The document discusses broken access control vulnerabilities. It defines broken access control as when a user is able to perform actions or access content they should not be authorized for. It provides examples of insecure direct object references and missing functional level access controls, which were merged into the broken access control category in OWASP 2017. The document also outlines potential impacts of broken access control and recommendations for remediation such as validating object references and authorization for all referenced objects.
2. Akansha Kesharwani
Sr. Security Consultant @ Payatu Software Labs LLP
Works on Web Application Pentesting and Mobile application Pentesting
Member @ Null Pune chapter
3. Introduction
Insecure Direct Object References
Missing Functional Level of Access Controls
Potential Impact
Example
Remediation
4. Access Control, aka Authorization, is how an application grants access to content and
functions to some users and not others.
If a user (the attacker) is able to perform an action or access the content and
functions of some other user for which they should not have been authorized,
then we term it Broken Access Control.
In OWASP 2017, Insecure Direct Object Reference and Missing Functional Level
Access Control were merged and a new category, Broken Access Control, was
formed.
Courtesy: https://www.owasp.org/index.php/Broken_Access_Control
6. A direct object reference occurs when a developer exposes a reference to an
internal implementation object, such as a file, directory, or database key. Without
an access control check or other protection, attackers can manipulate these
references to access unauthorized data.
Occurs when the developer uses an HTTP parameter to refer to an internal object
Ex: https://demo.com?id=1
Can give access to other accounts
Ex: https://example.com/profile=123
Courtesy: https://www.owasp.org/index.php/Top_10_2013-Top_10
7. HTTP GET parameters
Tampering with the reference in the URL
Ex: https://example.com?profile=123
Changing the profile parameter to “456”
https://example.com?profile=456
It will give access to the profile referred to by “456”.
HTTP POST parameters
In the body of POST parameters.
HTTP Headers
Cookies
Languages (Accept-Language)
User-Agent
Courtesy: https://www.owasp.org/index.php/Top_10_2013-Top_10
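The profile lookup from the two slides above, written out as an added example (not code from the deck): the insecure handler uses the `profile` parameter as the database key directly, the fixed handler resolves the same key but then checks that the authenticated session user owns the record. The in-memory `PROFILES` table, the user names and the `Forbidden` exception are constructed for this demo.

```python
# Added example (not from the slides): an insecure direct object reference in a
# profile lookup, and the same lookup with a server-side ownership check.
from urllib.parse import urlparse, parse_qs

# Constructed in-memory "database": internal key -> profile record.
PROFILES = {
    123: {"owner": "alice", "email": "alice@example.com"},
    456: {"owner": "bob", "email": "bob@example.com"},
}


class Forbidden(Exception):
    """Raised when the caller is not authorized for the referenced object."""


def profile_id_from_url(url: str) -> int:
    """Extract the ?profile= parameter exactly as the slide's URLs carry it."""
    params = parse_qs(urlparse(url).query)
    return int(params["profile"][0])


def get_profile_insecure(session_user: str, url: str) -> dict:
    # VULNERABLE: the HTTP parameter is used as the database key directly and
    # nothing checks whether session_user owns that key.
    return PROFILES[profile_id_from_url(url)]


def get_profile_secure(session_user: str, url: str) -> dict:
    # FIXED: look the record up, then verify the authenticated user owns it.
    # The identity comes from the server-side session, never from the request.
    record = PROFILES.get(profile_id_from_url(url))
    if record is None or record["owner"] != session_user:
        # Same response for "missing" and "not yours", so valid ids cannot be
        # told apart from invalid ones by probing.
        raise Forbidden("access denied")
    return record


if __name__ == "__main__":
    # Alice's session requests Bob's key 456 instead of her own 123.
    tampered = "https://example.com?profile=456"
    print("insecure handler:", get_profile_insecure("alice", tampered))
    try:
        get_profile_secure("alice", tampered)
    except Forbidden as exc:
        print("secure handler:", exc)
```

The ownership check belongs next to the lookup, on the server, for every object reference the request carries; the client-supplied id is only ever used to select a record, never to decide whether the caller may see it.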
8. It occurs when the web application fails to verify the function-level access right
before making the functionality accessible to the user, so a user without
proper authorization is able to access functionality they have no
right to access.
Occurs when an authorization check is missing in a particular functionality.
Ex: Admin functionality missing an authorization check in a web application.
https://www.example.com/admin.jsp
https://www.example.com/phpinfo
If user roles are not in place, then a user with the least privilege might be able to
access the functionality of the user with the highest privilege.
9. HTTP GET and POST parameters
Tampering with the parameter in the URL
Ex: https://example.com?admin=false
Changing the admin parameter to “true”
https://example.com?admin=true
It will give access to functionality available to the admin user.
In the body of POST parameters.
HTTP Headers
Cookies
Forced Browsing
Accessing admin functionality when the user is authenticated as a normal user.
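Both failure modes on the two slides above (trusting an `admin=true` parameter, and forced browsing to `/admin.jsp` or `/phpinfo`) come from the same missing check, so this added example (not from the deck) shows one deny-by-default, function-level authorization routine beside the insecure handler it replaces. The `ROUTE_GRANTS` table, the `SESSIONS` store and the session ids are constructed for the demo; the role is always read from the server-side session, and any path without an explicit grant is denied.

```python
# Added example (not from the slides): deny-by-default function-level
# authorization. The role comes from the server-side session; request
# parameters such as ?admin=true are never consulted.
from urllib.parse import urlparse, parse_qs

# Explicit grants: path -> roles allowed to call it. Anything not listed here
# (for example /phpinfo reached by forced browsing) is denied.
ROUTE_GRANTS = {
    "/profile": {"user", "admin"},
    "/admin.jsp": {"admin"},
}

# Constructed server-side session store: session id -> authenticated principal.
SESSIONS = {
    "sess-u1": {"user": "alice", "role": "user"},
    "sess-a1": {"user": "root", "role": "admin"},
}


def authorize(session_id: str, url: str) -> bool:
    """True only when the session's role has an explicit grant for the path."""
    session = SESSIONS.get(session_id)
    if session is None:
        return False  # unauthenticated: denied
    path = urlparse(url).path or "/"
    allowed = ROUTE_GRANTS.get(path, set())  # unknown path -> empty set -> deny
    return session["role"] in allowed


def handle_insecure(session_id: str, url: str) -> str:
    # VULNERABLE: decides the caller is an admin from an HTTP parameter, so
    # flipping admin=false to admin=true grants the admin view to anyone.
    params = parse_qs(urlparse(url).query)
    if params.get("admin", ["false"])[0] == "true":
        return "admin panel"
    return "user page"


def handle_secure(session_id: str, url: str) -> str:
    # FIXED: the grant table and the session decide; the query string is ignored.
    if not authorize(session_id, url):
        return "403 Forbidden"
    return "admin panel" if urlparse(url).path == "/admin.jsp" else "user page"


if __name__ == "__main__":
    print(handle_insecure("sess-u1", "https://example.com?admin=true"))
    print(handle_secure("sess-u1", "https://example.com/profile?admin=true"))
    print(handle_secure("sess-u1", "https://www.example.com/admin.jsp"))
    print(handle_secure("sess-u1", "https://www.example.com/phpinfo"))
    print(handle_secure("sess-a1", "https://www.example.com/admin.jsp"))
```

Because `ROUTE_GRANTS` is consulted for every request and returns an empty set for anything unlisted, adding a new admin page without a grant fails closed instead of silently becoming reachable to every authenticated user.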
10. The potential impact of Broken Access Control greatly depends on what kind of
information or features the attacker can gain access to.
This can be anything from seemingly useless information to a full system takeover.
12. Avoid exposing references to internal objects to the user.
Validate internal object references on the server side.
Verify authorization for all referenced objects.
The enforcement mechanism(s) should deny all access by default, requiring explicit
grants to specific roles for access to every function.
If the function is involved in a workflow, check to make sure the conditions are in the
proper state to allow access.
Disable web server directory listing and ensure file metadata (e.g. .git) and backup
files are not present within web roots.
Log access control failures, alert admins when appropriate (e.g. repeated failures).
Rate limit API and controller access to minimize the harm from automated attack
tooling.
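Three of the remediation points above (not exposing internal references, logging access-control failures and alerting on repeated ones, and rate limiting) fit in one small server-side guard, given here as an added example rather than code from the deck. Each session gets opaque handles that map back to internal keys only within that session, so a handle copied from another session or guessed by hand resolves to nothing; failures are recorded and the session is flagged once it crosses a threshold; a per-session request budget stands in for a real rate limiter. The `AccessGuard` class, its method names and the thresholds are constructed for the demo.

```python
# Added example (not from the slides): per-session indirect object references,
# logging of access-control failures with an alert after repeated failures, and
# a simple per-session request budget as a rate limit.
import secrets
from collections import defaultdict


class AccessGuard:
    def __init__(self, alert_after: int = 3, rate_limit: int = 20):
        self.alert_after = alert_after      # failures before a session is flagged
        self.rate_limit = rate_limit        # resolves allowed per session (demo budget)
        # session id -> {opaque token: internal key}; never shared across sessions
        self._refs = defaultdict(dict)
        self._failures = defaultdict(int)
        self._requests = defaultdict(int)
        self.log = []     # access-control events (in production: the SIEM feed)
        self.alerts = []  # sessions that tripped the failure threshold

    def issue_reference(self, session_id: str, internal_key: int) -> str:
        """Return an opaque handle for internal_key, valid only in this session.

        The page renders this token instead of the database key, so the
        internal reference is never exposed to the client.
        """
        token = secrets.token_urlsafe(16)
        self._refs[session_id][token] = internal_key
        return token

    def resolve(self, session_id: str, token: str):
        """Map a handle back to the internal key, or None with a logged failure."""
        self._requests[session_id] += 1
        if self._requests[session_id] > self.rate_limit:
            # Automated probing burns through the budget; stop serving it.
            self.log.append(("rate_limited", session_id))
            return None
        key = self._refs[session_id].get(token)
        if key is None:
            # Unknown or foreign handle: exactly the tampering the slides describe.
            self._record_failure(session_id, token)
        return key

    def _record_failure(self, session_id: str, token: str) -> None:
        self._failures[session_id] += 1
        self.log.append(("denied", session_id, token))
        if self._failures[session_id] == self.alert_after:
            self.alerts.append(session_id)  # repeated failures: alert the admins


if __name__ == "__main__":
    guard = AccessGuard(alert_after=2, rate_limit=5)
    handle = guard.issue_reference("sess-alice", 123)
    print("own handle ->", guard.resolve("sess-alice", handle))
    print("same handle from another session ->", guard.resolve("sess-bob", handle))
    print("guessed handle ->", guard.resolve("sess-bob", "bogus"))
    print("alerts:", guard.alerts)
```

The handles are random rather than sequential, so there is nothing for a client to increment; because the map is keyed by session, even a handle that leaks (in a shared screenshot, say) is useless from any other session, and the attempt still lands in the log.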