LEFT SIDEBAR AD

Hidden in mobile, Best for skyscrapers.

The New King “Broken Access Control”

2 years ago 116
BOOK THIS SPACE FOR AD
ARTICLE AD

The King (Injection Bug) who was ruling the bug world for more than a decade is now conquered by the New King known as “Broken Access Control”.

Let’s keep it simple about the New King!

What is Access Control?
Access control enforces policy such that users cannot act outside of their intended permissions.

What is a Broken Access Control vulnerability?
Failures of Access Control policy typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user’s limits.

Broken Access Control issue revolves around the 3 basic things:
1. Authentication: Who are you? (Verifies the user identities)
2. Authorization: What are you allowed to do? (Determines the user permissions)
3. Session Management: Sequence of network HTTP request and response transactions associated with the same user.

Access Control types:
Horizontal Access Control: A banking application will allow a user to view transactions and make payments from their accounts, but not the accounts of any other user.
Vertical Access Control: an administrator might be able to modify or delete any user’s account, while an ordinary user has no access to these actions.

Broken access Control typically contains several types of attacks included:
1. Bypassing access control checks by modifying the URL or tampering the URL.
2. IDOR (Real World Scenario)
3. Privilege Escalation (For ex: Acting as an admin when logged in as a user).
4. Tampering JSON web token or manipulating cookie field to elevate privilege.
5. CORS Misconfiguration.
6. Force browsing to authenticated page as an unauthenticated user.

Example:
Force Browsing scenario:
An attacker simply entering the target URLs like below:
https://attacker.com/app/getappInfo
https://attacker.com/app/admin_getappInfo

Common Attack:
1. Access to admin pages.
2. Directory Traversal
3. Local File Inclusion
4. Remote File Inclusion.

Impact:
Attackers act as users or administrators, or users using privileged functions or creating, accessing, updating, or deleting every record.

Mitigation Factor:
1. Don’t rely only on obfuscation.
2. Minimize CORS usage.
3. Rate Limit API
4. JWT tokens should be invalidated on the server after logout.

This is my First Medium Blog…Hope I didn’t disappoint much. Thank you!

References:
1.https://owasp.org/Top10/A01_2021-Broken_Access_Control/
2.https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
3.https://owasp.org/www-community/Broken_Access_Control
4. And few researchers blog…

Read Entire Article
  3. The New King “Broken Access Control”

Related

How to baypass scaping filter(\)

How to baypass scaping filter(\)

How We Prevented a Mass Breach On One OF The Biggest CryptoCurrency Gateways On A Web3 Platform.

How We Prevented a Mass Breach On One OF The Biggest CryptoCurrency Gateways On A Web3 Platform.

The Ultimate Guide to CISSP’s Eight Security Territories

The Ultimate Guide to CISSP’s Eight Security Territories

Unraveling the Nuances of 403 Bypass: Strengthening Web Application Security

Unraveling the Nuances of 403 Bypass: Strengthening Web Application Security

Private Interact.sh server setup with a web dashboard

Private Interact.sh server setup with a web dashboard

Found Multiple Bugs :: XSS, MITM, Sec-MisConf :: In an Educational Site

Found Multiple Bugs :: XSS, MITM, Sec-MisConf :: In an Educational Site

Trending

1. Gurucharan Singh
2. Delhi Arvind Kejriwal
3. Rathnam Movie Review
4. Tech Mahindra
5. NBSE Result 2024
6. Tejasvi Surya
7. HUDCO share price
8. Bajaj Finance share price
9. Laapataa Ladies
10. Yodha

Popular

1-click RCE in Electron Applications

1-click RCE in Electron Applications

Install waybackurls on Kali Linux

Install waybackurls on Kali Linux

Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Microsoft Office Professional Plus 2019 (x64 & x86) Multilingual + Pre-Activated

Microsoft Office Professional Plus 2019 (x64 & x86) Multilingual + Pre-Activated

Install DalFox on Kali Linux

Install DalFox on Kali Linux

Adobe Master Collection CC 2022 v25.08.2022 (x64) Multilingual Pre-Activated

Adobe Master Collection CC 2022 v25.08.2022 (x64) Multilingual Pre-Activated

‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market

‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market

Maxon CINEMA 4D Studio S22.123 (x64) Multilingual + Crack

Maxon CINEMA 4D Studio S22.123 (x64) Multilingual + Crack

Just Gopher It: Escalating a Blind SSRF to RCE for $15k

Just Gopher It: Escalating a Blind SSRF to RCE for $15k

SketchUp Pro 2020 v20.2.172 (x64) Multilingual + Patch

SketchUp Pro 2020 v20.2.172 (x64) Multilingual + Patch

BOOK THIS SPACE FOR AD
RIGHT SIDEBAR BOTTOM AD
Bengali (Bangladesh) Bengali (Bangladesh) · English (United States) English (United States) ·
About Us · Terms & Condition · Contact Us
© Security Alert 2024. All rights are reserved