OWASP Top 10 part 1: Broken Access Control

21 October 2024 6 minutes Author: Lady Liberty

Broken access control covers situations in which users reach resources or functions they have no right to use. It can arise for several reasons:


Access control violated

1. Lack of authentication

  • Description: When the system does not verify the user’s identity before providing access to sensitive data or functions.

  • Example: A web application serves account details without requiring a login, so anyone who knows or guesses the URL can read other people’s personal data without ever authenticating.

2. Lack of authorization

  • Description: After a user is authenticated, the system does not verify that they are authorized to access specific resources or functions.

  • Example: An ordinary user can access the administrative panel or change data that should be accessible only to administrators. For example, an ordinary user can delete other users’ posts.

3. 403 Forbidden vs. 404 Not Found

  • Description: Code 403 means the server understood the request but refuses to serve it; code 404 means the resource was not found. The choice between them can reveal information about the structure of the application.

  • Example: If a request for the administrative section returns 403, the response confirms that the section exists even though access to it is blocked. Returning 404 instead hides whether the section exists at all, so 403 should be used only where it is acceptable to admit that the resource is there and the caller is simply not allowed to use it.

4. Sensitive data in insecure parameters

  • Description: Inclusion of sensitive data in URLs or request parameters that may be visible or accessible to attackers.

  • Example: Passing user IDs or access tokens in a URL, where they end up in server logs, proxy logs and browser history. A URL such as https://example.com/profile?user_id=1234 also invites the reader to change user_id and, if the server does not check ownership, view a different user’s profile.

5. Cross-Site Request Forgery (CSRF)

  • Description: Attacks in which an attacker tricks a user who is already authenticated into a web application into performing an unwanted action.

  • Example: An attacker creates a web page containing a hidden password-change form aimed at a site where the user is already authenticated. If the user opens this page, the form is submitted automatically, the browser attaches the victim’s session cookie, and the password is changed without their knowledge.

Authentication

BLUE TEAM

Authentication is the process of confirming a user’s identity. The most common example is a user entering an identifier, such as an email, together with a password. In Symfony, when a request reaches a protected area, the firewall extracts the credentials from the Request object and builds an unauthenticated token from them. That token is handed to the authentication manager, which validates the credentials and, if they are what the system expects, returns an authenticated token. The authenticated token is then stored in the token storage so that later requests in the same session can reuse it.

An example of symfony authentication

RED TEAM

Brute force

The attack becomes possible when authentication is missing or too weak, so that an attacker can guess passwords one after another until the correct one is found. In the context of Symfony, a brute force attack means trying to break into the protected parts of a site or application by finding the right combination of login and password. Such attacks typically target the standard authentication mechanisms that Symfony implements through the Security Bundle.

A practical example in python

This script systematically tries passwords from a wordlist until the correct one is found. The attack is effective when there is no limit on the number of attempts or the account is not locked after several failures.

Brute force tools: tools such as Hydra, Burp Suite (Intruder) or OWASP ZAP automate this process and greatly increase the effectiveness of the attack.
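As an added example that is not part of the original article (the article’s own Symfony and Python screenshots are not reproduced here), the following Python models both sides of the discussion above: a hypothetical login service that verifies salted PBKDF2 password hashes, the dictionary attack described in the RED TEAM text, and the one defensive change the text names, a per-account limit on failed attempts. All names (LoginService, WORDLIST, the user alice and her password) are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed example, not code from the original article.
PBKDF2_ITERATIONS = 100_000  # kept low so the demo runs quickly; use more in production


class LoginService:
    """Hypothetical login backend: salted PBKDF2 password hashes plus an
    optional per-account failed-attempt limit (None means no limit)."""

    def __init__(self, max_attempts=None):
        self.users = {}               # username -> (salt, password hash)
        self.failed = {}              # username -> consecutive failed attempts
        self.max_attempts = max_attempts

    def register(self, username, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self.users[username] = (salt, digest)

    def login(self, username, password):
        """Return 'ok', 'invalid' or 'locked'."""
        if self.max_attempts is not None and self.failed.get(username, 0) >= self.max_attempts:
            return "locked"
        record = self.users.get(username)
        if record is None:
            # Hash anyway so an unknown username takes as long as a known one
            # (avoids user enumeration through response timing).
            hashlib.pbkdf2_hmac("sha256", password.encode(), os.urandom(16), PBKDF2_ITERATIONS)
            self.failed[username] = self.failed.get(username, 0) + 1
            return "invalid"
        salt, expected = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        if hmac.compare_digest(candidate, expected):   # constant-time comparison
            self.failed[username] = 0
            return "ok"
        self.failed[username] = self.failed.get(username, 0) + 1
        return "invalid"


# Constructed wordlist; the victim's real password is the sixth entry.
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome1", "sunshine1", "dragon", "admin"]


def brute_force(service, username, wordlist):
    """Attacker side: try every candidate until the service answers 'ok'.
    Returns the recovered password, or None if the list runs out or the account locks."""
    for candidate in wordlist:
        result = service.login(username, candidate)
        if result == "ok":
            return candidate
        if result == "locked":
            return None   # further guesses are pointless until the lock is lifted
    return None


def demo():
    """Run the same attack against a service without and with an attempt limit."""
    unlimited = LoginService(max_attempts=None)
    limited = LoginService(max_attempts=5)
    for svc in (unlimited, limited):
        svc.register("alice", "sunshine1")
    return {
        "unlimited": brute_force(unlimited, "alice", WORDLIST),
        "limited": brute_force(limited, "alice", WORDLIST),
        "limited_after_attack": limited.login("alice", "sunshine1"),
    }


if __name__ == "__main__":
    print(demo())
```

Against the unlimited service the attack recovers the password on the sixth guess; against the limited one it is locked out after five and the correct password no longer works either. A hard lockout also lets an attacker deny service to a known account, so in practice it is combined with rate limiting, progressive delays or a lock that expires.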

Authorization (Can I do this?)

BLUE TEAM

Authorization is the process of verifying whether an already authenticated user has the right to access or modify a particular resource.

Authorization in a nutshell

RED TEAM

IDOR – Insecure Direct Object Reference. When the server does not validate access rights, an attacker can reach another user’s data simply by changing an identifier in the URL or request body, for example incrementing a numeric record ID.

403 Forbidden vs 404 Not Found

  • Forbidden – The 403 Forbidden status code indicates that the server understood the request, but refuses to fulfill it due to a lack of necessary permissions.

  • Not Found – The 404 Not Found status code indicates that the requested resource was not found on the server. This could be the result of an incorrect URL or a missing file on the server.

BLUE TEAM

403 Forbidden
404 Not Found

If you do not want the user to know about the existence of a certain resource, you should use a 404 (Not Found) response. If you need to clearly show that the resource exists, but access to it is limited, it is better to use the 403 (Forbidden) code.

RED TEAM

Resource enumeration. Attackers can use the difference between 403 and 404 responses to determine whether a resource exists, even when they have no access to it.

A practical attack example (Python)

This script checks whether a resource exists by analyzing the server’s response: a 403 means the resource exists but access is denied, a 404 means it does not exist.
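As an added example, not code from the original article, the Python below covers both the IDOR passage and the 403 vs 404 discussion. It models a document handler in a vulnerable form (no ownership check) and a hardened form whose hide_existence flag selects the BLUE TEAM advice above (404 for documents the caller may not see, or 403 when admitting that they exist is acceptable), and an enumeration routine that classifies IDs from the status codes alone. The DOCS table and the user names are constructed sample data.

```python
# Constructed sample data, not from the original article: documents owned by different users.
DOCS = {
    101: {"owner": "alice", "title": "alice-tax-return.pdf"},
    102: {"owner": "bob", "title": "bob-medical-record.pdf"},
    103: {"owner": "carol", "title": "carol-contract.pdf"},
}


def get_document_vulnerable(user, doc_id):
    """IDOR: the handler checks that someone is logged in (user is not None)
    but never checks that the caller owns the document."""
    if user is None:
        return 401, None
    doc = DOCS.get(doc_id)
    if doc is None:
        return 404, None
    return 200, doc


def get_document_hardened(user, doc_id, hide_existence=True):
    """Ownership check added. For documents the caller may not see,
    hide_existence=True answers 404 (do not reveal that the id is valid),
    hide_existence=False answers 403 (resource exists, access denied)."""
    if user is None:
        return 401, None
    doc = DOCS.get(doc_id)
    if doc is None:
        return 404, None
    if doc["owner"] != user:
        return (404 if hide_existence else 403), None
    return 200, doc


def enumerate_ids(handler, user, id_range):
    """Attacker side: walk a range of ids and classify each by status code."""
    result = {"readable": [], "exists_denied": [], "unknown": []}
    for doc_id in id_range:
        status, _ = handler(user, doc_id)
        if status == 200:
            result["readable"].append(doc_id)
        elif status == 403:
            result["exists_denied"].append(doc_id)   # 403 leaks that the id is valid
        else:
            result["unknown"].append(doc_id)         # 404: cannot tell missing from forbidden
    return result


if __name__ == "__main__":
    ids = range(100, 106)
    print("vulnerable:", enumerate_ids(get_document_vulnerable, "mallory", ids))
    print("hardened, 403:", enumerate_ids(
        lambda u, i: get_document_hardened(u, i, hide_existence=False), "mallory", ids))
    print("hardened, 404:", enumerate_ids(get_document_hardened, "mallory", ids))
```

Against the vulnerable handler mallory reads all three documents; against the hardened handler with 403 responses she reads none but still learns exactly which IDs exist, and with 404 responses the scan tells her nothing.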

Sensitive data in insecure parameters

Sensitive data in insecure parameters is a situation where sensitive information such as passwords, tokens or personal data is transmitted through request parameters or other insecure channels. This is a threat because insufficient protection of such data can lead to leakage, or, when the server trusts what the parameters say, to compromise.

BLUE TEAM

Example in Symfony
JWT example

RED TEAM

Insecure parameter exploitation. Attackers can manipulate parameters that the server trusts, such as flags in the query string or request body, to read sensitive information or to escalate their privileges.

A practical attack example (Python)

This script sets parameters such as can_edit and is_admin in the request in order to reach functions that should be protected by server-side checks.
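As an added example (not the article’s own script), the Python below shows the is_admin / can_edit manipulation from the RED TEAM text against a hypothetical post-editing handler, once in a form that trusts flags arriving in the request and once in a form that takes identity and role only from the server-side session. SESSIONS, the sample post and the user names are constructed for the demo.

```python
import copy

# Constructed server-side state, not from the original article.
SESSIONS = {
    "sess-mallory": {"user": "mallory", "roles": ["user"]},
    "sess-alice": {"user": "alice", "roles": ["user"]},
    "sess-root": {"user": "root", "roles": ["admin"]},
}


def make_posts():
    """Fresh copy of the sample posts so every run starts from the same state."""
    return copy.deepcopy({7: {"author": "alice", "body": "original text"}})


def edit_post_vulnerable(request, posts):
    """Trusts authorization flags that arrive in the request itself."""
    params = request["params"]
    post = posts.get(int(params["id"]))
    if post is None:
        return 404
    if params.get("is_admin") == "true" or params.get("can_edit") == "1":
        post["body"] = params["body"]
        return 200
    return 403


def edit_post_hardened(request, posts):
    """Derives identity and role from the server-side session; nothing the
    client sends in the query string or body can grant rights."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401
    try:
        post_id = int(request["params"]["id"])
    except (KeyError, ValueError):
        return 400
    post = posts.get(post_id)
    if post is None:
        return 404
    if "admin" in session["roles"] or post["author"] == session["user"]:
        post["body"] = request["params"]["body"]
        return 200
    return 403


def forged_edit(handler, posts, session_cookie="sess-mallory"):
    """Attacker side: an ordinary user adds is_admin=true and can_edit=1
    to an edit request for somebody else's post."""
    request = {
        "cookies": {"session": session_cookie},
        "params": {"id": "7", "body": "defaced", "is_admin": "true", "can_edit": "1"},
    }
    return handler(request, posts)


if __name__ == "__main__":
    for handler in (edit_post_vulnerable, edit_post_hardened):
        posts = make_posts()
        print(handler.__name__, forged_edit(handler, posts), posts[7]["body"])
```

The vulnerable handler returns 200 and the post is defaced; the hardened one returns 403 for mallory, 200 for the author alice or for an admin session, and 401 when no valid session cookie is present, regardless of what the parameters claim.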

Cross-Site Request Forgery (CSRF)

  1. Cookies are automatically sent to the site with each request.

  2. The attacker can make the victim’s browser send requests (including POST) to that site.

  3. When this happens, the victim’s cookies (including authentication cookies) are sent to the server.

BLUE TEAM

Use of CSRF tokens. A random token is stored in the user’s session and added to each form as a hidden field. When the user submits the form, the server compares the submitted token with the one in the session; if they do not match, the request is rejected with an error.

An example of using CSRF tokens in Yii2

RED TEAM

Using CSRF to modify data. Attackers can make a victim’s browser send a request to the server carrying the victim’s credentials (cookies) and so perform unwanted actions on their behalf.

A practical attack example (HTML)

This code forces the victim to transfer funds to the attacker’s account using their session and cookies without them even knowing it.
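As an added example, not the article’s Yii2 or HTML code, the following Python implements the token scheme from the BLUE TEAM paragraph and replays the attack from the RED TEAM paragraph against it: a hypothetical transfer endpoint, a token issued per session and embedded in the real form as a hidden field, and a forged request that carries the victim’s session cookie but, because the attacker’s page cannot read the token, no valid token. The session and balance tables are constructed for the demo.

```python
import hmac
import secrets


def make_state():
    """Constructed server-side state, not from the original article."""
    sessions = {"sess-victim": {"user": "victim"}}
    balances = {"victim": 1000, "attacker": 0, "shop": 0}
    return sessions, balances


def issue_csrf_token(session):
    """Generate a fresh random token, keep it in the server-side session and
    return it so the view can embed it in the form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def render_transfer_form(session):
    """Legitimate page: the token travels in a hidden field, not in a cookie,
    so only a page served by this site can present it."""
    token = issue_csrf_token(session)
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="_csrf" value="{token}">'
        '<input name="to"><input name="amount"><button>Send</button></form>'
    )


def transfer(request, sessions, balances):
    """Server side. The browser attaches the session cookie automatically, so the
    cookie alone says nothing about which page sent the request; the token does."""
    session = sessions.get(request["cookies"].get("session"))
    if session is None:
        return 401
    submitted = request["form"].get("_csrf", "")
    expected = session.get("csrf_token", "")
    if not submitted or not expected or not hmac.compare_digest(submitted, expected):
        return 403
    amount = int(request["form"]["amount"])
    sender = session["user"]
    if amount <= 0 or balances[sender] < amount:
        return 400
    balances[sender] -= amount
    recipient = request["form"]["to"]
    balances[recipient] = balances.get(recipient, 0) + amount
    return 200


def forged_request():
    """What the attacker's auto-submitting page produces: the victim's cookie is
    added by the browser, but the hidden token is unknown to the attacker."""
    return {"cookies": {"session": "sess-victim"},
            "form": {"to": "attacker", "amount": "500"}}


def legitimate_request(session):
    """Form submitted from the real page, carrying the token that page embedded."""
    html = render_transfer_form(session)
    token = html.split('name="_csrf" value="')[1].split('"')[0]
    return {"cookies": {"session": "sess-victim"},
            "form": {"_csrf": token, "to": "shop", "amount": "100"}}


if __name__ == "__main__":
    sessions, balances = make_state()
    print("forged:", transfer(forged_request(), sessions, balances), balances)
    print("legit:", transfer(legitimate_request(sessions["sess-victim"]), sessions, balances), balances)
```

The forged request is refused with 403 and the balances are untouched; the request from the genuine form succeeds. The check has to run on every state-changing endpoint, not only the transfer form, and setting the session cookie with the SameSite attribute adds a second, independent layer.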
