OWASP A5 Update: Broken Access Control
This article covers the OWASP A5 update: broken access control.
In 2017, the Open Web Application Security Project (OWASP) announced a major update to its Top Ten Web Application Security Risks list. Last updated in 2013, the OWASP list is considered an important reference document for both developers and managers. After two drafts and public comment, the final 2017 version was released in November.
Newly added in 2017, broken access control ranks fifth on OWASP’s list of web application security risks. It includes insecure direct object references (ranked fourth in 2013) and lack of functional-level access control (ranked seventh in 2013).
What is broken access control?
For operational purposes, each site must grant permissions to administrators and, in some cases, users. Admins manage and edit content and users can interact as they are allowed to, such as creating an account. This feature is useful until it falls into the wrong hands; thieves can manipulate information, steal money or data, and even lock out legitimate owners.
Access control can be strong at first, but weaken as the site grows. Inconsistencies may appear when the rules are written into the new code. If different levels of access are needed or added, this can further complicate the issue.
Broken access control is very common and highly exploitable; many sites may unwittingly grant access to unauthorized visitors who simply cut and paste a supposedly secure URL into their browser.
How can I detect broken access control?
First, examine your access policy. Do you have written instructions that outline the various permissions needed, as well as a design document to help you enforce this? If not, you’re probably vulnerable.
Both code review and penetration testing are necessary to highlight the specific points where these vulnerabilities exist. You also want to understand how users and administrators access the site, often through a remote access portal. A thorough audit of granted permissions and available data is also essential.
How can I prevent a breach of access control?
Access control should be implemented and enforced through an access control matrix that will define rules for each type of user. These access points should be rigorously tested by creating different accounts and trying to access unauthorized areas.
Other recommendations include:
- Check the permissions of individual files, not just directories. Make sure that configuration files, default files, and scripts are not accessible to the public. Also restrict access to directories and executable files.
- Limit caching. Client-side caching helps speed up websites, but cached copies of restricted pages can later be accessed by others. Use HTTP cache-control headers and meta tags to keep restricted pages from being stored and reloaded from the cache.
- Do not rely on “presentation access control”. Eliminating the navigation button won’t stop hackers from getting there. Make sure every page is verified.
- Use the OWASP Zed Attack Proxy Project (ZAP). It is a free open-source security tool for finding vulnerabilities in applications.
- Limit remote management permissions as much as possible.
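The following is an added example, not code from the original article, showing a deny-by-default access control matrix enforced on every request, with an ownership check so that a user cannot reach another user's record by editing an id in the URL. The role names, actions and in-memory account table are constructed for illustration.

```python
# Added example: deny-by-default access control matrix plus object ownership check.
# Roles, actions, and the ACCOUNTS table are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

# Access control matrix: (role, action) -> allowed. Anything not listed is denied.
ACCESS_MATRIX = {
    ("admin", "view_account"): True,
    ("admin", "edit_account"): True,
    ("admin", "manage_users"): True,
    ("user", "view_account"): True,
    ("user", "edit_account"): True,
}

# Constructed sample data: account id -> owning user id
ACCOUNTS = {101: "alice", 102: "bob"}

@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str

class AccessDenied(Exception):
    pass

def is_allowed(principal: Principal, action: str) -> bool:
    """Function-level check against the matrix; unknown roles or actions are denied."""
    return ACCESS_MATRIX.get((principal.role, action), False)

def authorize(principal: Principal, action: str, account_id: Optional[int] = None) -> None:
    """Enforce the matrix and, when an object id is supplied, ownership (admins exempt).
    Raises instead of returning a flag so a forgotten check fails closed."""
    if not is_allowed(principal, action):
        raise AccessDenied(f"{principal.role} may not {action}")
    if account_id is not None and principal.role != "admin":
        # Same error whether the account is someone else's or does not exist,
        # so the response does not reveal which ids are valid.
        if ACCOUNTS.get(account_id) != principal.user_id:
            raise AccessDenied(f"{principal.role} may not {action}")

def handle_request(principal: Principal, action: str, account_id: Optional[int] = None) -> str:
    """Simulated request handler: authorization runs before any data is touched."""
    try:
        authorize(principal, action, account_id)
    except AccessDenied:
        return "403 Forbidden"
    if account_id is None:
        return f"200 OK: {action}"
    return f"200 OK: {action} on account {account_id}"
```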
How is broken access control used in attacks?
Consider the following attack scenarios:
- In 2012, hackers gained access to IRS servers in South Carolina through a default administrator password and stole 3.6 million Social Security numbers.
- A website that exposes the user role in the URL, e.g. http://web/user/account. A hacker could simply change the URL to http://website/admin/account and bypass any password or other checks.
- A brute force password attack could crack an admin panel that has a weak or default password.
- Insecure direct object references are variables that can be manipulated by the recipient and used to retrieve additional data. For example, a user can retrieve a list of passwords or access other files simply by editing parameters in the browser's URL bar.
How can I learn more about Secure Coding & Pentesting?
The Infosec Institute offers developers modules for secure coding through its SecurityIQ training platform, including a module for non-functional access control. These modules will help you further understand and implement OWASP recommendations.
SecurityIQ integrates security training, phishing simulations and personalized learning into one platform. It evolves with security capabilities, staff roles (including web development) and learning styles to create a personalized and engaging learning experience. You can try the training modules in SecurityIQ with a free account. Learn more here.