OWASP Top 10: Broken Access Control (A5:2017)

This is part of my OWASP Top 10 series covering the top 10 most critical web application security risks. If you've missed any of the previous security risks, check out the intro and overview.
Risk rating
| Threat Agents | Exploitability | Weakness Prevalence | Weakness Detectability | Technical Impacts | Business Impacts |
|---|---|---|---|---|---|
| Application Specific | Easy: 3 | Widespread: 3 | Easy: 3 | Severe: 3 | Business Specific |
| | Average: 2 | Common: 2 | Average: 2 | Moderate: 2 | |
| | Difficult: 1 | Uncommon: 1 | Difficult: 1 | Minor: 1 | |
What is broken access control?
The job of an access control system is to limit a user's (or program's) access to information or functionality. An access control system would be broken if a user were able to bypass authentication and perform admin tasks.
Imagine you're at an airport. Passengers are only allowed to access certain parts of the airport. Staff will have varying levels of access to other parts of the airport, depending on their role. Access control is often enforced via locked doors requiring key-card entry. If a passenger could swipe their library card and gain access to secure areas of the airport, then the access control system has failed.
Examples of broken access control
An example of a broken access control system might be where a user can alter the URL of a web app to escalate privileges - such as accessing or changing other users' data - without authentication.
Let's say Mallory visits her online bank. The URL in her web browser's address bar might be:
https://onlinebank.com/view_account.php?customer_id=123456
But what if she changes the customer_id parameter to:
https://onlinebank.com/view_account.php?customer_id=654321
If the bank has broken access control, and the customer ID belongs to another customer (e.g. Alice), then Mallory now has access to Alice's bank account.
Another example might be that Mallory is browsing a news website:
https://newswebsite.com
Mallory then visits the following part of the news website:
https://newswebsite.com/admin
If the news website has broken access control then Mallory will have full admin privileges when she visits that URL.
What's the impact of broken access control?
The impact of broken access control will depend on which parts of the application can be accessed and with what privileges. In the worst case, broken access control could lead to a user escalating to full admin rights and compromising the system. It could also result in a user gaining access to another user's account.
Depending on what sort of data an organisation holds, the impact could be data loss, alteration, insertion, etc.
How to defend against broken access control
Access control must be enforced server-side where an attacker cannot modify the access control or metadata. The best way to manage an access control policy is to deny access to everything by default, except explicitly defined public areas.
Disable public access to directory contents, metadata (e.g. .git files), and backup files. Regular automated testing should be carried out to test the access control system and ensure it's functioning correctly.
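As an added example (not code from the original post), here is a framework-free Python sketch of the bank and admin routes described above: the customer_id handler in both its broken and fixed forms, and a dispatcher that denies every path not explicitly allowed. The accounts, users and roles are constructed sample data.

```python
# Added illustration of the bank example above, with no web framework so it
# runs offline. The vulnerable handler trusts the customer_id in the URL;
# the hardened one checks that the authenticated session owns that account,
# and the dispatcher denies every path that is not explicitly allowed.
# All accounts, users and roles are constructed sample data.

ACCOUNTS = {123456: {"owner": "mallory", "balance": 40},
            654321: {"owner": "alice", "balance": 9000}}
USERS = {"mallory": "customer", "alice": "customer", "bob": "admin"}

def vulnerable_view_account(user, params):
    """Broken: the only thing deciding which account is shown is the
    client-controlled customer_id query parameter (an IDOR)."""
    acct = ACCOUNTS.get(int(params["customer_id"]))
    return (200, acct) if acct else (404, None)

def hardened_view_account(user, params):
    """Fixed: ownership of the requested object is checked server-side
    against the session identity, which the client cannot modify."""
    acct = ACCOUNTS.get(int(params.get("customer_id", 0)))
    if acct is None or acct["owner"] != user:
        return (403, None)  # same answer whether the id exists or not
    return (200, acct)

def admin_dashboard(user, params):
    return (200, "admin panel")

# Deny by default: a path is reachable only if listed here, together with
# the roles allowed to call it. PUBLIC holds the explicitly open areas.
ROUTES = {
    "/view_account.php": (hardened_view_account, {"customer"}),
    "/admin": (admin_dashboard, {"admin"}),
}
PUBLIC = {"/": lambda user, params: (200, "home")}

def handle(user, path, params):
    """Enforcement point that runs before any handler. `user` is the
    authenticated session identity (None when not logged in)."""
    if path in PUBLIC:
        return PUBLIC[path](user, params)
    if user is None or path not in ROUTES:
        return (403, None)          # unknown or unlisted path: denied
    handler, allowed_roles = ROUTES[path]
    if USERS.get(user) not in allowed_roles:
        return (403, None)          # wrong role for this path
    return handler(user, params)
```

Calling `handle("mallory", "/view_account.php", {"customer_id": "654321"})` returns 403, whereas the vulnerable handler on the same input returns Alice's account.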
More on OWASP Top 10
- OWASP Top 10: Intro
- OWASP Top 10: Injection (A1:2017)
- OWASP Top 10: Broken Authentication (A2:2017)
- OWASP Top 10: Sensitive Data Exposure (A3:2017)
- OWASP Top 10: XML External Entities (XXE) (A4:2017)
- OWASP Top 10: Broken Access Control (A5:2017)
- OWASP Top 10: Security Misconfiguration (A6:2017)
- OWASP Top 10: Cross-Site Scripting (XSS) (A7:2017)
- OWASP Top 10: Insecure Deserialisation (A8:2017)
- OWASP Top 10: Using Components with Known Vulnerabilities (A9:2017)
- OWASP Top 10: Insufficient Logging and Monitoring (A10: 2017)