Learn about what causes broken access controls, the risks and impacts and how to prevent these vulnerabilities.
TL;DR:
Access controls are the processes that control and monitor user and application access to resources. This is commonly included under the security domain of Identity and Access Management (IAM). This domain includes four main elements: 1) Identification, 2) Authentication, 3) Authorization, 4) Accountability. All four of these elements work together to ensure that company resources are accessed only by people who should have access to them, for only as long as they should have it, and that user actions are monitored so that every user is accountable for the actions they perform. One of the most critical vulnerabilities that a company or application can face is the risk of broken access control. In this article, we will break down why this is a huge risk and what can be done to prevent it.
Broken access control can allow attackers an easy pathway to accessing and ultimately attacking company resources. When you think of broken access control, envision having a broken lock on one of the doors of your home. Anyone who tries to go through that door will be allowed to enter. This is a very insecure state, and broken access control leaves an application in much the same position. Access control acts like a lock and key, where only users who should have access are given a key. If you give keys to the wrong people, or worse, the lock isn’t working correctly, people who should not have access will be able to access the resource.
In recent years broken access control has proven itself to be one of the most prominent vulnerabilities in web applications. In 2021, the OWASP Top 10 list moved broken access control from the fifth position to first on the list of top vulnerabilities in web applications. According to OWASP, 94% of applications were found to have some form of broken access control, with an average incidence rate of 3.81%. Let’s look at some of the reasons why broken access control is on the rise:
Increase in applications: In the last 10-20 years the amount of digital adoption around web and mobile applications has been huge. Customers now expect most businesses to offer services online rather than solely in person. Also, digital expectations were significantly heightened throughout the pandemic, and the application development rush has not subsided since. The more applications there are, the more attack surfaces present themselves.
Increased integration between applications: Applications are becoming more interconnected than ever, and managing exactly what is allowed to talk to what can become very complex. This can be due to the number of devices admins must manage as well as the methods used to connect the devices. Some devices are built to work well together while others require a more complex solution. Bigger applications also present a larger attack surface with more domains, directories, integrations, functionality etc.
Insufficient training on secure coding: Many developers simply don’t have a lot of training in creating secure code. As a result, many applications may have access control implementations that are not effective or that are missing altogether. This creates security gaps that allow users to escalate their privileges and gain access that they shouldn't have. If an organization doesn’t have a strong DevSecOps culture, allowing inexperienced developers to set security policies is a recipe for failure.
Multiple IAM Solutions: When trying to integrate a pre-existing identity platform into a new product, the complexity rises as you now need to manage legacy users from the old platform as well as new users. Using a hybrid of identity management solutions in any scenario can lead to oversights in proper access control.
Now that we’ve talked about broken access control, let’s look at what proper access control should look like. If an attacker tries to tamper with an application or database by modifying a request to the system, the system should have proper protections in place to recognize an invalid request. Two common examples of this would be SQL injection and cross-site scripting attacks. SQL injection submits modified SQL statements in an attempt to extract information from the backend database or modify the database itself. To defend against this type of attack, proper input validation should detect invalid requests like this and not allow them to execute.
Secondly, the system should have function-level access control to verify whether the user is authorized to perform their desired action. For example, if someone is on a user account they should not be able to perform admin actions or raise their privileges to become an admin. In particular, web applications need to rely on server-side access control rather than client-side so that adversaries cannot tamper with it. The application should perform checks at multiple levels, including the data or object, to ensure there are no holes in the process. This includes authorization to make a request as well as authorization to access a particular object in that request.
Thirdly, businesses must constantly review their access control processes and procedures. You should take time to thoroughly review the authorization logic of chosen tools and technology and implement custom logic when necessary. You should also formally test all configurations to make sure there are no workarounds. Additionally, you should do access reviews for employees/contractors within your organization to make sure that no one has additional access above what is needed for their job. All static company resources should be formally authorized and incorporated into access control policies.
Lastly, when it comes to the function of the application, you need to make sure that it is designed correctly. You should forbid access when an authorization check fails; this is part of the “fail-safe” principle. If an access request or an operation fails, then the application should fail in a state that allows it to remain secure. To ensure this you should perform unit and integration testing of authorization logic to make sure it is sound and not easily circumvented.
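The four points above (server-side checks, function-level and object-level authorization, and fail-safe defaults with testable logic) can be shown in one small authorization layer. This is an added example, not code from the original article; the User, Document, PERMISSIONS, DOCS, authorize, read_document and is_allowed names are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass
from typing import Optional

class AuthzError(PermissionError):
    """Raised whenever an access check does not explicitly succeed."""

@dataclass(frozen=True)
class User:
    user_id: str
    role: str  # taken from the server-side session, never from the request

@dataclass(frozen=True)
class Document:
    doc_id: str
    owner_id: str
    body: str

# Function-level policy: which roles may invoke which operation.
PERMISSIONS = {"read_document": {"user", "admin"}, "disable_account": {"admin"}}

DOCS = {  # constructed sample data standing in for the application database
    "d1": Document("d1", "alice", "alice's notes"),
    "d2": Document("d2", "bob", "bob's notes"),
}

def authorize(user: User, action: str, doc: Optional[Document] = None) -> None:
    """Fail-safe: raise unless every applicable check explicitly passes."""
    allowed = PERMISSIONS.get(action)  # unknown action -> None -> denied
    if allowed is None or user.role not in allowed:
        raise AuthzError(f"{user.user_id} may not {action}")
    # Object-level check: non-admins may only act on documents they own.
    if doc is not None and user.role != "admin" and doc.owner_id != user.user_id:
        raise AuthzError(f"{user.user_id} may not {action} {doc.doc_id}")

def read_document(session_user: User, doc_id: str) -> str:
    """Handler: doc_id is untrusted input, session_user is server-side state."""
    doc = DOCS.get(doc_id)
    if doc is None:  # unknown and forbidden look identical to the caller
        raise AuthzError(f"{session_user.user_id} may not read_document")
    authorize(session_user, "read_document", doc)
    return doc.body

def is_allowed(session_user: User, action: str, doc_id: Optional[str] = None) -> bool:
    """Boolean view of authorize() for tests; request handlers still raise."""
    doc = DOCS.get(doc_id) if doc_id is not None else None
    if doc_id is not None and doc is None:
        return False
    try:
        authorize(session_user, action, doc)
    except AuthzError:
        return False
    return True
```

Because the role comes from session state rather than the request, a user cannot promote themselves by editing a parameter, and because every failure path raises, a missing policy entry denies rather than allows.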
Access control is simply the process of restricting user access to company resources/assets. Broken access control is when there are ineffective or missing access controls which allow users to access resources they shouldn’t have access to. Broken access control is one of the most common and most dangerous types of vulnerabilities for an organization. Organizations must be vigilant in mitigating the risk of broken access control to safeguard their assets and data. Broken access control can affect companies severely by hurting them financially as well as damaging their reputation and business relationships. To prevent broken access control, it’s important to implement your access controls properly and to validate continuously that they are working.
| | Cookies | Tokens |
| --- | --- | --- |
| Security | Can be easily manipulated without detection if not properly secured. | Digitally signed and can be validated on the server. Manipulation can be detected. |
| Size | Limited to 4KB. | Can contain much more data, up to 8KB. |
| Dependency | Often used for session data on the server-side. The server needs to store the session map. | Contains all the necessary information in the token. Doesn’t need to store data on the server. |
| Storage Location | Browser cookie jar. | Local storage or client-side cookie. |