A5-Broken Access Control

Understanding Broken Access Control Risk

Web applications now deliver most of the services people use day to day, and their visual polish and service quality have improved steadily. Application security, however, is still often an afterthought. This blog post looks at broken access control, one of the most common and most damaging flaws in web applications today.

Broken Access Control

Broken access control is one of the risks in the OWASP Top 10 web application security list, and it affects a very large share of the web applications in use today. OWASP's risk rating for it is summarised below.

Broken Access Control

Exploitability: Easy. The attacker changes a parameter value that directly refers to a system object (a file, an account, a record) for which he is not authorised, and the application honours the request.

Security Weakness

  • Common in applications and APIs that do not verify the privileges of every incoming request
  • Easy to detect with manual testing, but not well suited to automated dynamic or static testing, which is why it survives in so many code bases

Technical Impacts: Privilege escalation, both vertical (acting as an administrator) and horizontal (acting as another user of the same level), and disclosure or modification of data the attacker should not be able to reach

It is common to come across applications that go to the trouble of building a robust authentication mechanism and then squander that investment by never defining an effective access control strategy on top of it. Authentication only establishes who the user is; access control decides what that user may do. The main reason these vulnerabilities are so widespread is that the check has to be performed on every request and for every operation a user attempts on a resource, so a single missed check is enough. Conceptually the vulnerability is simple: the application lets a user do something he or she should not be permitted to do.

Access Control Overview

Access control is the mechanism that determines which users hold which rights and privileges. A clear, documented access control policy is essential, because the code can only enforce what has been decided. In a web application, access control guarantees that only authorised users can perform security-sensitive functions. These checks are evaluated against the identity established at login before actions such as opening a sensitive page or modifying the database are allowed. Because access controls take these key decisions, they must be treated as a primary defence mechanism rather than an afterthought.

Access controls can be implemented at three different levels:

  1. Physical Access Controls – limit physical access to the systems and locations that hold the resource. Example: locks, badge readers, separated work areas
  2. Logical Access Controls – software and technical measures that enforce access to systems and data, including biometric features and strong password schemes. Example: encryption, passwords, tokens
  3. Administrative Access Controls – the policies and procedures the organisation defines to govern the whole access control programme. Example: written policies and procedures, awareness training

Access control can be implemented according to four different models:

  1. Mandatory Access Control (MAC) – access decisions are made by a central authority from security labels on subjects and objects; users cannot change them. The strictest model
  2. Discretionary Access Control (DAC) – the owner of a resource decides who may access it, which gives users some latitude in defining privileges
  3. Role-Based Access Control (RBAC) – permissions are attached to roles, and users receive permissions by being assigned roles
  4. Rule-Based Access Control (sometimes written RuBAC to avoid confusion with RBAC) – access is granted or denied by pre-defined rules, such as time of day or source network, which adds flexibility on top of roles

Common Access Control Vulnerabilities

When access controls are defective, an intruder can compromise the whole application, taking over admin functionality and misusing sensitive data he is not authorised to access. The following weaknesses are the ones that most often hand an attacker that opportunity:

  • Bypassing access control checks by modifying the URL, the HTML page or the internal application state, or by using an attack tool such as an intercepting proxy
  • Allowing a user to view or modify someone else's record or account simply by supplying its identifier
  • Privilege escalation: acting as an administrator while logged in as an ordinary user, or acting as a user while not logged in at all
  • Metadata manipulation, such as tampering with or replaying an access token, a cookie or a hidden field to elevate privileges
  • CORS (Cross-Origin Resource Sharing) misconfiguration that permits unauthorised origins to call the API from the browser
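The last item is easy to get wrong in a way that looks correct. The example below is added here and is not code from the original post; it assumes a hypothetical API whose trusted front-end lives at `https://app.example.com`. The vulnerable variant trusts any Origin that merely ends in the company domain and also allows credentials, so a browser on `https://attacker-example.com` can make authenticated calls and read the responses. The hardened variant compares the Origin against an exact allow-list and sends no CORS headers at all for anything else.

```python
# Added example: CORS origin validation, vulnerable vs. hardened.
# Both functions take the value of the browser's Origin request header and
# return the CORS response headers the server would emit.

TRUSTED_ORIGINS = {"https://app.example.com"}  # assumed trusted front-end


def cors_headers_vulnerable(origin: str) -> dict:
    """Suffix match on the domain plus Allow-Credentials: any origin that
    *ends with* example.com is trusted, including attacker-example.com."""
    if origin.endswith("example.com"):
        return {
            "Access-Control-Allow-Origin": origin,   # reflects the attacker's origin
            "Access-Control-Allow-Credentials": "true",
        }
    return {}


def cors_headers_hardened(origin: str) -> dict:
    """Exact match against an allow-list. Deny by default: unknown origins get
    no CORS headers, so the browser blocks the cross-origin read."""
    if origin in TRUSTED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            # Tell caches that the response varies by Origin so one trusted
            # answer is never served to a different origin.
            "Vary": "Origin",
        }
    return {}


if __name__ == "__main__":
    for o in ("https://app.example.com", "https://attacker-example.com"):
        print(o, "->", cors_headers_vulnerable(o), "|", cors_headers_hardened(o))
```

Run it and compare the two columns for `https://attacker-example.com`: the vulnerable handler reflects the hostile origin with credentials enabled, which is exactly the misconfiguration the bullet above describes.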


Let us analyse this flaw from a practical perspective. Consider a page that lets you view the source code of several of the site's own pages; the page to display is named in a request parameter.

[Screenshot: the "view source" page listing the pages whose source can be displayed]

Let us look at the request with Burp Suite configured as an intercepting proxy. The proxy captures the request after the browser builds it and before it reaches the server, so every parameter can be edited on the way.

[Screenshot: the intercepted request in Burp]

Here we simply change the file name parameter to something sensitive, for example the server's password file, and ask the parsing engine to show its contents.

[Screenshot: the file name in the request replaced with the path of the password file]

Because the server performs no authorisation check on the user-supplied file name (the name is a direct reference to an object on the server, and the application trusts it), it reads the requested file and returns it, disclosing sensitive content as shown in the screenshot below. This is the insecure direct object reference pattern that OWASP folds into broken access control.

[Screenshot: the response containing the contents of the password file]
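To make the walkthrough above concrete, here is an added example (not code from the original post) that reproduces the flaw and its fix in a few lines of Python. It builds a throw-away web root in a temporary directory with two viewable pages and one sensitive file outside the pages directory, standing in for the password file; the names, contents and directory layout are constructed for the example. `view_source_vulnerable` does what the page in the screenshots did: it trusts the file name parameter. `view_source_hardened` denies by default with an allow-list of viewable pages and, as defence in depth, canonicalises the path and confirms it still lies under the pages directory.

```python
import os
import tempfile

# Constructed sample web root: two legitimately viewable pages and one
# sensitive file one level above them (stands in for the password file).
ROOT = os.path.realpath(tempfile.mkdtemp())
PAGES_DIR = os.path.join(ROOT, "pages")
os.makedirs(PAGES_DIR)
for name, body in (("index.html", "<h1>index</h1>"), ("about.html", "<h1>about</h1>")):
    with open(os.path.join(PAGES_DIR, name), "w") as f:
        f.write(body)
SECRET_FILE = os.path.join(ROOT, "passwd")
with open(SECRET_FILE, "w") as f:
    f.write("root:x:0:0")

# Names the application actually intends to expose (deny everything else).
VIEWABLE = {"index.html", "about.html"}


def view_source_vulnerable(filename: str) -> str:
    """Trusts the client-supplied file name: anything the server process can
    read is served, e.g. filename='../passwd'."""
    with open(os.path.join(PAGES_DIR, filename)) as f:
        return f.read()


def view_source_hardened(filename: str) -> str:
    """Two independent checks; either one alone would stop the attack."""
    # 1. Allow-list: the request names a page, not a path.
    if filename not in VIEWABLE:
        raise PermissionError("not a viewable page: %r" % filename)
    # 2. Canonicalise and confirm the resolved path is still under PAGES_DIR,
    #    so a future change to the allow-list cannot reintroduce traversal.
    real = os.path.realpath(os.path.join(PAGES_DIR, filename))
    if os.path.commonpath([real, PAGES_DIR]) != PAGES_DIR:
        raise PermissionError("path escapes the pages directory")
    with open(real) as f:
        return f.read()


if __name__ == "__main__":
    print("vulnerable, ../passwd:", view_source_vulnerable("../passwd"))
    print("hardened, index.html:", view_source_hardened("index.html"))
    try:
        view_source_hardened("../passwd")
    except PermissionError as e:
        print("hardened, ../passwd: denied:", e)
```

Note that `os.path.join` discards the base directory entirely when the second argument is an absolute path, so the vulnerable handler would also serve an absolute path such as the real `/etc/passwd` on a Unix server; the hardened handler's allow-list rejects it before the path is ever built.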

How To Defend Against Broken Access Control?

  • Explicitly work out the access control requirements for every piece of application functionality and document them. This means stating who may legitimately perform each action and which resources a user may reach through it
  • Drive all access control decisions from the server-side session of the logged-in user, never from data the client sends (hidden fields, cookies the client can edit, URL parameters)
  • Employ a single central application component for access control checks
  • Route every request through that central component to decide whether the requesting user is permitted to access the resource; a handler that forgets to call it is the bug
  • Use programmatic techniques (for example a framework-level filter or decorator) to guarantee that no endpoint is an exception
  • For the most sensitive functions, such as administrative pages, add an extra restriction on source IP address so that only users from certain networks can reach them, irrespective of their login status
  • Log every sensitive operation, including denied attempts; this is what lets you detect and investigate an access control breach
  • Prevent forced browsing by granting access strictly according to each user's privileges, not by hiding links
  • Always test from an unprivileged role or a low-level account. Capture a request made from a privileged session and replay it from the low-privilege session; it must be refused
  • Deny by default: everything not explicitly allowed is forbidden
  • Review the server and application from time to time to find holes in the access controls, since new endpoints are added constantly
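The list above is a procedure, and the pieces fit together in one small design. The example below is added here and is not code from the original post; it assumes a hypothetical order-management application with the roles `customer` and `admin`, a role-based policy table, and in-memory sample data constructed for the example. A single `authorize` function is the central component every handler calls; it decides from the server-side `User` object (never from request data), applies the role policy with an unknown action denied by default, adds an ownership check for horizontal access, and records every decision in an audit log. `replay_as` implements the testing step: re-issuing a request captured from a privileged session under a low-privilege session.

```python
from dataclasses import dataclass

# Role-based policy: action -> roles allowed to perform it. Anything absent
# from this table is denied, which is the deny-by-default rule. (Assumed.)
POLICY = {
    "view_order": {"customer", "admin"},
    "list_all_orders": {"admin"},
    "delete_user": {"admin"},
}


@dataclass(frozen=True)
class User:          # what the server-side session holds after login
    name: str
    role: str


@dataclass(frozen=True)
class Order:
    id: int
    owner: str


# Constructed sample data.
ORDERS = {1: Order(1, "alice"), 2: Order(2, "bob")}

# Every decision is appended here; a real application writes the same tuple
# to its security log. Denied attempts are the interesting entries.
AUDIT = []

# One response for "does not exist" and "not yours", so an attacker cannot
# enumerate valid IDs by comparing error codes.
DENIED = "403 Forbidden"


def authorize(user: User, action: str, resource=None) -> bool:
    """Central choke point. Vertical check (role may do action), then a
    horizontal check (non-admins may only touch objects they own)."""
    allowed = user.role in POLICY.get(action, set())
    if allowed and isinstance(resource, Order) and user.role != "admin":
        allowed = resource.owner == user.name
    AUDIT.append((user.name, action, getattr(resource, "id", None),
                  "ALLOW" if allowed else "DENY"))
    return allowed


def view_order(user: User, order_id: int):
    order = ORDERS.get(order_id)
    if order is None or not authorize(user, "view_order", order):
        return DENIED
    return order


def list_all_orders(user: User):
    if not authorize(user, "list_all_orders"):
        return DENIED
    return list(ORDERS.values())


def delete_user(user: User, target: str):
    if not authorize(user, "delete_user"):
        return DENIED
    return "deleted %s" % target


def replay_as(handler, low_priv_user: User, *args):
    """Testing aid from the checklist: take a request that worked for a
    privileged session and re-issue it under a low-privilege session."""
    return handler(low_priv_user, *args)


def denied_events():
    """Audit entries a monitoring rule would alert on."""
    return [e for e in AUDIT if e[3] == "DENY"]


if __name__ == "__main__":
    alice, root = User("alice", "customer"), User("root", "admin")
    print(view_order(alice, 1))            # her own order
    print(view_order(alice, 2))            # bob's order: DENIED
    print(replay_as(list_all_orders, alice))  # admin request replayed: DENIED
    print(denied_events())
```

The point of the design is that handlers contain no policy of their own: they call `authorize` and act on its answer, so adding a new action means adding a row to `POLICY`, and forgetting the row leaves the action denied rather than silently open.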

On the whole, the best way to prevent this class of attack is to enforce access control consistently throughout the application, on every request to every privileged page and function, rather than on the pages someone remembered to protect. I hope the information in this blog post is helpful to you.

