About Us
Get in Touch

Horizontal Privilege Escalation - Broken Access Control

Article
5 mins read

With an average incidence rate of 3.81%, Broken Access Control is one of the most common web application security vulnerabilities in the OWASP Top.

Broken Access Control is a security vulnerability in web applications that occurs when access controls are not implemented or maintained correctly. Access controls are measures that determine who can access a particular resource or area, and if they are broken, unauthorized access to sensitive information or systems can occur.

One example of this vulnerability is Insecure Direct Object References (IDORs). IDORs happen when attackers can manipulate a parameter value in a web application to access resources they should not have access to. For instance, an attacker can manipulate the ID parameter to access another user's data if a web application uses numeric IDs to identify users or resources.

This vulnerability is prevalent in web applications, with an average incidence rate of 3.81%. It is one of the most common web application security vulnerabilities in the OWASP Top 10 list.

To prevent vulnerabilities related to Broken Access Control, organizations need to deploy security measures, including but not limited to input validation, authorization controls, and proper session management. Input validation ensures user input is free of malicious code or special characters that can manipulate the application. Adequate session management ensures that user sessions are secure and cannot be hijacked. Authorization controls provide that users can only access the resources they are authorized to access.

A well-designed system that considers all potential security risks is crucial. Organizations should identify all access points and resources that need to be protected and develop access control policies that define who can access those resources and under what conditions. Regular testing of access controls is also essential to ensure they function as intended.

Server-side access control is the most reliable method for preventing IDOR vulnerabilities and attacks. Web applications should rely on this approach to avoid tampering rather than client-side access controls that attackers easily bypass.

Organizations must implement security measures to prevent Broken Access Control vulnerabilities, including input validation, proper session management, and authorization controls. A well-designed system that considers all potential security risks is essential. Access validation using server-side access control is the most reliable way to prevent IDOR vulnerabilities and attacks.

Horizontal privilege escalation is a type of security vulnerability that occurs when a user or an attacker with a certain level of privilege or access gains unauthorized access to resources or functionality intended for another user with the same privilege or access level. In other words, it is when a user or an attacker can move laterally through the system and access data or functionality that they are not authorized to access.

For example, if a user with editor privileges can access and modify content meant for an administrator, that would be considered a horizontal privilege escalation. Similarly, if a user can bypass access controls and access data or functionality intended for another user at the same privilege level, that would also be considered a horizontal privilege escalation.

Horizontal privilege escalation can be a serious security threat, allowing an attacker to access sensitive data or functionality and cause a data breach. Preventing horizontal privilege escalation requires implementing proper access controls and permission checks to ensure that users can only access resources or functionality that they are authorized to access.

class BankAccount:
   def __init__(self, balance):
       self.balance = balance
   
   def withdraw(self, amount):
       if amount > self.balance:
           print("Insufficient balance!")
       else:
           self.balance -= amount
           print(f"Withdrawal successful. New balance: {self.balance}")
   
class Customer:
   def __init__(self, name, balance):
       self.name = name
       self.account = BankAccount(balance)
   
   def withdraw(self, amount):
       self.account.withdraw(amount)
   
customer = Customer("John", 1000)
customer.withdraw(5000) # Vulnerability: Customer is able to withdraw more than their account balance

In the above example, the Customer class has a method withdraw() which calls the withdraw() method of the BankAccount class. However, the withdraw() method of the BankAccount class does not check if the customer is authorized to withdraw the requested amount. This allows the customer to withdraw more than their account balance, which is a vertical privilege escalation vulnerability.

To fix this vulnerability, we can add an authorization check in the BankAccount class to ensure that the customer is only able to withdraw the amount they are authorized to withdraw. Here's an updated version of the code with the vulnerability fixed:


class BankAccount:
   def __init__(self, balance):
       self.balance = balance
   
   def withdraw(self, amount, authorized):
       if amount > self.balance:
           print("Insufficient balance!")
       elif amount > authorized:
           print("Not authorized to withdraw this amount!")
       else:
           self.balance -= amount
           print(f"Withdrawal successful. New balance: {self.balance}")
   
class Customer:
   def __init__(self, name, balance):
       self.name = name
       self.account = BankAccount(balance)
   
   def withdraw(self, amount, authorized):
       self.account.withdraw(amount, authorized)
   
customer = Customer("John", 1000)
customer.withdraw(5000, 1000) # Fix: Customer is only able to withdraw up to their authorized amount

In the fixed version, the BankAccount class now checks if the requested amount is greater than the authorized amount before processing the withdrawal request. The Customer class now passes the authorized amount along with the withdrawal request to ensure that the customer is only able to withdraw up to their authorized amount.

Prevention

  • Role-based access control: Implement a role-based access control (RBAC) system to ensure that users are only granted access to the resources and functionality they are authorized to use. RBAC allows you to define different user roles and assign permissions based on those roles. You can use a Python package such as Flask-Security to implement RBAC in your application.
  • Parameterized queries: Use parameterized queries when querying the database to prevent SQL injection attacks, which could be used to escalate privileges. Parameterized queries help to prevent the user from inserting malicious code into the query, as the input is properly sanitized.
  • Input validation: Validate all input received from users to prevent attacks that could bypass security controls. Ensure that all input is properly sanitized and validated before it is used in the application.
  • Proper error handling: Implement proper handling in your application to prevent error messages that could be used to gain information about the application's internal structure or bypass security controls.
  • Access logging: Implement access logging to track user activities and identify any suspicious behavior. Access logs can be used to identify any attempts to escalate privileges and take appropriate actions to prevent them.

Note: The the code is written for the purpose of illustration, and not for implementation.

The image used in this article was generated with the assistance of AI.

Get a free consultation

Talk to our team of experts to learn more.

Get in touch
Reach out to us
Service Inquiry: hi@bizserveit.comCareer Inquiry: career@bizserveit.com
Company
About UsBlogsContactTerms of UsePrivacy Policy
Services
VAPTInformation Security AuditApplication Security TestingSwift AssessmentSecurity Awareness TrainingDevelopment Security Operations
© Biz Serve IT Pvt. Ltd.