Broken Access Control

Generic Broken Access Control

Overview of the Vulnerability

When access controls are broken, users are able to perform functions outside of their intended user functionality within the application. Access controls enforce, through authorization, what an authenticated user may do and which data they may reach when interacting with an application or API. Access controls can be vertical (separating privilege levels, such as user and administrator), horizontal (separating users of the same privilege level from each other's data), or context-dependent (allowing an action only in a particular application state or workflow step); together they give a user exactly their intended permissions within an application. Broken access control in this application can be leveraged by an attacker to elevate privileges, or to manipulate, destroy, or disclose data, depending on the type of access control vulnerability being exploited.

Business Impact

Broken access controls can lead to financial loss through an attacker accessing, deleting, or modifying data from within the application. This could also result in reputational damage for the business through the impact on customers' trust. The severity of the impact to the business depends on the sensitivity of the data stored in and transmitted by the application.

Steps to Reproduce

  1. Enable an HTTP interception proxy, such as Burp Suite or OWASP ZAP

  2. Use a browser to navigate to: {{URL}}

  3. Log in to an account that should not be able to perform {{action}}

  4. Forward the following request to the endpoint:

{{request}}

  5. Observe that the account now has additional user functionality and access to data it was previously not authorized to access

Proof of Concept (PoC)

The screenshot below demonstrates the broken access control:

{{screenshot}}

Guidance

Provide a step-by-step walkthrough with screenshot on how you exploited the vulnerability. This will speed triage time and result in faster rewards.

Your submission must include evidence of the vulnerability and not be theoretical in nature. For a broken access control vulnerability, please include a simple URL or HTTP payload that can be executed to easily demonstrate and reproduce the issue.

Attempt to escalate the broken access control to perform additional actions (such as an account takeover or sensitive data exposure). If this is possible, provide a full Proof of Concept here.

Recommendation(s)

Broken access controls can be remediated by implementing a handful of best practices relating to authorization and access control enforcement. These include:

  • Ensuring that access controls are designed thoroughly upfront, enforced on the server side, and applied to every request, including API calls and direct object references. Deny by default: any request that is not explicitly allowed should be refused, and the authorization decision should be made in one central place rather than re-implemented in each handler.

  • All users, programs and processes should follow the principle of least privilege and be given only as much access as is needed to complete their business functions.

  • An application's code should not contain hardcoded role checks scattered through individual handlers, as these become fragile and difficult to enforce and audit. Define roles and the actions they permit in one policy that can be reviewed and tested.
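The following is an added example written for this page, not code from Bugcrowd or from any real application, showing the recommendations above in working form. It models a small document API with a vulnerable handler that trusts the client-supplied document ID and action, next to a hardened handler whose every action passes through a single deny-by-default policy covering a vertical control (delete is admin-only), a horizontal control (only the owner may read) and a context-dependent control (publish is allowed only from the draft state). All names (`Role`, `Document`, `POLICY`, `handle_vulnerable`, `handle_secure`) and the sample documents are illustrative assumptions.

```python
# Added example: deny-by-default authorization for a document API.
# Role, User, Document, POLICY and the handlers are illustrative names,
# not taken from any real application.
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional, Tuple


class Role(Enum):
    USER = "user"
    ADMIN = "admin"


@dataclass
class User:
    id: int
    role: Role


@dataclass
class Document:
    id: int
    owner_id: int
    status: str = "draft"  # "draft" or "published"


def sample_docs() -> Dict[int, Document]:
    """Constructed fixture: two documents owned by two different users."""
    return {
        1: Document(id=1, owner_id=1, status="draft"),
        2: Document(id=2, owner_id=2, status="published"),
    }


# --- Vulnerable handler: only checks that a user is logged in --------------
def handle_vulnerable(user: User, action: str, doc_id: int,
                      docs: Dict[int, Document]) -> Tuple[int, Optional[Document]]:
    """Any authenticated user can read, publish or delete any document:
    horizontal (read), context-dependent (publish) and vertical (delete)
    controls are all missing."""
    doc = docs.get(doc_id)
    if doc is None:
        return 404, None
    if action == "read":
        return 200, doc
    if action == "publish":
        doc.status = "published"
        return 200, doc
    if action == "delete":
        del docs[doc_id]
        return 204, None
    return 400, None


# --- Hardened handler: one explicit, central policy ------------------------
# Each rule answers "may this user perform this action on this document?".
POLICY: Dict[str, Callable[[User, Document], bool]] = {
    # horizontal control: only the owner (or an admin) may read
    "read": lambda u, d: u.role is Role.ADMIN or d.owner_id == u.id,
    # context-dependent control: the owner may publish, but only from draft
    "publish": lambda u, d: d.owner_id == u.id and d.status == "draft",
    # vertical control: deletion is an admin-only function
    "delete": lambda u, d: u.role is Role.ADMIN,
}


def authorize(user: User, action: str, doc: Document) -> bool:
    """Deny by default: an action with no rule in POLICY is refused."""
    rule = POLICY.get(action)
    return rule is not None and bool(rule(user, doc))


def handle_secure(user: User, action: str, doc_id: int,
                  docs: Dict[int, Document]) -> Tuple[int, Optional[Document]]:
    """Same functionality, but every action is authorized before it runs."""
    doc = docs.get(doc_id)
    if doc is None:
        return 404, None
    if not authorize(user, action, doc):
        return 403, None
    if action == "read":
        return 200, doc
    if action == "publish":
        doc.status = "published"
        return 200, doc
    if action == "delete":
        del docs[doc_id]
        return 204, None
    return 400, None  # unreachable: POLICY only holds rules for handled actions


if __name__ == "__main__":
    alice, bob = User(1, Role.USER), User(2, Role.USER)
    docs = sample_docs()
    print("vulnerable, bob reads alice's doc:", handle_vulnerable(bob, "read", 1, docs)[0])
    print("secure, bob reads alice's doc:    ", handle_secure(bob, "read", 1, docs)[0])
```

The hardened handler answers 403 for every denied request, including actions that have no policy rule at all, which is the deny-by-default behaviour the recommendation calls for. One practical caveat: when the mere existence of a resource is sensitive, return the same 404 for "not found" and "not authorized" so that an attacker cannot enumerate valid object IDs by comparing 403 against 404.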

For more information, refer to the following resources:
