Owasp Top 10:A5: Broken Access Control (Impact & Mitigation)
what is Broken Access Control?
Broken access control is a very common and very vulnerable vulnerability. Many sites have the potential to accidentally provide access to unauthorized visitors who just cut out a URL that seems to be unsafe and paste it into a browser.
Access control, sometimes called authorization, is how a web application provides access to content and features for some users, not for others. These checks are performed after authentication and determine what “authorized” users are allowed to do. Access control sounds like a simple problem, but it is difficult to implement correctly. The access control model of the web application is closely related to the content and functions that the site provides. In addition, users can fall into a number of groups or roles with different abilities or privileges.
Developers often underestimate the complexity of implementing a reliable access control mechanism. Many of these schemes were not specifically designed, but simply developed along with the website. In these cases, access control rules are inserted in different places throughout the code. As the site approaches deployment, a special collection of rules becomes so cumbersome that it is almost impossible to understand
Many of these incorrect access control schemes are easy to detect and use. Often, all that is required is to create a request for features or content that should not be provided. Once a defect is discovered, the consequences of an incorrect access control scheme can be devastating. In addition to viewing unauthorized content, an attacker can change or delete content, perform unauthorized functions, or even take over the administration of the site.
Technical impact of Broken Access Control
Technical effect: intruders acting as users or administrators, or users using privileged functions or creating, accessing, updating, or deleting each record.
The business impact of Broken Access Control
The impact of the Broken Access Control depends on whether there are useful files found by the attacker and also the permissions of the user running the web application. The kind of thing that could prove particularly problematic is configuration files in predictable locations which contain usernames/passwords which allow an attacker to get additional access.
Mitigation for Broken Access Control
If you’re an API, you’ll be able to get an access control code or API API code.
Except for public resources, you are declined by default. Implementing access control mechanisms throughout the application, including minimizing Cross-origin resource sharing use.
Access control for registration can not accept records, properties, read, update, or delete any records. The business application boundary requirements should not be applied by domain models.
Disable a list of web server directories and make sure you have file metadata and backup files. Records access control errors, notifies administrators when applicable.