With most of the vulnerabilities we have explored so far, we have taken the time to learn about the feature being exploited. This article will be no different as we take a look at broken access control.
What is access control?
Access control is an authentication and authorisation task that determines if individuals can access, see, and use information. Access control’s goal is to guarantee that users are who they say they are and have permission to access company data.
Access control sets the rules for critical questions such as who may access your company’s information and data, and whether the specific person attempting to access a resource is permitted to do so. Access control also governs when to deny access to a person who otherwise holds access privileges.
What is broken access control?
Broken access control occurs when users are able to reach data or functionality that they are not authorised to access.
OWASP: Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access to other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc.
Let’s take a look at two scenarios of how access control can be broken:
Scenario 1: The attacker logs into their banking app by entering their account details. When the attacker accesses their account, they observe the browser making a web server request for the account number and transaction history. The attacker then modifies the server request by altering the account ID, which results in the server responding with another user’s account details.
Scenario 2: Expanding further on the previous scenario, the attacker reviews the app’s code and notices comments stating that customer support agents can search the database of customers. The attacker crafts a database request based on those comments, and the app responds with a list of customer account numbers.
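The Scenario 1 lookup written as a small Python handler, once with the missing check and once with the server-side ownership check that fixes it. This is an added example, not code from the article or from OmniCyber; the in-memory account store, the user names and the function names are all constructed for illustration.

```python
"""Added example (not from the original article): the account-lookup
endpoint from Scenario 1, first as the vulnerable pattern and then with
the ownership check that fixes it. ACCOUNTS, the user names and the
function names are constructed for illustration."""


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the requested account."""


# Constructed sample data: account id -> owner and account details.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 250.00, "history": ["deposit 250.00"]},
    "1002": {"owner": "bob", "balance": 900.00, "history": ["deposit 900.00"]},
}


def get_account_vulnerable(session_user: str, account_id: str) -> dict:
    """Broken access control: the handler trusts the account_id taken from
    the request and never compares it with the logged-in user, so any
    authenticated user can read any account by changing the id."""
    if account_id not in ACCOUNTS:
        raise KeyError(account_id)
    return ACCOUNTS[account_id]  # session_user is never consulted


def owns_account(session_user: str, account_id: str) -> bool:
    """Authorisation decision made on the server from the session identity,
    never from a value the client supplied."""
    account = ACCOUNTS.get(account_id)
    return account is not None and account["owner"] == session_user


def get_account_fixed(session_user: str, account_id: str) -> dict:
    """Fixed handler: unknown ids and ids owned by someone else get the same
    refusal, so the endpoint cannot be used to enumerate valid accounts."""
    if not owns_account(session_user, account_id):
        # Log this server side: repeated denials from one session are a
        # useful signal that someone is walking through account ids.
        raise Forbidden(f"user {session_user!r} denied account {account_id!r}")
    return ACCOUNTS[account_id]


if __name__ == "__main__":
    print(get_account_vulnerable("alice", "1002"))  # returns bob's account
    try:
        get_account_fixed("alice", "1002")
    except Forbidden as exc:
        print("denied:", exc)
```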
Find broken access control vulnerabilities with pen testing
For access control to be effective, it needs to be introduced, continually monitored, and regularly reviewed and tested.
You can find and test for access control vulnerabilities by submitting your web application for penetration testing with OmniCyber. Our reports will help you resolve various vulnerabilities, such as broken authentication, security misconfiguration, and insufficient logging and monitoring before an attacker has the chance to interfere.
Contact us to learn more about our pen testing services.