Broken Access Control — OWASP A01:2021

1. Broken Access Control

Explanation:

Broken Access Control refers to security vulnerabilities where an attacker can bypass authorization to perform actions or access resources they are not supposed to. Simply put, the application fails to enforce the user's intended permissions.

Access control determines what an authenticated user is allowed to do. When broken, attackers can act as higher-privileged users or access other users’ private data.

Types and Examples

• 1. Insecure Direct Object Reference (IDOR)

  Occurs when an internal object (file, ID, database key) is exposed and manipulable by attackers.

  Example: A user views their bank statement at https://example.com/api/get_statement?id=1001. Changing the ID to 1002 exposes another customer’s statement.

• 2. Vertical Privilege Escalation

  A user gains access to functionality or data restricted to higher privilege levels (admin, manager).

  Example: A standard user accesses /admin/delete_user due to missing server-side role checks.

• 3. Horizontal Privilege Escalation

  A user accesses resources belonging to another user of the same privilege level.

  Example: Modifying an API request to change the user ID in a profile update endpoint to another user's ID successfully updates their information.

• 4. Bypassing Access Checks

  Attackers circumvent access control via:

  • URL/Parameter Tampering: Changing hidden fields, cookies, or query strings to elevate privileges.
  • Force Browsing: Directly accessing restricted pages like /admin without proper redirects.
  • Missing API Access Controls: Public API endpoints performing sensitive actions without role validation.

Key Prevention Strategies

• Deny-by-Default Policy: Deny access to all resources unless explicitly allowed for roles or users.
• Principle of Least Privilege (PoLP): Grant users only the minimum necessary access to perform their tasks.
• Centralize Access Control Logic: Reuse validation code across the application to avoid missing checks.
• Use Indirect Object References: Avoid exposing internal IDs; use non-predictable tokens for resources.
• Validate User Roles and Ownership:
  • User is authenticated.
  • User is authorized or is the resource owner.