Broken Access Control occurs when an application fails to properly enforce restrictions on what authenticated users are allowed to do. Attackers can exploit these flaws to perform unauthorized actions, access sensitive data, or escalate privileges. This issue arises when access control mechanisms are improperly implemented or missing altogether.
Manual Testing Strategies
A lower-privilege user accesses features or data intended only for higher-privilege users (e.g., an attacker gaining admin privileges).
- A regular user manipulates their user role (e.g., `role=user` to `role=admin`) in a request and gains access to administrative functions.
A user accesses resources or data belonging to another user with the same privilege level.
- User A accesses User B’s account by modifying a request parameter like `user_id=123` to `user_id=124`.
APIs that do not properly enforce access controls may allow attackers to:
- Access sensitive data.
- Perform unauthorized actions.
- An attacker exploits an API endpoint that allows unrestricted access to database records (e.g., `/api/v1/users` returns all user data).
A user accesses objects (files, records, URLs) directly by manipulating references like IDs in a request, bypassing authorization checks.
- Accessing `/invoice/123` without authorization checks allows a user to view or edit another user’s invoice.
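The vertical and horizontal escalation cases above, and the direct object reference case, share one root cause: the handler trusts identity or role claims carried in the request instead of the server-side session. The following added example (not code from the original article; all users, sessions and invoices are constructed sample data) shows a "get invoice" handler written the broken way and then with server-side checks, plus a small role-swap check of the kind used when testing access restrictions with different roles.

```python
# Added example (not from the original article): the same "get invoice"
# operation written first the broken way and then with server-side checks.
# All users, sessions and invoices below are constructed sample data.
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed data: two ordinary users and one admin.
USERS = {123: {"role": "user"}, 124: {"role": "user"}, 1: {"role": "admin"}}
# Server-side session table: session cookie value -> authenticated user id.
SESSIONS = {"sess-a": 123, "sess-b": 124, "sess-admin": 1}
# Invoice store keyed by a predictable numeric id, with its owner.
INVOICES = {
    123: {"owner": 123, "total": 42.00},
    124: {"owner": 124, "total": 99.00},
}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request."""
    session: str      # session cookie value
    params: dict      # query/body parameters under the client's control


def get_invoice_vulnerable(req: Request) -> Tuple[int, Optional[dict]]:
    """Broken: trusts the caller-supplied user_id and role parameters.

    Changing user_id=123 to user_id=124 reads another user's invoice
    (horizontal escalation); sending role=admin unlocks the admin branch
    (vertical escalation). No server-side check is performed.
    """
    user_id = int(req.params["user_id"])
    role = req.params.get("role", "user")
    invoice = INVOICES.get(user_id)
    if invoice is None:
        return 404, None
    if role == "admin":
        return 200, {**invoice, "admin_view": True}
    return 200, invoice


def get_invoice_hardened(req: Request) -> Tuple[int, Optional[dict]]:
    """Fixed: identity and role come from the server-side session only.

    The invoice id is still taken from the request (that is what the client
    legitimately asks for), but access is granted only if the session user
    owns it or holds the admin role. Deny is the default outcome.
    """
    user_id = SESSIONS.get(req.session)
    if user_id is None:
        return 401, None                      # not authenticated
    role = USERS[user_id]["role"]             # never read from the request
    invoice = INVOICES.get(int(req.params["invoice_id"]))
    if invoice is None:
        return 404, None
    if role == "admin":
        return 200, {**invoice, "admin_view": True}
    if invoice["owner"] == user_id:
        return 200, invoice
    return 403, None                          # deny by default


def check_isolation(handler: Callable[[Request], Tuple[int, Optional[dict]]]) -> Dict[str, bool]:
    """Authorization check in the spirit of 'test different roles': replay the
    same object request from three sessions and record whether each outcome
    is the expected one. True means the handler behaved correctly."""
    # User B's invoice (id 124), requested by user A, by user B, and by admin.
    target = {"user_id": "124", "invoice_id": "124", "role": "user"}
    as_a = handler(Request("sess-a", target))[0]
    as_b = handler(Request("sess-b", target))[0]
    as_admin = handler(Request("sess-admin", target))[0]
    # A client-supplied role claim must not unlock the admin branch.
    claimed = handler(Request("sess-a", {**target, "role": "admin"}))[1]
    return {
        "other_user_denied": as_a == 403,
        "owner_allowed": as_b == 200,
        "admin_allowed": as_admin == 200,
        "role_param_ignored": not (claimed or {}).get("admin_view", False),
    }


if __name__ == "__main__":
    print("vulnerable:", check_isolation(get_invoice_vulnerable))
    print("hardened:  ", check_isolation(get_invoice_hardened))
```

Running the check against both handlers shows the vulnerable one failing `other_user_denied` and `role_param_ignored`, while the hardened one passes all four cases; the only client-controlled input the hardened handler acts on is the object id, and that is resolved against an ownership rule on the server.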
Default or overly permissive policies can leave sensitive resources exposed.
- Default admin accounts with no password or hardcoded credentials.
- Unauthorized access to sensitive data (e.g., personal information, financial records).
- Compromised application functionality (e.g., executing admin-level operations).
- Business losses from data breaches, compliance violations, or reputational damage.
- Test different roles (e.g., user, admin) and manipulate requests to verify access restrictions.
- Check for URL parameter tampering, session fixation, and forced browsing.
- Use tools like Burp Suite or OWASP ZAP to test for access control flaws.
- Employ Dynamic Application Security Testing (DAST) tools to simulate attack scenarios.
### Prevention and Mitigation Strategies
- Limit user permissions to only what is necessary for their role.
- Use a deny-by-default approach, explicitly granting access only where needed.
### 2. **Implement Role-Based Access Control (RBAC)**
- Define roles and permissions clearly (e.g., user, moderator, admin).
- Ensure role changes and assignments are validated.
- Perform access control checks on the server rather than relying on client-side controls.
- Validate every request to confirm the user’s permissions before granting access.
- Use indirect references (e.g., UUIDs) for sensitive objects instead of predictable IDs.
- Implement authorization checks before processing these references.
- Use authentication and authorization layers for all API endpoints.
- Validate user input and implement rate-limiting to prevent abuse.
### 6. Audit and Monitor Access Logs
- Track and review access attempts for unauthorized actions.
- Implement alerts for suspicious activity, such as repeated failed access attempts.
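The mitigation items above fit together in one authorization layer: a deny-by-default permission matrix per role, role lookups and role changes validated on the server, per-user indirect (UUID) references in place of predictable ids, and an audit log of denied attempts with an alert threshold. The following added example (not the article's code; every role, user, object and the threshold value are constructed assumptions) wires those pieces together in one class.

```python
# Added example (not from the original article): a small authorization layer
# combining deny-by-default role permissions, indirect (UUID) object
# references, validated role assignment, and an audit log with an alert
# threshold. All roles, users, objects and the threshold are constructed.
import uuid
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Deny-by-default policy: any action not listed for a role is refused.
POLICY = {
    "user":      {"invoice:read_own"},
    "moderator": {"invoice:read_own", "invoice:read_any"},
    "admin":     {"invoice:read_own", "invoice:read_any", "user:set_role"},
}
VALID_ROLES = set(POLICY)

# Roles live server-side; sessions map an opaque token to a user id only.
USER_ROLES = {"alice": "user", "bob": "user", "mia": "moderator", "root": "admin"}
SESSIONS = {"sess-a": "alice", "sess-m": "mia", "sess-root": "root"}

# Internal records keyed by predictable database ids that are never exposed.
INVOICES = {101: {"owner": "alice"}, 102: {"owner": "bob"}}


class ReferenceMap:
    """Per-user indirect references: each user gets their own random UUID for
    an object, so a reference issued to one user is meaningless in another
    user's session and the id space cannot be enumerated (101, 102, 103...)."""

    def __init__(self) -> None:
        self._by_user: Dict[str, Dict[str, int]] = {}

    def issue(self, user: str, internal_id: int) -> str:
        ref = str(uuid.uuid4())
        self._by_user.setdefault(user, {})[ref] = internal_id
        return ref

    def resolve(self, user: str, ref: str) -> Optional[int]:
        # Lookup is scoped to the requesting user: bob's ref never resolves for alice.
        return self._by_user.get(user, {}).get(ref)


class AccessController:
    def __init__(self, refs: ReferenceMap, alert_threshold: int = 3) -> None:
        self.refs = refs
        self.audit: List[Tuple[str, str, str]] = []   # (user, action, outcome)
        self.denials: Counter = Counter()
        self.alert_threshold = alert_threshold        # assumed value

    def _log(self, user: str, action: str, outcome: str) -> None:
        self.audit.append((user, action, outcome))
        if outcome == "DENY":
            self.denials[user] += 1

    def suspicious(self, user: str) -> bool:
        """Alert condition: repeated denied attempts by one user."""
        return self.denials[user] >= self.alert_threshold

    def read_invoice(self, session: str, ref: str) -> Tuple[int, Optional[dict]]:
        user = SESSIONS.get(session)
        if user is None:
            return 401, None
        internal_id = self.refs.resolve(user, ref)
        if internal_id is None:                       # unknown or foreign reference
            self._log(user, "invoice:read", "DENY")
            return 404, None
        invoice = INVOICES[internal_id]
        perms = POLICY.get(USER_ROLES.get(user, ""), set())   # unknown role -> nothing
        allowed = "invoice:read_any" in perms or (
            "invoice:read_own" in perms and invoice["owner"] == user)
        if not allowed:
            self._log(user, "invoice:read", "DENY")
            return 403, None
        self._log(user, "invoice:read", "ALLOW")
        return 200, invoice

    def set_role(self, session: str, target_user: str, new_role: str) -> bool:
        """Role assignment is itself a protected action, and the new role must
        be one the policy knows about (validated assignment)."""
        user = SESSIONS.get(session)
        if user is None:
            return False
        perms = POLICY.get(USER_ROLES.get(user, ""), set())
        if "user:set_role" not in perms or new_role not in VALID_ROLES:
            self._log(user, "user:set_role", "DENY")
            return False
        USER_ROLES[target_user] = new_role
        self._log(user, "user:set_role", "ALLOW")
        return True


if __name__ == "__main__":
    refs = ReferenceMap()
    ac = AccessController(refs)
    alice_ref = refs.issue("alice", 101)
    print(ac.read_invoice("sess-a", alice_ref))       # (200, {'owner': 'alice'})
    print(ac.read_invoice("sess-a", refs.issue("bob", 102)))   # (404, None)
    print(ac.audit)
```

Two design points are worth noting. A foreign reference is answered with 404 rather than 403 so the response does not confirm that the object exists, and it is still recorded as a denial; three such denials from one user trip `suspicious()`, which is the "repeated failed access attempts" alert from the list above.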
In 2019, a broken access control vulnerability allowed attackers to scrape user data by exploiting Facebook’s “View As” feature. The flaw bypassed access control checks, exposing millions of user profiles.
- Attackers manipulated the feature to impersonate users and gain access to their accounts.
- Properly validate user permissions for every feature.
- Regularly test features for unintended privilege escalation.
- Burp Suite: For request manipulation and testing access controls.
- OWASP ZAP: Open-source tool for scanning and detecting access control vulnerabilities.
- Implement systems like OAuth 2.0 for secure role management.
- Use identity and access management (IAM) platforms like AWS IAM or Okta.
- Perform manual and automated code reviews focusing on:
- Role-based access control (RBAC) implementations.
- Parameter handling and validation.
- **Authentication & Authorization**
  - Ensure all endpoints require proper authentication.
  - Validate roles and permissions for each request.
- **Input Validation**
  - Sanitize and validate user inputs, especially in URL parameters.
- **Session Management**
  - Use secure session cookies with expiration and invalidation on logout.
- **Testing**
  - Conduct regular penetration testing and vulnerability scans.
- **Monitoring**
  - Enable logging for access attempts and monitor anomalies in real time.