Secure Code Warrior

Coders Conquer Security: Share & Learn Series - Broken Access Control

When you build a business application, whether for internal use or external use by your customers, you probably don't let every user perform every single function. If you do, you may be vulnerable to broken access control.


Let's take a look at what broken access control is, why it's so dangerous, and how to fix it.

Understand Broken Access Control

Broken access control occurs when application code does not have the proper security or access checks in place. It can also occur when an application is misconfigured in some way, allowing access to functions or pages to which the user should not have access.

If you handle the finances of your company, you may have access to deposit money into certain accounts or transfer money between your company's accounts. However, you shouldn't have access to withdraw cash from those accounts or transfer money to other accounts. If the proper access checks are not present, then your employees may be able to perform more functions than necessary.

These checks can either be done within the code or in configuration files. For example, there may be XML configuration files that tell the web application framework which users are allowed to access which pages. This ensures that users can only access the functions they are authorized to use.

Why Broken Access Control is Dangerous

Consider this example: An attacker has realized that your user account creation code can be manipulated, allowing the attacker to create an admin user with a simple POST request. They can send a request with the username and password, and then change it en route to add a role of admin, either as a parameter in the URL or as a field in the body of the request. The attacker logs into the application and is instantly given administrator rights.
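The account-creation weakness just described is a mass-assignment problem: the handler copies whatever fields arrive in the request into the new user, so a client-supplied role is honoured. The following is an added example, not code from the original post or from Secure Code Warrior, showing a handler that trusts the request beside one that assigns the role server-side and rejects any field the signup form is not allowed to set. The field names, the `User` type and the placeholder password hashing are assumptions made for the example.

```python
# Added example (not from the original post): a signup handler that binds the
# client-supplied "role" field, next to a hardened version that does not.
import hashlib
from dataclasses import dataclass

# The only fields a self-service signup request is allowed to set (assumption).
ALLOWED_SELF_SERVICE_FIELDS = {"username", "password"}


@dataclass
class User:
    username: str
    password_hash: str
    role: str


def hash_password(password: str) -> str:
    # Placeholder for the example only; a real application would use a
    # dedicated password hashing function such as bcrypt or argon2.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def create_user_vulnerable(request_body: dict) -> User:
    """Copies every field from the request, so 'role': 'admin' is honoured."""
    return User(
        username=request_body["username"],
        password_hash=hash_password(request_body["password"]),
        role=request_body.get("role", "user"),
    )


def create_user_fixed(request_body: dict) -> User:
    """Accepts only the self-service fields; the role is always assigned here."""
    unexpected = set(request_body) - ALLOWED_SELF_SERVICE_FIELDS
    if unexpected:
        # Worth logging: the request tried to set a field the client does not control.
        raise ValueError(f"unexpected fields in signup request: {sorted(unexpected)}")
    return User(
        username=request_body["username"],
        password_hash=hash_password(request_body["password"]),
        role="user",  # privilege is granted by an administrator later, never by the signup form
    )


if __name__ == "__main__":
    # Constructed sample request with a tampered role field.
    tampered = {"username": "mallory", "password": "hunter2", "role": "admin"}
    print("vulnerable handler assigned role:", create_user_vulnerable(tampered).role)
    try:
        create_user_fixed(tampered)
    except ValueError as exc:
        print("fixed handler rejected request:", exc)
```

Rejecting the request rather than silently dropping the extra field is a deliberate choice: a signup request carrying a `role` field is a tampering signal, and an explicit error gives the application something to log and alert on.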

It doesn't always have to be a malicious attacker penetrating a system. Without proper access controls, sensitive information that shouldn't be shared between departments may leak out. Imagine if any employee in the company could see HR payroll data or financial data. What would happen if any employee could see that layoffs are coming because of the poor financial situation of the company? This could be damaging to your morale and your company's reputation.

Sensitive information of customers could also be lost. Companies often store personal information of customers that use their services. Be careful not to accidentally expose this because of a lack of access control. For example, if your system gives users the ability to request their health record, do they also have the ability to request and see the health information of others? If the URL contains a customer ID number, attackers could increment that customer ID number over and over again until they find one that matches another customer, thus revealing their personal data.

Defeat Broken Access Control

Role-based access control (RBAC) is a very effective tool for implementing sound access control. Those using Active Directory may be familiar with the idea of creating groups and giving access to certain items across the group, instead of to the individual. Applications work the same way, using roles to define who is allowed to see what.

This has two advantages. First, a function doesn't have to be changed when somebody leaves the administrator role. If somebody was previously an administrator and now no longer should be, then you simply place a new person into the administrator role and remove the previous person from the role. The code checks to see if the user has the administrator role instead of checking to see if each individual user has access to a certain page or function.

The second benefit is avoiding a maintenance nightmare. Access control that is so granular that every person has associations with every single possible function or page will be impossible to manage over time. Roles make things much easier, because multiple people can be added to a role. One role may include the entire company, while another may have only five people. This makes managing the roles more efficient, as there will be fewer roles to manage. A company of 10,000 people could have only 100 roles instead of 10,000 times the number of functions in your application. Research your chosen application framework to see what options exist for robust access control.

It is also critical to use function-level access control. Protect access to all functions by requiring users to pass certain access control checks. Use the principle of least privilege, denying access by default and only opening access on an as-needed basis. It can be difficult to remember to implement access control for each function. Use a central component to manage and enforce access control.
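To make the last two points concrete, here is an added example (not code from the original post or from Secure Code Warrior) of a small central authorization component: roles map to permissions, every protected function declares the permission it needs through one decorator, and anything not explicitly granted is denied. It also covers the health-record case from the earlier section, where the function-level check is followed by an object-level ownership check so that a guessed customer ID does not return someone else's record. The role names, permission strings, `Principal` type and sample records are all constructed for the example.

```python
# Added example (not from the original post): central, deny-by-default
# role-based access control with an object-level ownership check.
from dataclasses import dataclass, field
from functools import wraps

# Role -> granted permissions. Constructed for the example; a real application
# would load this from its framework's access-control configuration.
ROLE_PERMISSIONS = {
    "employee": {"records:read_own"},
    "finance":  {"records:read_own", "accounts:deposit", "accounts:transfer_internal"},
    "admin":    {"records:read_own", "records:read_any", "users:manage"},
}


@dataclass
class Principal:
    user_id: int
    roles: set = field(default_factory=set)


class AccessDenied(Exception):
    pass


def has_permission(principal: Principal, permission: str) -> bool:
    """Deny by default: only an explicit grant through one of the user's roles returns True."""
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in principal.roles)


def requires(permission: str):
    """Decorator that makes the function-level check unavoidable for every protected function."""
    def decorator(func):
        @wraps(func)
        def wrapper(principal: Principal, *args, **kwargs):
            if not has_permission(principal, permission):
                raise AccessDenied(f"user {principal.user_id} lacks {permission}")
            return func(principal, *args, **kwargs)
        return wrapper
    return decorator


# Constructed sample data: health records keyed by customer ID.
HEALTH_RECORDS = {
    1001: {"owner_id": 1001, "summary": "record for customer 1001"},
    1002: {"owner_id": 1002, "summary": "record for customer 1002"},
}


@requires("records:read_own")
def get_health_record(principal: Principal, record_id: int) -> dict:
    """Function-level check via the decorator, then an ownership check on the object itself."""
    record = HEALTH_RECORDS.get(record_id)
    if record is None:
        # Same error as a denial, so probing IDs does not reveal which ones exist.
        raise AccessDenied(f"user {principal.user_id} may not read record {record_id}")
    if record["owner_id"] != principal.user_id and not has_permission(principal, "records:read_any"):
        raise AccessDenied(f"user {principal.user_id} may not read record {record_id}")
    return record


@requires("accounts:transfer_internal")
def transfer_between_company_accounts(principal: Principal, amount: int, src: str, dst: str) -> str:
    """Finance staff may move money between the company's own accounts; nobody else may."""
    return f"transferred {amount} from {src} to {dst}"


if __name__ == "__main__":
    alice = Principal(1001, {"employee"})
    admin = Principal(1, {"admin"})
    print(get_health_record(alice, 1001)["summary"])
    print(get_health_record(admin, 1002)["summary"])
    try:
        get_health_record(alice, 1002)
    except AccessDenied as exc:
        print("denied:", exc)
```

Because the permission check lives in one place, adding a function means declaring its permission once, and removing someone's administrator access means editing the role membership, not the code. A role that is unknown to `ROLE_PERMISSIONS` grants nothing, which is what "deny by default" means in practice.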

Protect Your Sensitive Functions

Broken access control can leave your data and your application wide open for attack and exploitation. Customer data that is not protected properly could lead to a massive data breach, hurting your reputation and your revenue.

Broken access control could also lead to account takeover if attackers are able to access functionality they shouldn't access. Use proper function-level access control and you'll keep your application safe from malicious attackers, and even accidental insiders.

Think you're all over function-level access control? You can challenge yourself to repair broken access control now: [Start Here]