Preventing Broken Access Control Vulnerabilities in Web Applications

Understanding Broken Access Control 

Access control is crucial for modern web development as it enables the management of how users, processes, and devices should be granted permissions to application functions and resources. Access control mechanisms also determine the level of access permitted and manifest activities carried out by specific entities. Broken access control vulnerabilities arise when a malicious user abuses the constraints on the actions they are allowed to perform or the objects they can access. Attackers typically leverage access control failures to gain unauthorized access to resources within the web application, run malicious commands, or gain a privileged user‘s permission.

This blog discusses broken access control vulnerabilities and common prevention techniques to better secure your web applications.

Access control issues enable unauthorized users to access, modify, and delete resources or perform actions that exceed their intended permissions. Broken access control encompasses various security vulnerabilities typically exploited to elevate privilege levels. Developing secure and effective access control schemes is often a complex undertaking that spans multiple application functions that were not designed deliberately but have evolved with the application. It’s easy to overlook how entities access resources when implementing these schemes, resulting in hidden authorization flaws. Such control flaws are typically easy to discover and exploit, making them a popular target for common attacks.

Types of Broken Access Control Vulnerabilities

Broken access control vulnerabilities mostly lead to privilege escalation attacks and are characterized by how the malicious user exploits and modifies access rights. The primary forms of access control vulnerabilities include:

Horizontal Privilege Escalation

Horizontal privilege escalation vulnerabilities occur when a user can obtain access to the accounts of other regular users with the same level of permissions. An attacker can leverage these vulnerabilities to get the legitimate user‘s data and use it for a wide range of malicious acts such as ransomware attacks, financial fraud/unauthorized money transfer, exposure of sensitive files, and data deletion. A horizontal privilege escalation attack usually does not require sophisticated attack tooling and can be orchestrated with a few simple steps, such as:

• Modifying the URL‘s request ID parameter with legitimate user details obtained through some form of social engineering
• Reviewing the application code to identify authentication vulnerabilities at the source code level
• Using third-party code review tools combined with security testing tools
• Enumerating user accounts on Linux machines maintains their hold of the identification process

Context-based Privilege Escalation

A hybrid attack in which the malicious user first obtains access to regular user accounts and then uses broken vertical access controls to gain administrative rights. Context-based privilege escalation attacks also involve business logic exploitation that allows users to perform usually impossible actions within their security context. Examples of context-based privilege escalation include:

• Leveraging Insecure Direct Object Reference vulnerabilities to access critical resources via user-supplied input
• Using corrupt HTTP referrer headers to access functionality and sensitive files beyond their permitted context
• Location-based attacks

Vertical Privilege Escalation

Vertical privilege escalation, also known as privilege elevation, allows an unauthorized user to gain higher privilege levels, typically admin privileges. Vertical privilege elevation usually follows an initial attack, as the malicious user intends to obtain permissions beyond what the compromised subject already has. When compared to horizontal escalation, vertical privilege escalation attacks are more sophisticated since the hacker is required to perform root or kernel-level modifications to obtain administrative access.

Once the attackers gain access rights of admin users, they can inject malicious payloads at the code level, disrupt a sensitive business function, or impact the availability of the application‘s critical resources. Some common techniques hackers use to abuse vertical access controls include:

• Using the Windows Sysinternals suite to create backdoor administrative users
• Using process injection to mimic administrative functions
• Leveraging directory listing vulnerabilities to disclose information about the access control policy
• Using social engineering for direct access to admin accounts

Detecting Broken Access Control Vulnerabilities

Through comprehensive application security testing, Veracode Dynamic Analysis helps you generate an in-depth analysis of your tech stack’s security and access control. The platform includes scanners that collectively analyzes for broken access control vulnerabilities. These scanners include:

• CSRF Scanner: Helps prevent access control attacks using malicious payloads submitted through a trusted normal user.
• URL Fuzzer Scanner: Prevents privilege escalation attacks orchestrated through forced browsing or modifying URL request parameters with a relevant admin URL.
• HTTP Header Scanner: Prevents the use of modified HTTP referrer headers to access critical resources beyond the current security context
• Fingerprinting Scanner: Detect attack surfaces that expose application server implementations, privacy laws, and the web application‘s access control policy to external domains

Veracode Dynamic Analysis reduces manual efforts, and lets developers focus quickly on implementing secure design and threat mitigation policies. The platform also offers actionable security reports that can be shared across cross-functional teams, clients, and executives, encouraging a collaborative approach to security that spans across all verticals of your organization.

Broken Access Control Prevention Techniques

Multi-factor Authentication

Multi-Factor authentication (MFA) is a zero-trust approach to administering security that deploys a series of access control checks that make it difficult for a hacker to perform malicious activities even after acquiring legitimate user credentials. This multi-layered defense strategy combines different authentication mechanisms to validate a user‘s identity. In implementation, two or more proofs of identification (such as tokens or biometric IDs) are made a mandatory requirement before access is granted. This blocks unauthenticated users from exploiting a user account, preventing broken access control attempts.

Unlike other dynamic application security testing solutions that are disrupted by MFA setups during testing, Veracode Dynamic Analysis allows you to launch dynamic scans that automatically support your MFA configurations. This allows you to perform dynamic testing on web applications and APIs without turning off your MFA setup, helping you achieve a more automated dynamic scanning experience that ensures alignment with best practices.

Test and Audit Access Controls Frequently

Apart from manually testing control mechanisms, it is also recommended to adopt  automated scanning tools for continuous monitoring of access control flaws that misalign with an organization‘s security policy. While continuous testing and vulnerability scanning help teams evaluate access control mechanisms are working as intended, such tools also help uncover emerging vulnerabilities within access control systems.

Session Management

Session management is a critical consideration for building secure software. As such, the appropriate implementation of session IDs, authentication tokens, and cookies collectively prevent session hijacking attacks. Such deployments are provisioned to forcefully destroy session-associated data on an application server after a subject logs out of the application. Implementing session timeouts that require re-authentication and a fresh token when a user connects to the server after logout is also recommended. It is also a best practice to not expose session IDs in URLs, as attackers could exploit these for session theft techniques.

Strengthen Your Web Applications and APIs Against Attacks

Veracode Dynamic Analysis (DAST) helps you implement best practices and a continuous, automated security testing process to prevent and detect broken access control vulnerabilities in web applications. The solution integrates with almost all popular software stacks and security platforms, helping to initiate dynamic analysis testing within minutes.

See how Veracode can help you prevent, find and fix broken access control vulnerabilities to strengthen your software against attack with a free, 14-day trial of Veracode DAST Essentials.