
Broken Access Controls — Protect The Fortress!

  • Writer: Jen C
  • Oct 21

Published on Medium.com


Broken access control is a failure to enforce what a given user (or an anonymous visitor) is actually permitted to see or do. It can be exploited deliberately by an attacker or triggered by accident, and it shows up in forms such as:

  • Injection flaws: untrusted input is interpreted as part of a command or query. A SQL injection in a login or lookup query, for example, can bypass the authorization check entirely.

  • Cross-site scripting (XSS): untrusted input is echoed into page output and runs in the victim's browser, where it can steal the session token that every later access control decision relies on.

  • Broken authentication/session management: the application fails to verify credentials properly or to protect session identifiers, so an attacker can act as another user.

  • Inadequate role-based authorization or missing function-level access control: a user can invoke functionality beyond their permission (an admin endpoint, a bulk export) because the check exists only in the user interface, or not at all.

  • URL tampering: editing the path or the query parameters (changing role=user to role=admin, removing a path segment, guessing an unlinked admin URL) to reach restricted areas or resources.

  • Session fixation: an attacker forces a victim to use a session ID the attacker already knows; once the victim logs in, the attacker holds an authenticated session.

  • Allowing unauthorized domains to read responses through improperly configured cross-origin resource sharing (CORS), such as reflecting any Origin header back with credentials allowed.

  • Accessing another user's data by changing the object identifier in a URL, because the application exposed the identifier directly and never re-checked that the caller is authorized for that particular object (IDOR, insecure direct object reference).
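As an added example (not code from the original post), the two bugs below show the last two list items side by side with their fixed forms: an invoice lookup that trusts the ID from the URL (IDOR) versus one that re-checks ownership, and a login that keeps the pre-authentication session ID (session fixation) versus one that rotates it. The invoice records, user names and session IDs are constructed for illustration.

```python
# Added illustration, not from the original post. All data is constructed.
import secrets

# Constructed sample data: invoices keyed by a sequential, guessable ID.
INVOICES = {
    101: {"owner": "alice", "amount": 120.00},
    102: {"owner": "bob", "amount": 980.50},
}


# --- IDOR ---------------------------------------------------------------
def get_invoice_vulnerable(current_user, invoice_id):
    """Looks the object up by the identifier taken straight from the URL.
    Any logged-in user who changes ?id=101 to ?id=102 receives bob's invoice;
    current_user is never consulted."""
    return INVOICES.get(invoice_id)


def get_invoice_fixed(current_user, invoice_id):
    """Same lookup, but the server re-checks that the caller owns the object.
    Missing and foreign objects both return None, so the response does not
    tell an attacker which IDs exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != current_user:
        return None
    return invoice


# --- Session fixation ---------------------------------------------------
SESSIONS = {}  # session_id -> username, None until authenticated


def start_session(session_id=None):
    """Vulnerable behaviour: if the client presents a session ID (for example
    from a link the attacker crafted), the server adopts it instead of
    minting its own."""
    if session_id is None:
        session_id = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, None)
    return session_id


def login_vulnerable(session_id, username):
    """Keeps the pre-authentication session ID. Whoever planted that ID now
    holds an authenticated session for the victim."""
    SESSIONS[session_id] = username
    return session_id


def login_fixed(session_id, username):
    """Rotates the session ID on authentication: the old, possibly
    attacker-known ID is invalidated and a fresh unguessable one is issued."""
    SESSIONS.pop(session_id, None)
    new_id = secrets.token_urlsafe(32)
    SESSIONS[new_id] = username
    return new_id


def whoami(session_id):
    """Returns the authenticated user for a session ID, or None."""
    return SESSIONS.get(session_id)
```

The ownership check belongs on the server, next to the data access; hiding the ID in the page or making it look random is not a substitute. Likewise, rotating the session ID at login (and again at any privilege change) is what closes fixation, regardless of how the attacker got the ID to the victim.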


How can we prevent or mitigate broken access control? There are several ways to stop unauthorized individuals from "entering an area or using a resource", all of them applications of defense in depth and least privilege:


  • Follow "deny by default": every function and resource is inaccessible unless it is explicitly marked public or explicitly granted to the caller's role.

  • Make sure there are robust authentication and authorization mechanisms in place, enforced server-side on every request rather than only in the user interface.

  • Validate user inputs, but do not treat validation as the access control: a well-formed identifier or parameter still has to be checked against what the caller is permitted to touch.

  • Secure session management: unguessable session IDs, rotation at login and at any privilege change, and invalidation on logout and after a timeout.

  • Keep CORS tight: allowlist exact trusted origins rather than reflecting the request's Origin header or using a wildcard, and still enforce authorization inside the application regardless of origin.

  • Access validation on every request: when a request tries to read or modify a record or call a function, the server checks the caller's identity and entitlement for that specific object or action. No entitlement? Access is denied, and the denial is logged so tampering attempts become visible.

  • Test and audit the controls you put in place! Regularly review and update access control policies, include tests for horizontal (another user's data) and vertical (a higher role's functions) privilege escalation in routine testing, and conduct regular security audits.
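The first, second, fifth and sixth items above fit together as one server-side authorizer. As an added example, not code from the original post, the following builds a deny-by-default route policy for function-level access control and an exact-match CORS origin allowlist; the roles, routes and origins are constructed for illustration.

```python
# Added illustration, not from the original post. Routes, roles and origins
# are constructed.

# Allowlist of (method, path) -> roles permitted. Anything not listed is
# denied, so forgetting to register a new admin route fails closed instead
# of open.
ROUTE_POLICY = {
    ("GET", "/reports"): {"user", "auditor", "admin"},
    ("POST", "/reports"): {"user", "admin"},
    ("DELETE", "/reports"): {"admin"},
    ("GET", "/admin/users"): {"admin"},
}

# The only exception to deny-by-default: routes explicitly marked public.
PUBLIC_ROUTES = {("GET", "/"), ("GET", "/login"), ("POST", "/login")}


def is_authorized(method, path, roles=None):
    """Function-level access control decision for one request.

    `roles` is the set of roles of the authenticated caller, or None for an
    anonymous request. The policy must be evaluated on the same canonical
    path the router dispatches on, otherwise trailing slashes or case
    differences become a bypass.
    """
    key = (method.upper(), path)
    if key in PUBLIC_ROUTES:
        return True
    if not roles:                      # unauthenticated: nothing else is reachable
        return False
    allowed = ROUTE_POLICY.get(key)
    if allowed is None:                # unregistered route: deny by default
        return False
    return bool(set(roles) & allowed)  # caller must hold a permitted role


# CORS: exact-match allowlist. Reflecting the Origin header back, or
# matching it as a prefix/substring, would let any site read authenticated
# responses from a victim's browser.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_headers(origin):
    """Returns the CORS response headers for a trusted origin, or nothing."""
    if origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}


def handle_request(method, path, roles=None, origin=None):
    """Ties the two checks together: a 403 for any request the policy does
    not explicitly allow, CORS headers only for allowlisted origins."""
    if not is_authorized(method, path, roles):
        return 403, {}
    return 200, cors_headers(origin)
```

Note that the CORS allowlist and the authorization decision are independent: a trusted origin does not grant access, and a denied request gets no CORS headers, so a cross-origin caller learns nothing it could not learn from the same-origin 403.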


This is just a small excerpt on Broken Access Control. Check out more at OWASP.org: https://owasp.org/Top10/A01_2021-Broken_Access_Control/


© 2021 by Jen Cracchiola. Powered by Wix
