Broken Access Control is ranked as the most serious web application security risk, holding 1st place on the OWASP Top 10 2021 list. According to OWASP's data, 94% of applications were tested for some form of broken access control, with an average incidence rate of 3.81%, making it the category with the most occurrences in the contributed dataset.
Access Control or Authorisation
In the physical world, access control means restricting who may enter a building or space: for example, badge readers grant access to different areas of a building, so a staff member can enter restricted rooms while a visitor cannot.
In a web application, access control (authorisation) is the set of constraints on which resources a user may access and which actions they may perform. For example, an administrator may have the right to modify or delete any user's account, whereas an ordinary user has no access to those actions.
Broken Access Control
Broken access control lets a user reach resources or perform actions that should be available only to those with the appropriate authorisation. The consequences can be serious: unauthorised disclosure, modification or destruction of data, execution of business functions outside the user's limits, and damage to the organisation's reputation.
According to the OWASP Top 10 2021 report, 34 Common Weakness Enumerations (CWEs) map to Broken Access Control. The most notable include exposure of sensitive information to an unauthorised actor (CWE-200), cross-site request forgery (CSRF, CWE-352) and path traversal (CWE-22). The full list of CWEs mapped to Broken Access Control is published on MITRE's Common Weakness Enumeration (CWE) site, linked under Resources below.
Example scenarios
#1
A website has two pages, one intended for ordinary users and one for administrators:
https://example-website.com/user
https://example-website.com/admin
Access control is broken if the admin page is viewable by a non-admin user. Paths like these are easy to discover: brute forcing with a wordlist, or simply reading the site's robots.txt file, will turn them up.
Suppose the admin page is instead hidden behind a less predictable URL:
https://example-website.com/admin_234862
Obscuring the URL is not an effective protection. The path is often hard-coded in client-side script, where an attacker can find it by reading the page source or JavaScript in the browser's devtools, and it can also leak through logs, bookmarks or Referer headers. A page that performs no server-side authorisation check is reachable by anyone who learns its address.
#2
After determining the user's role at login, some applications pass that role back as a query string parameter and use it to redirect the user to the permitted page.
For example:
https://example-website.com/login/home.html?admin=true
https://example-website.com/login/home.html?role=1
This approach is insecure because the parameter is under the client's control: an attacker can simply guess and modify it to gain access to other users' accounts or to unauthorised privileges such as admin access. The role must come from server-side session state or a verified token, never from the request itself.
#3
Manipulating a JSON Web Token (JWT), a cookie or a hidden form field that carries authorisation state (such as a role or user ID) in order to elevate privileges. If the server trusts the value without verifying its integrity, for instance by skipping the JWT signature check or honouring a header rewritten to "alg": "none", the attacker simply rewrites the claim. Failing to invalidate a JWT after logout or a role change is a related weakness.
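As an added example (not code from the original article), the following Python sketch shows the JWT manipulation from scenario #3 and the server-side check that defeats it. It implements HS256 with only the standard library so it runs offline; the signing key, claim names and helper functions are constructed for the demonstration. The attacker-side helpers rewrite the role claim while keeping the old signature, and forge a token whose header claims "alg": "none"; verify_token pins the algorithm before checking the MAC, so both forgeries are rejected.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed signing key for this example only; a real service loads it from a
# secret store and never embeds it in code.
SECRET = b"example-hs256-key-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_token(claims: dict, key: bytes = SECRET) -> str:
    """Issue an HS256 JWT: header.payload.HMAC-SHA256(header.payload)."""
    header = _json_segment({"alg": "HS256", "typ": "JWT"})
    payload = _json_segment(claims)
    mac = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(mac)}"


def verify_token(token: str, key: bytes = SECRET) -> Optional[dict]:
    """Return the claims only if the token is intact; None for anything else.

    The algorithm is pinned to HS256 before the MAC is checked, so a header
    rewritten to "alg": "none" (or any other algorithm) is rejected instead
    of being honoured.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad base64, bad JSON, wrong number of segments
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # compare_digest is constant-time, so the MAC check leaks no timing information.
    if not hmac.compare_digest(expected, signature):
        return None
    return claims if isinstance(claims, dict) else None


def tamper_role(token: str, new_role: str) -> str:
    """Attacker's move for scenario #3: rewrite the role claim, keep the old signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["role"] = new_role
    return f"{header_b64}.{_json_segment(claims)}.{sig_b64}"


def alg_none_token(claims: dict) -> str:
    """Attacker's move: declare alg=none and send an empty signature."""
    header = _json_segment({"alg": "none", "typ": "JWT"})
    return f"{header}.{_json_segment(claims)}."


if __name__ == "__main__":
    issued = sign_token({"sub": "alice", "role": "user"})
    print("legitimate:", verify_token(issued))
    print("role rewritten:", verify_token(tamper_role(issued, "admin")))
    print("alg none:", verify_token(alg_none_token({"sub": "alice", "role": "admin"})))
```

Whatever library issues the tokens in practice, the two checks that matter are visible here: the accepted algorithm is fixed by the server, not read from the token, and the signature is verified before any claim is trusted.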
Remedy
The main remedy is to deny access by default: except for public resources, every request must be rejected unless an explicit rule permits it. Enforce this with a server-side access control mechanism, implemented once and reused throughout the application, so that new resources can only be reached once they are added to the allowlist. Check that the requesting user owns or is entitled to the specific record being accessed, not just the page, and log access control failures so that repeated attempts can be detected.
For more detailed CWE descriptions and remedies, see the resources below.
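The following Python sketch is an added example, not code from the original article; it serves scenarios #1 and #2 above as well as this remedy. The session table, session cookie values, route allowlist and the /users/<name> resource are all constructed for the demonstration. authorize_insecure reproduces the broken pattern (role taken from the query string, only one path ever checked); authorize reads the role from server-side session state, denies anything not on the allowlist, and, going one step beyond the scenarios above, also enforces record ownership so a user can read only their own record.

```python
from typing import Dict, Optional, Set

# Constructed session table: session cookie value -> authenticated identity.
# In a real application this comes from server-side session state or a verified
# token, never from anything the client can edit.
SESSIONS: Dict[str, Dict[str, str]] = {
    "sess-alice": {"user": "alice", "role": "user"},
    "sess-bob": {"user": "bob", "role": "admin"},
}

# Route allowlist: each protected path names the roles permitted to reach it.
# A path missing from this table is denied, which is the deny-by-default rule.
ROUTE_ROLES: Dict[str, Set[str]] = {
    "/user": {"user", "admin"},
    "/admin": {"admin"},
    "/admin_234862": {"admin"},   # an obscure URL still needs an explicit entry
}
PUBLIC_PATHS: Set[str] = {"/", "/login"}


def authorize_insecure(path: str, query: Dict[str, str]) -> bool:
    """The broken pattern from scenarios #1 and #2: the role is read from the
    query string the client sent, and only one path is ever checked."""
    if query.get("admin") == "true" or query.get("role") == "1":
        return True
    return path != "/admin"


def authorize(path: str, session_id: Optional[str]) -> bool:
    """Server-side check: the role comes from the session, not the request."""
    if path in PUBLIC_PATHS:
        return True
    session = SESSIONS.get(session_id or "")
    if session is None:
        return False                      # unauthenticated, non-public: deny
    # Record ownership (hypothetical /users/<name> resource): a user may read
    # only their own record; an admin may read any.
    if path.startswith("/users/"):
        owner = path[len("/users/"):]
        return session["role"] == "admin" or session["user"] == owner
    allowed = ROUTE_ROLES.get(path)
    if allowed is None:
        return False                      # unlisted path: deny by default
    return session["role"] in allowed


if __name__ == "__main__":
    print("insecure, ?admin=true on /admin:", authorize_insecure("/admin", {"admin": "true"}))
    print("insecure, obscured admin page:", authorize_insecure("/admin_234862", {}))
    print("secure, alice on /admin:", authorize("/admin", "sess-alice"))
    print("secure, bob on /admin:", authorize("/admin", "sess-bob"))
    print("secure, bob on unlisted path:", authorize("/secret-report", "sess-bob"))
    print("secure, alice reading bob's record:", authorize("/users/bob", "sess-alice"))
```

Note that the hardened version never looks at the query string at all, and that an unlisted path is denied even for an admin: a new page becomes reachable only when someone deliberately adds it to ROUTE_ROLES.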
Resources
https://owasp.org/Top10/A01_2021-Broken_Access_Control/
https://cwe.mitre.org/data/definitions/1344.html