The New King “Broken Access Control”


The King (the Injection Bug), who ruled the bug world for more than a decade, has now been conquered by the New King, known as “Broken Access Control”.

Let’s keep it simple about the New King!

What is Access Control?
Access control enforces policy such that users cannot act outside of their intended permissions.

What is a Broken Access Control vulnerability?
Failures of Access Control policy typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user’s limits.

Broken Access Control issues revolve around 3 basic things:
1. Authentication: Who are you? (Verifies the user identities)
2. Authorization: What are you allowed to do? (Determines the user permissions)
3. Session Management: Sequence of network HTTP request and response transactions associated with the same user.

Access Control types:
Horizontal Access Control: A banking application will allow a user to view transactions and make payments from their accounts, but not the accounts of any other user.
Vertical Access Control: An administrator might be able to modify or delete any user’s account, while an ordinary user has no access to these actions.

Broken Access Control typically covers several types of attack, including:
1. Bypassing access control checks by modifying or tampering with the URL.
2. IDOR (Real World Scenario)
3. Privilege Escalation (for example, acting as an admin when logged in as a user).
4. Tampering with a JSON Web Token or manipulating a cookie field to elevate privileges.
5. CORS Misconfiguration.
6. Force browsing to an authenticated page as an unauthenticated user.

Example:
Force Browsing scenario:
An attacker simply enters target URLs like the ones below:
https://attacker.com/app/getappInfo
https://attacker.com/app/admin_getappInfo
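
The server-side check that stops the force-browsing requests above, and that also enforces the horizontal and vertical access control types described earlier, can look like the following. This is an added example, not code from the original post; the Session type, the policy table, the /app/accounts/ route and the sample account data are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Session:
    user_id: str
    role: str  # "user" or "admin"

ROLE_RANK = {"user": 1, "admin": 2}

# Constructed policy: exact path -> minimum role. Anything not listed is denied.
ROUTE_MIN_ROLE = {
    "/app/getappInfo": "user",
    "/app/admin_getappInfo": "admin",
}
# Hypothetical per-account route (not on the page) for the horizontal check.
ACCOUNT_PREFIX = "/app/accounts/"
ACCOUNT_OWNER = {"1001": "alice", "1002": "bob"}  # constructed sample data


def authorize(path: str, session: Optional[Session]) -> int:
    """Return the HTTP status for a request; run on the server for every request."""
    is_account = path.startswith(ACCOUNT_PREFIX)
    required = "user" if is_account else ROUTE_MIN_ROLE.get(path)
    if required is None:
        return 404  # deny by default: unlisted paths are never served
    if session is None:
        return 401  # force browsing without authentication
    if ROLE_RANK.get(session.role, 0) < ROLE_RANK[required]:
        return 403  # vertical control: ordinary user requesting an admin function
    if is_account:
        owner = ACCOUNT_OWNER.get(path[len(ACCOUNT_PREFIX):])
        if session.role != "admin" and owner != session.user_id:
            # horizontal control: not the caller's account; a missing account
            # gets the same answer so account ids cannot be enumerated
            return 403
        if owner is None:
            return 404
    return 200


if __name__ == "__main__":
    alice = Session("alice", "user")
    for path, sess in [("/app/admin_getappInfo", None),
                       ("/app/admin_getappInfo", alice),
                       ("/app/accounts/1002", alice),
                       ("/app/accounts/1001", alice)]:
        print(path, sess.user_id if sess else "anonymous", authorize(path, sess))
```

The decision depends only on the server-side session and policy, never on whether the client was shown a link to the page.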

Common Attacks:
1. Access to admin pages.
2. Directory Traversal
3. Local File Inclusion
4. Remote File Inclusion.

Impact:
Attackers acting as users or administrators, or users using privileged functions, can create, access, update, or delete every record.

Mitigations:
1. Don’t rely only on obfuscation.
2. Minimize CORS usage.
3. Rate-limit API access.
4. JWT tokens should be invalidated on the server after logout.

This is my First Medium Blog…Hope I didn’t disappoint much. Thank you!

