Blog

Coders Conquer Security: Share & Learn Series - Broken Access Control

Jaap Karan Singh
Published May 09, 2019

When you build a business application, whether for internal use or external use by your customers, you probably don't let every user perform every single function. If you do, you may be vulnerable to broken access control.

Let's take a look at what broken access control is, why it's so dangerous, and how to fix it.

Understand Broken Access Control

Broken access control occurs when application code does not have the proper security or access checks in place. It can also occur when an application is misconfigured in some way, allowing access to functions or pages to which the user should not have access.

If you handle the finances of your company, you may have access to deposit money into certain accounts or transfer money between your company's accounts. However, you shouldn't have access to withdraw cash from those accounts or transfer money to other accounts. If the proper access checks are not present, then your employees may be able to perform more functions than necessary.

These checks can either be done within the code or in configuration files. For example, there may be XML configuration files that tell the web application framework which users are allowed to access which pages. This ensures that users can only access the functions they are authorized to use.

Why Broken Access Control is Dangerous

Consider this example: An attacker has realized that your user account creation code can be manipulated, allowing the attacker to create an admin user with a simple post request. They can send a request with the username and password, and then change it en route to include the role of admin in the URL as a parameter, or in the body of the request. The attacker logs into the application and is instantly given administrator rights.

It doesn't always have to be a malicious attacker penetrating a system. Without proper access controls, sensitive information that shouldn't be shared between departments may leak out. Imagine if any employee in the company could see HR payroll data or financial data. What would happen if any employee could see that layoffs are coming because of the poor financial situation of the company? This could be damaging to your morale and your company's reputation.

Sensitive information of customers could also be lost. Companies often store personal information of customers that use their services. Be careful not to accidentally expose this because of a lack of access control. For example, if your system gives users the ability to request their health record, do they also have the ability to request and see the health information of others? If the URL contains a customer ID number, attackers could increment that customer ID number over and over again until they find one that matches another customer, thus revealing their personal data.

Defeat Broken Access Control

Role-based access control (RBAC) is a very effective tool for implementing sound access control. Those using Active Directory may be familiar with the idea of creating groups and giving access to certain items across the group, instead of to the individual. Applications work the same way, using roles to define who is allowed to see what.

This has two advantages. First, a function doesn't have to be changed when somebody leaves the administrator role. If somebody was previously an administrator and now no longer should be, then you simply place a new person into the administrator role and remove the previous person from the role. The code checks to see if the user has the administrator role instead of checking to see if each individual user has access to a certain page or function.

The second benefit is avoiding a maintenance nightmare. Access control that is so granular that every person has associations with every single possible function or page will be impossible to manage over time. Roles make things much easier, because multiple people can be added to a role. One role may include the entire company, while another may have only five people. This makes managing the roles more efficient, as there will be fewer roles to manage. A company of 10,000 people could have only 100 roles instead of 10,000 times the number of functions in your application. Research your chosen application framework to see what options exist for robust access control.

It is also critical to use function-level access control. Protect access to all functions by requiring users to pass certain access control checks. Use the principle of least privilege, denying access by default and only opening access on an as-needed basis. It can be difficult to remember to implement access control for each function. Use a central component to manage and enforce access control.

Protect Your Sensitive Functions

Broken access control can leave your data and your application wide open for attack and exploitation. Customer data that is not protected properly could lead to a massive data breach, hurting your reputation and your revenue.

Broken access control could also lead to account takeover if attackers are able to access functionality they shouldn't access. Use proper functional level access control and you'll keep your application safe from malicious attackers, and even accidental insiders.

Think you're all over functional level access? You can challenge yourself to repair broken access control now: [Start Here]

View Resource
View Resource

When you build a business application, whether for internal use or external use by your customers, you probably don't let every user perform every single function. If you do, you may be vulnerable to broken access control.

Interested in more?

Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.

Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.

Book a demo
Share on:
Author
Jaap Karan Singh
Published May 09, 2019

Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.

Share on:

When you build a business application, whether for internal use or external use by your customers, you probably don't let every user perform every single function. If you do, you may be vulnerable to broken access control.

Let's take a look at what broken access control is, why it's so dangerous, and how to fix it.

Understand Broken Access Control

Broken access control occurs when application code does not have the proper security or access checks in place. It can also occur when an application is misconfigured in some way, allowing access to functions or pages to which the user should not have access.

If you handle the finances of your company, you may have access to deposit money into certain accounts or transfer money between your company's accounts. However, you shouldn't have access to withdraw cash from those accounts or transfer money to other accounts. If the proper access checks are not present, then your employees may be able to perform more functions than necessary.

These checks can either be done within the code or in configuration files. For example, there may be XML configuration files that tell the web application framework which users are allowed to access which pages. This ensures that users can only access the functions they are authorized to use.

Why Broken Access Control is Dangerous

Consider this example: An attacker has realized that your user account creation code can be manipulated, allowing the attacker to create an admin user with a simple post request. They can send a request with the username and password, and then change it en route to include the role of admin in the URL as a parameter, or in the body of the request. The attacker logs into the application and is instantly given administrator rights.

It doesn't always have to be a malicious attacker penetrating a system. Without proper access controls, sensitive information that shouldn't be shared between departments may leak out. Imagine if any employee in the company could see HR payroll data or financial data. What would happen if any employee could see that layoffs are coming because of the poor financial situation of the company? This could be damaging to your morale and your company's reputation.

Sensitive information of customers could also be lost. Companies often store personal information of customers that use their services. Be careful not to accidentally expose this because of a lack of access control. For example, if your system gives users the ability to request their health record, do they also have the ability to request and see the health information of others? If the URL contains a customer ID number, attackers could increment that customer ID number over and over again until they find one that matches another customer, thus revealing their personal data.

Defeat Broken Access Control

Role-based access control (RBAC) is a very effective tool for implementing sound access control. Those using Active Directory may be familiar with the idea of creating groups and giving access to certain items across the group, instead of to the individual. Applications work the same way, using roles to define who is allowed to see what.

This has two advantages. First, a function doesn't have to be changed when somebody leaves the administrator role. If somebody was previously an administrator and now no longer should be, then you simply place a new person into the administrator role and remove the previous person from the role. The code checks to see if the user has the administrator role instead of checking to see if each individual user has access to a certain page or function.

The second benefit is avoiding a maintenance nightmare. Access control that is so granular that every person has associations with every single possible function or page will be impossible to manage over time. Roles make things much easier, because multiple people can be added to a role. One role may include the entire company, while another may have only five people. This makes managing the roles more efficient, as there will be fewer roles to manage. A company of 10,000 people could have only 100 roles instead of 10,000 times the number of functions in your application. Research your chosen application framework to see what options exist for robust access control.

It is also critical to use function-level access control. Protect access to all functions by requiring users to pass certain access control checks. Use the principle of least privilege, denying access by default and only opening access on an as-needed basis. It can be difficult to remember to implement access control for each function. Use a central component to manage and enforce access control.

Protect Your Sensitive Functions

Broken access control can leave your data and your application wide open for attack and exploitation. Customer data that is not protected properly could lead to a massive data breach, hurting your reputation and your revenue.

Broken access control could also lead to account takeover if attackers are able to access functionality they shouldn't access. Use proper functional level access control and you'll keep your application safe from malicious attackers, and even accidental insiders.

Think you're all over functional level access? You can challenge yourself to repair broken access control now: [Start Here]

View Resource
View Resource

Fill out the form below to download the report

We would like your permission to send you information on our products and/or related secure coding topics. We’ll always treat your personal details with the utmost care and will never sell them to other companies for marketing purposes.

Submit
To submit the form, please enable 'Analytics' cookies. Feel free to disable them again once you're done.

When you build a business application, whether for internal use or external use by your customers, you probably don't let every user perform every single function. If you do, you may be vulnerable to broken access control.

Let's take a look at what broken access control is, why it's so dangerous, and how to fix it.

Understand Broken Access Control

Broken access control occurs when application code does not have the proper security or access checks in place. It can also occur when an application is misconfigured in some way, allowing access to functions or pages to which the user should not have access.

If you handle the finances of your company, you may have access to deposit money into certain accounts or transfer money between your company's accounts. However, you shouldn't have access to withdraw cash from those accounts or transfer money to other accounts. If the proper access checks are not present, then your employees may be able to perform more functions than necessary.

These checks can either be done within the code or in configuration files. For example, there may be XML configuration files that tell the web application framework which users are allowed to access which pages. This ensures that users can only access the functions they are authorized to use.

Why Broken Access Control is Dangerous

Consider this example: An attacker has realized that your user account creation code can be manipulated, allowing the attacker to create an admin user with a simple post request. They can send a request with the username and password, and then change it en route to include the role of admin in the URL as a parameter, or in the body of the request. The attacker logs into the application and is instantly given administrator rights.

It doesn't always have to be a malicious attacker penetrating a system. Without proper access controls, sensitive information that shouldn't be shared between departments may leak out. Imagine if any employee in the company could see HR payroll data or financial data. What would happen if any employee could see that layoffs are coming because of the poor financial situation of the company? This could be damaging to your morale and your company's reputation.

Sensitive information of customers could also be lost. Companies often store personal information of customers that use their services. Be careful not to accidentally expose this because of a lack of access control. For example, if your system gives users the ability to request their health record, do they also have the ability to request and see the health information of others? If the URL contains a customer ID number, attackers could increment that customer ID number over and over again until they find one that matches another customer, thus revealing their personal data.

Defeat Broken Access Control

Role-based access control (RBAC) is a very effective tool for implementing sound access control. Those using Active Directory may be familiar with the idea of creating groups and giving access to certain items across the group, instead of to the individual. Applications work the same way, using roles to define who is allowed to see what.

This has two advantages. First, a function doesn't have to be changed when somebody leaves the administrator role. If somebody was previously an administrator and now no longer should be, then you simply place a new person into the administrator role and remove the previous person from the role. The code checks to see if the user has the administrator role instead of checking to see if each individual user has access to a certain page or function.

The second benefit is avoiding a maintenance nightmare. Access control that is so granular that every person has associations with every single possible function or page will be impossible to manage over time. Roles make things much easier, because multiple people can be added to a role. One role may include the entire company, while another may have only five people. This makes managing the roles more efficient, as there will be fewer roles to manage. A company of 10,000 people could have only 100 roles instead of 10,000 times the number of functions in your application. Research your chosen application framework to see what options exist for robust access control.

It is also critical to use function-level access control. Protect access to all functions by requiring users to pass certain access control checks. Use the principle of least privilege, denying access by default and only opening access on an as-needed basis. It can be difficult to remember to implement access control for each function. Use a central component to manage and enforce access control.

Protect Your Sensitive Functions

Broken access control can leave your data and your application wide open for attack and exploitation. Customer data that is not protected properly could lead to a massive data breach, hurting your reputation and your revenue.

Broken access control could also lead to account takeover if attackers are able to access functionality they shouldn't access. Use proper functional level access control and you'll keep your application safe from malicious attackers, and even accidental insiders.

Think you're all over functional level access? You can challenge yourself to repair broken access control now: [Start Here]

Access resource

Click on the link below and download the PDF of this resource.

Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.

View reportBook a demo
Download PDF
View Resource
Share on:
Interested in more?

Share on:
Author
Jaap Karan Singh
Published May 09, 2019

Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.

Share on:

When you build a business application, whether for internal use or external use by your customers, you probably don't let every user perform every single function. If you do, you may be vulnerable to broken access control.

Let's take a look at what broken access control is, why it's so dangerous, and how to fix it.

Understand Broken Access Control

Broken access control occurs when application code does not have the proper security or access checks in place. It can also occur when an application is misconfigured in some way, allowing access to functions or pages to which the user should not have access.

If you handle the finances of your company, you may have access to deposit money into certain accounts or transfer money between your company's accounts. However, you shouldn't have access to withdraw cash from those accounts or transfer money to other accounts. If the proper access checks are not present, then your employees may be able to perform more functions than necessary.

These checks can either be done within the code or in configuration files. For example, there may be XML configuration files that tell the web application framework which users are allowed to access which pages. This ensures that users can only access the functions they are authorized to use.

Why Broken Access Control is Dangerous

Consider this example: An attacker has realized that your user account creation code can be manipulated, allowing the attacker to create an admin user with a simple post request. They can send a request with the username and password, and then change it en route to include the role of admin in the URL as a parameter, or in the body of the request. The attacker logs into the application and is instantly given administrator rights.

It doesn't always have to be a malicious attacker penetrating a system. Without proper access controls, sensitive information that shouldn't be shared between departments may leak out. Imagine if any employee in the company could see HR payroll data or financial data. What would happen if any employee could see that layoffs are coming because of the poor financial situation of the company? This could be damaging to your morale and your company's reputation.

Sensitive information of customers could also be lost. Companies often store personal information of customers that use their services. Be careful not to accidentally expose this because of a lack of access control. For example, if your system gives users the ability to request their health record, do they also have the ability to request and see the health information of others? If the URL contains a customer ID number, attackers could increment that customer ID number over and over again until they find one that matches another customer, thus revealing their personal data.

Defeat Broken Access Control

Role-based access control (RBAC) is a very effective tool for implementing sound access control. Those using Active Directory may be familiar with the idea of creating groups and giving access to certain items across the group, instead of to the individual. Applications work the same way, using roles to define who is allowed to see what.

This has two advantages. First, a function doesn't have to be changed when somebody leaves the administrator role. If somebody was previously an administrator and now no longer should be, then you simply place a new person into the administrator role and remove the previous person from the role. The code checks to see if the user has the administrator role instead of checking to see if each individual user has access to a certain page or function.

The second benefit is avoiding a maintenance nightmare. Access control that is so granular that every person has associations with every single possible function or page will be impossible to manage over time. Roles make things much easier, because multiple people can be added to a role. One role may include the entire company, while another may have only five people. This makes managing the roles more efficient, as there will be fewer roles to manage. A company of 10,000 people could have only 100 roles instead of 10,000 times the number of functions in your application. Research your chosen application framework to see what options exist for robust access control.

It is also critical to use function-level access control. Protect access to all functions by requiring users to pass certain access control checks. Use the principle of least privilege, denying access by default and only opening access on an as-needed basis. It can be difficult to remember to implement access control for each function. Use a central component to manage and enforce access control.

Protect Your Sensitive Functions

Broken access control can leave your data and your application wide open for attack and exploitation. Customer data that is not protected properly could lead to a massive data breach, hurting your reputation and your revenue.

Broken access control could also lead to account takeover if attackers are able to access functionality they shouldn't access. Use proper functional level access control and you'll keep your application safe from malicious attackers, and even accidental insiders.

Think you're all over functional level access? You can challenge yourself to repair broken access control now: [Start Here]

Table of contents

Download PDF
View Resource
Interested in more?

Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.

Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.

Book a demoDownload
Share on:
Resource hub

Resources to get you started

More posts
Resource hub

Resources to get you started

More posts