Broken Access Control is a security vulnerability in web applications that occurs when access controls are not implemented or maintained correctly. Access controls are measures that determine who can access a particular resource or area, and if they are broken, unauthorized access to sensitive information or systems can occur.
One example of this vulnerability is Insecure Direct Object References (IDORs). IDORs happen when attackers can manipulate a parameter value in a web application to access resources they should not have access to. For instance, an attacker can manipulate the ID parameter to access another user's data if a web application uses numeric IDs to identify users or resources.
This vulnerability is prevalent in web applications, with an average incidence rate of 3.81%. It is one of the most common web application security vulnerabilities in the OWASP Top 10 list.
To prevent vulnerabilities related to Broken Access Control, organizations need to deploy security measures, including but not limited to input validation, authorization controls, and proper session management. Input validation ensures user input is free of malicious code or special characters that can manipulate the application. Adequate session management ensures that user sessions are secure and cannot be hijacked. Authorization controls provide that users can only access the resources they are authorized to access.
A well-designed system that considers all potential security risks is crucial. Organizations should identify all access points and resources that need to be protected and develop access control policies that define who can access those resources and under what conditions. Regular testing of access controls is also essential to ensure they function as intended.
Server-side access control is the most reliable method for preventing IDOR vulnerabilities and attacks. Web applications should rely on this approach to avoid tampering rather than client-side access controls that attackers easily bypass.
Organizations must implement security measures to prevent Broken Access Control vulnerabilities, including input validation, proper session management, and authorization controls. A well-designed system that considers all potential security risks is essential. Access validation using server-side access control is the most reliable way to prevent IDOR vulnerabilities and attacks.
Horizontal privilege escalation is a type of security vulnerability that occurs when a user or an attacker with a certain level of privilege or access gains unauthorized access to resources or functionality intended for another user with the same privilege or access level. In other words, it is when a user or an attacker can move laterally through the system and access data or functionality that they are not authorized to access.
For example, if a user with editor privileges can access and modify content meant for an administrator, that would be considered a horizontal privilege escalation. Similarly, if a user can bypass access controls and access data or functionality intended for another user at the same privilege level, that would also be considered a horizontal privilege escalation.
Horizontal privilege escalation can be a serious security threat, allowing an attacker to access sensitive data or functionality and cause a data breach. Preventing horizontal privilege escalation requires implementing proper access controls and permission checks to ensure that users can only access resources or functionality that they are authorized to access.
class BankAccount:
def __init__(self, balance):
self.balance = balance
def withdraw(self, amount):
if amount > self.balance:
print("Insufficient balance!")
else:
self.balance -= amount
print(f"Withdrawal successful. New balance: {self.balance}")
class Customer:
def __init__(self, name, balance):
self.name = name
self.account = BankAccount(balance)
def withdraw(self, amount):
self.account.withdraw(amount)
customer = Customer("John", 1000)
customer.withdraw(5000) # Vulnerability: Customer is able to withdraw more than their account balance
In the above example, the Customer class has a method withdraw() which calls the withdraw() method of the BankAccount class. However, the withdraw() method of the BankAccount class does not check if the customer is authorized to withdraw the requested amount. This allows the customer to withdraw more than their account balance, which is a vertical privilege escalation vulnerability.
To fix this vulnerability, we can add an authorization check in the BankAccount class to ensure that the customer is only able to withdraw the amount they are authorized to withdraw. Here's an updated version of the code with the vulnerability fixed:
class BankAccount:
def __init__(self, balance):
self.balance = balance
def withdraw(self, amount, authorized):
if amount > self.balance:
print("Insufficient balance!")
elif amount > authorized:
print("Not authorized to withdraw this amount!")
else:
self.balance -= amount
print(f"Withdrawal successful. New balance: {self.balance}")
class Customer:
def __init__(self, name, balance):
self.name = name
self.account = BankAccount(balance)
def withdraw(self, amount, authorized):
self.account.withdraw(amount, authorized)
customer = Customer("John", 1000)
customer.withdraw(5000, 1000) # Fix: Customer is only able to withdraw up to their authorized amount
In the fixed version, the BankAccount class now checks if the requested amount is greater than the authorized amount before processing the withdrawal request. The Customer class now passes the authorized amount along with the withdrawal request to ensure that the customer is only able to withdraw up to their authorized amount.
Prevention
Note: The the code is written for the purpose of illustration, and not for implementation.
The image used in this article was generated with the assistance of AI.