Vulnerabilities: What is Broken Access Control and how to fix it

What is Access Control?
Before looking at the vulnerability, let's define access control.
Access control is the mechanism that specifies which information, functions or systems a particular user, group or role is allowed to reach. In other words, it is how an application decides who may access which resources, typically through policies that assign access privileges.
In web applications, access control relies on two protection mechanisms:
Authentication (verifying who the user is)
Authorization (checking whether that user is permitted to access a given resource or perform a given action). Being logged in answers the first question only; Broken Access Control is almost always a failure of the second.
What is a Broken Access Control?
The Broken Access Control vulnerability occurs when a failure or absence of access control mechanisms allows a user to access a resource that is outside of their intended permissions.
This vulnerability is one of the most common in websites: it was ranked fifth (A5) in the OWASP Top 10 2017 (Open Web Application Security Project) and was promoted to the first position (A01) in the 2021 edition.
Because so many different mistakes involve access control, several well-known vulnerabilities fall under the Broken Access Control category, among them:
IDOR (Insecure Direct Object Reference)
CSRF (Cross-Site Request Forgery)
CORS (Cross-Origin Resource Sharing) misconfiguration
The CWE (Common Weakness Enumeration) classifies it as CWE-284: Improper Access Control. You can consult that CWE entry for further details.
Broken Access Control Risks
The impact of this vulnerability depends on which resources and functions the attacker manages to reach on the company's server.
In practice, the consequences range from information leaks (reading other users' data) to the alteration or deletion of sensitive or confidential data, and in the worst case full administrative control of the application.
Common case
Broken Access Control in administrative functions
A website allows administrators to list their users' emails from a URL similar to the following.
https://sitio-inseguro.com/admin/listar_mails
There could be two possible Broken Access Control scenarios here:
An unauthenticated user can access the URL and obtain the list of e-mails.
An authenticated user who is not an administrator can access the URL and obtain the list of e-mails.
In both cases, the application would be vulnerable.
Tips to prevent it
Preventing this vulnerability can be complex, since many different scenarios can lead to it. There are, however, good practices that mitigate it:
Implement access control correctly, defining roles and permissions and enforcing them on the server side for every request, not only in the user interface.
Where a resource is accessed by its ID (a user, post or order number taken from the URL or request body), add an object-level check that the requester is actually authorized for that specific object (for example, that they own it), rather than only checking that they are logged in.
Deny access to your resources by default, unless you explicitly want them to be public.
What a Broken Access Control looks like in code
Suppose a website allows its users to register and post blog articles.
During this registration, the user must provide data such as their email and name, and site administrators can see this information from a menu (only accessible to administrators) that has the option "See all emails." This would be the resulting URL:
https://site-inseguro.com/admin/ver_todos_los_mails.php
The code that runs behind that URL (not reproduced here) does require the user to log in before loading the e-mail list, but it does not check their role or permissions.
Therefore, the application is vulnerable since an authenticated user but without permissions can access a functionality intended only for administrators .
Solution
The server should also check what roles or permissions the user has when accessing the resource. To do this, it would be necessary to modify the code so that it contains the following:
if (isset($_SESSION['loggedin']) && isset($_SESSION['isadmin']) && $_SESSION['isadmin'] === true) {
    // Authenticated and holds the admin role: show the list
    load_emails();
} else {
    // Anonymous, or authenticated without the admin role
    return_to_login();
}
In this way, any user who is not authenticated, or who is authenticated but not authorized (i.e. not an administrator), is redirected to the login page. For this to be effective, the role flag must be set on the server when the user logs in and stored only in the server-side session; if it were read from a cookie, hidden form field or request parameter, the user could simply set it themselves.
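The following is an added example, not code from the original article, that models the same flaw and its fix in plain Python rather than the article's PHP, and extends it with the two other tips given earlier (deny by default through a permission table, and an object-level ownership check for resources reached by ID). The user table, post ownership, permission names and function names are all this example's own assumptions; a real application would take them from its database and framework.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample data (not from the article): registered blog users and
# which user owns which post. In a real application these come from the DB.
USERS = {
    1: {"name": "alice", "email": "alice@example.com", "role": "admin"},
    2: {"name": "bob",   "email": "bob@example.com",   "role": "user"},
    3: {"name": "carol", "email": "carol@example.com", "role": "user"},
}
POST_OWNERS = {10: 2, 11: 3}  # post_id -> owner's user_id

# Role -> permissions. Anything not listed here is denied by default.
PERMISSIONS = {
    "admin": {"list_emails", "edit_post"},
    "user":  {"edit_post"},
}


@dataclass
class Session:
    """Server-side session. user_id is set only by the login routine,
    never copied from a cookie or request parameter."""
    user_id: Optional[int] = None

    @property
    def logged_in(self) -> bool:
        return self.user_id is not None and self.user_id in USERS

    @property
    def role(self) -> Optional[str]:
        return USERS[self.user_id]["role"] if self.logged_in else None


def vulnerable_list_emails(session: Session) -> Tuple[int, Optional[List[str]]]:
    """The article's flaw: only 'is the user logged in?' is checked, so any
    registered user can pull every e-mail address."""
    if not session.logged_in:
        return 302, None  # redirect to login
    return 200, [u["email"] for u in USERS.values()]


def is_allowed(session: Session, permission: str) -> bool:
    """Central authorization check. Anonymous users, unknown roles and
    missing permissions all fall through to False (deny by default)."""
    if not session.logged_in:
        return False
    return permission in PERMISSIONS.get(session.role, set())


def deny(session: Session) -> Tuple[int, None]:
    """Anonymous -> redirect to login; authenticated but unauthorized -> 403."""
    return (302 if not session.logged_in else 403), None


def list_emails(session: Session) -> Tuple[int, Optional[List[str]]]:
    """Hardened version of the admin e-mail listing: role check, not just login."""
    if not is_allowed(session, "list_emails"):
        return deny(session)
    return 200, [u["email"] for u in USERS.values()]


def edit_post(session: Session, post_id: int) -> Tuple[int, None]:
    """Object-level check for an ID taken from the URL: holding the
    'edit_post' permission is not enough, the post must belong to the
    caller (administrators excepted). This is the IDOR case from the tips."""
    if not is_allowed(session, "edit_post"):
        return deny(session)
    owner = POST_OWNERS.get(post_id)
    if owner is None:
        return 404, None
    if owner != session.user_id and session.role != "admin":
        return 403, None  # someone else's post: blocked
    return 200, None


if __name__ == "__main__":
    bob = Session(user_id=2)
    print("vulnerable, bob:", vulnerable_list_emails(bob))   # 200 and every e-mail
    print("hardened,   bob:", list_emails(bob))              # 403
    print("bob edits carol's post:", edit_post(bob, 11))     # 403
```

Note that `edit_post` answers 404 for an unknown ID and 403 for someone else's post; some teams return 404 in both cases so that a probing attacker cannot learn which IDs exist. Either way, the decision is made in one place (`is_allowed` plus the ownership test) and every handler goes through it, which is what makes the deny-by-default rule enforceable.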
A pentest never hurts
Broken Access Control vulnerabilities are very common, not only because developers rarely test the negative cases (what a user should not be able to do), but also because automated static and dynamic analysis tools struggle to detect them: the tool cannot know which user is supposed to be allowed to see which resource.
For this reason, an ethical hacking exercise (penetration testing, i.e. manual intrusion tests or a pentest) in which a tester deliberately exercises every function with the wrong user, the wrong role and the wrong object ID is the most practical way to detect these flaws in time and fix them at the root.
Conclusion
The Broken Access Control vulnerability usually appears when there are errors in the implementation of access controls.
Although it may seem like a simple and harmless vulnerability, its impact can be critical and the difficulty of finding it using automated tools can make it go unnoticed.
Consider following the good practices outlined above and periodically performing penetration tests to find this and any other types of vulnerabilities.