
OWASP Top 10: Broken Access Control (A5:2017)

29th July 2020 ‧ By Simon Bell ‧ Category: Web Application Security


Photo by Markus Spiske

This is part of my OWASP Top 10 series covering the top 10 most critical web application security risks. If you've missed any of the previous security risks, check out the intro and overview.

Risk rating

Scores for this risk (each factor is rated 1 to 3, higher is worse):

Exploitability: 2
Prevalence: 2
Detectability: 2
Technical: 3

OWASP's Risk Rating Methodology:

Threat Agents         Exploitability   Weakness Prevalence   Weakness Detectability   Technical Impacts   Business Impacts
Application Specific  Easy: 3          Widespread: 3         Easy: 3                  Severe: 3           Business Specific
                      Average: 2       Common: 2             Average: 2               Moderate: 2
                      Difficult: 1     Uncommon: 1           Difficult: 1             Minor: 1

What is broken access control?

The job of an access control system is to limit a user's (or program's) access to information or functionality. An access control system would be broken if a user were able to bypass those checks and perform admin tasks, without ever having been granted admin rights.

Imagine you're at an airport. Passengers are only allowed to access certain parts of the airport. Staff will have varying levels of access to other parts of the airport, depending on their role. Access control is often enforced via locked doors requiring key-card entry. If a passenger could swipe their library card and gain access to secure areas of the airport, then the access control system has failed.

Examples of broken access control

An example of a broken access control system might be where a user can alter the URL of a web app to escalate privileges - such as accessing or changing other users' data - without authentication.

Let's say Mallory visits her online bank. The URL in her web browser's address bar might be:

https://onlinebank.com/view_account.php?customer_id=123456

But what if she changes the customer_id parameter to:

https://onlinebank.com/view_account.php?customer_id=654321

If the bank has broken access control, and the customer ID belongs to another customer (e.g. Alice), then Mallory now has access to Alice's bank account.

Another example might be that Mallory is browsing a news website:

https://newswebsite.com

Mallory then visits the following part of the news website:

https://newswebsite.com/admin

If the news website has broken access control then Mallory will have full admin privileges when she visits that URL.

What's the impact of broken access control?

The impact of broken access control will depend on which parts of the application can be accessed and with what privileges. In the worst case, broken access control could lead to a user escalating to full admin rights and compromising the system. It could also result in a user gaining access to another user's account.

Depending on what sort of data an organisation holds, the impact could be data loss, alteration, insertion, etc.

How to defend against broken access control

Access control must be enforced server-side where an attacker cannot modify the access control or metadata. The best way to manage an access control policy is to deny access to everything by default, except explicitly defined public areas.

Disable public access to directory contents, metadata (e.g. .git files), and backup files. Regular automated testing should be carried out to test the access control system and ensure it's functioning correctly.
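The two URLs from the examples above, the customer_id lookup and the /admin page, implemented the wrong way and the right way. This is an added illustration, not code from the post or from any real bank; it is written in Python rather than the PHP implied by view_account.php, uses constructed account records, and assumes a Session object produced by a (hypothetical) authentication step that is not shown. The route table is deny-by-default, the ownership check is done server-side against the session rather than the URL, and policy_violations() is the kind of automated check the last paragraph recommends running regularly.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse, parse_qs


@dataclass(frozen=True)
class Session:
    """Output of a hypothetical authentication layer (assumed, not shown)."""
    user_id: Optional[str]   # None for an anonymous visitor
    role: str                # "anonymous", "customer" or "admin"


# Constructed sample records: account id -> owning user.
ACCOUNTS = {
    "123456": {"owner": "mallory", "balance": 100},
    "654321": {"owner": "alice", "balance": 2500},
}

# Deny by default: any path missing from this table is refused outright,
# which also covers /.git, backup files and directory listings.
PUBLIC = "public"
ROUTE_POLICY = {
    "/": {PUBLIC},
    "/view_account.php": {"customer", "admin"},
    "/admin": {"admin"},
}


def view_account_vulnerable(session, customer_id):
    # Broken access control: the URL parameter is trusted as-is, so any
    # logged-in customer can read any account simply by editing customer_id.
    return ACCOUNTS.get(customer_id)


def view_account(session, customer_id):
    # Fixed: ownership is checked on the server against the session, not the
    # URL. Admins may view any account; customers only their own.
    record = ACCOUNTS.get(customer_id)
    if record is None:
        return 404, None
    if session.role != "admin" and record["owner"] != session.user_id:
        return 403, None
    return 200, record


def handle(session, url):
    """Dispatch a request and return (status, body). The route policy is
    checked before any handler runs, so unlisted paths never reach code."""
    parts = urlparse(url)
    allowed = ROUTE_POLICY.get(parts.path)
    if allowed is None:
        return 404, None
    if PUBLIC not in allowed and session.role not in allowed:
        return 403, None
    if parts.path == "/view_account.php":
        ids = parse_qs(parts.query).get("customer_id", [])
        if len(ids) != 1:
            return 400, None
        return view_account(session, ids[0])
    if parts.path == "/admin":
        return 200, "admin console"
    return 200, "home"


def policy_violations():
    """Automated access control check: every non-public route must refuse an
    anonymous session, and /admin must refuse a plain customer. Returns the
    list of findings; an empty list means the policy held."""
    anonymous = Session(None, "anonymous")
    customer = Session("mallory", "customer")
    findings = []
    for path, allowed in ROUTE_POLICY.items():
        if PUBLIC in allowed:
            continue
        if handle(anonymous, f"https://onlinebank.com{path}")[0] == 200:
            findings.append(f"anonymous reached {path}")
    if handle(customer, "https://onlinebank.com/admin")[0] == 200:
        findings.append("customer reached /admin")
    return findings


if __name__ == "__main__":
    mallory = Session("mallory", "customer")
    print(handle(mallory, "https://onlinebank.com/view_account.php?customer_id=123456"))
    print(handle(mallory, "https://onlinebank.com/view_account.php?customer_id=654321"))
    print(view_account_vulnerable(mallory, "654321"))
    print(handle(mallory, "https://newswebsite.com/admin"))
    print(policy_violations())
```

Note that the secure handler returns 403 for Alice's account and 404 for an unknown id; whether to collapse both to 404 so that valid ids cannot be enumerated is a design choice worth making deliberately, and either way the decision is taken on the server from the session, never from anything the browser sent.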
