORS), which allows unauthorized or untrusted origins to access APIs.
• Force browsing to authenticated pages as an unauthenticated user or accessing privileged pages as a standard user.

Here are two scenarios that illustrate Broken Access Control vulnerabilities:

Scenario #1: The application uses unverified data in a SQL call that accesses account information:

java
pstmt.setString(1, request.getParameter("acct"));
ResultSet results = pstmt.executeQuery();

An attacker can simply modify the browser's 'acct' parameter to send any account number they want. If this input is not properly verified, the attacker can access any user's account by manipulating the URL:
arduino
https://example.com/app/accountInfo?acct=notmyacct

Scenario #2: An attacker can force browse to target URLs that should be restricted to certain user roles. For example, access to the admin page requires admin rights:

ruby
https://example.com/app/getappInfo
https://example.com/app/admin_getappInfo

If an unauthenticated user can access either of these pages, it indicates a flaw. Similarly, if a non-admin user can access the admin page, it is also a security vulnerability.

Prevention Measures:

• To prevent Broken Access Control vulnerabilities, follow these best practices:Implement access control mechanisms in trusted server-side code or serverless APIs, where attackers cannot modify the access control check or metadata.
• Except for public resources, adopt a deny-by-default approach, meaning that access is only granted to specific resources and actions.
• Implement access control mechanisms once and reuse them consistently throughout the application. Minimize the usage of Cross-Origin Resource Sharing (CORS).
• Ensure that access controls enforce record ownership, rather than assuming that users can create, read, update, or delete any record.
• Enforce unique application business limit requirements using domain models.
• Disable web server directory listing and remove sensitive file metadata (e.g., .git) and backup files from web roots.
• Log access control failures and alert administrators when appropriate, such as in cases of repeated failures.
• Implement rate limiting on API and controller access to mitigate harm from automated attack tools.
• Invalidate stateful session identifiers on the server after logout. If using stateless JWT tokens, ensure they have a short lifespan to minimize the attacker's window of opportunity. For longer-lived JWTs, it is highly recommended to follow the OAuth standards for token revocation and management.
• 
  
• By following these preventive measures, you can enhance the security of your application and mitigate the risk of Broken Access Control vulnerabilities. Regular security assessments and testing should also be conducted to identify and address any potential weaknesses in access control mechanisms.
• 
  
• It is crucial to prioritize security during the development process and ensure that access controls are implemented correctly and consistently. This includes ongoing monitoring and updates as new vulnerabilities and attack techniques emerge.
• 
  
• Remember, access control is a critical aspect of protecting sensitive information and preventing unauthorized access. By implementing robust access control measures, you can significantly reduce the risk of data breaches and unauthorized activities within your application.