Broken Access Control

Broken access control is describe as vulnerabilities related to user authorization. Websites need to allow certain permissions for public users and must have an administrator who can allow or deny certain privileges to others users.

Example

An attacker force browses to target URLs. Admin rights are required for access to the admin page.

        http://example.com/app/app_image

        http://example.com/app/admin_Page

    

If an unauthenticated user can access either of the pages it’s a flaw. If a non-admin can access the admin page that is also a flaw.

Impact

  • Allowing the primary key to be changed to another users record and permitting viewing or editing someone else’s account.

  • privilege escalation, Acting as a user or admin without being logged in.

  • Bypassing access control checks by modifying the URL, HTML page or using a custom API attack tool.

Mitigation / Precaution

  • use a central application component to verify access control.

  • Drive all the access control decisions from a lower privileged user’s session

Related Articles