A01:2021 – Broken Access Control

Questions and Answers

Which of the following is the most crucial aspect of effective access control?

  • Frequent security audits of the network infrastructure.
  • Enforcement in trusted server-side code or server-less API. (correct)
  • Using client-side JavaScript for access control checks.
  • Complex password policies for all users.

Access control failures can lead to unauthorized modification but not the destruction of data.

False (B)

What is the weakness where access should be granted only for particular capabilities, roles, or users, but is instead available to anyone?

Violation of the principle of least privilege or deny by default

Match the following attack techniques with their corresponding descriptions:

  • Parameter Tampering = Modifying URL parameters to bypass access controls.
  • Insecure Direct Object References = Permitting viewing or editing someone else's account by providing its unique identifier.
  • Elevation of Privilege = Acting as a user without being logged in or acting as an admin when logged in as a user.
  • CORS misconfiguration = Allows API access from unauthorized/untrusted origins.

Which of the following is NOT a common access control vulnerability?

Using multi-factor authentication for all user logins (C)

Access control is less effective in server-side code where the attacker can modify the access control check.

False (B)

What type of attack involves replaying or tampering with a JSON Web Token to elevate privileges?

Metadata manipulation

Failing to invalidate stateful session identifiers after logout can lead to session __________

fixation

What is the purpose of rate limiting API access?

To minimize the harm from automated attack tooling. (C)

Deny by default is not a recommended security practice.

False (B)

What does CORS stand for, in the context of web application security?

Cross-Origin Resource Sharing

Access control mechanisms should be implemented _________ and reused throughout the application.

once

What should access controls enforce regarding records?

Enforce record ownership. (C)

Web server directory listing should always be enabled for easy access to files.

False (B)

What type of tokens should be short-lived to minimize the window of opportunity for an attacker?

Stateless JWT

Logging access control failures and alerting admins is important for __________ detection.

intrusion

Which of the following is an example of a 'force browsing' attack?

Accessing authenticated pages as an unauthenticated user (D)

Functional access control unit and integration tests should NOT be included by developers and QA staff.

False (B)

What is the primary consequence of broken access control?

Unauthorized information disclosure, modification, or destruction of data. (A)

Access control is most effective when implemented in client-side code.

False (B)

What principle should be followed when granting access to resources, roles or users?

Principle of least privilege

Bypassing access control checks can be achieved by modifying the URL, internal application state, or the HTML page, which is also known as parameter __________ or force browsing.

tampering

Which of the following is an example of elevation of privilege?

A standard user accessing an admin-only page. (A)

Disabling web server directory listing helps prevent information exposure.

True (A)

What type of attack involves replaying or tampering with a JSON Web Token (JWT) to elevate privileges?

Metadata manipulation (D)

What type of session identifiers should be invalidated after logout?

Stateful session identifiers

The configuration that allows API access from unauthorized/untrusted origins is called __________ misconfiguration.

CORS

Match the following access control vulnerabilities with their descriptions:

  • Insecure Direct Object References = Permitting viewing or editing someone else's account by providing its unique identifier.
  • Force Browsing = Accessing authenticated pages as an unauthenticated user.
  • Elevation of Privilege = Acting as an admin when logged in as a user.
  • CORS Misconfiguration = Allows API access from unauthorized/untrusted origins.

Which of the following is a recommendation for preventing broken access control?

Implementing access control mechanisms once and re-using them throughout the application. (A)

What should domain models enforce regarding access controls?

Record ownership

For longer-lived JWTs, it is highly recommended to follow the __________ standards to revoke access.

OAuth

Which of the following is a failure related to access control?

permitting viewing or editing someone else's account (D)

Which of the following helps to minimize the harm from automated attack tooling?

Rate limiting API and controller access. (B)

What is the primary consequence of access control failures?

Unauthorized information disclosure, modification, or destruction of data (B)

What is the principle of least privilege?

Granting only the necessary access rights

Bypassing access control checks by modifying the URL is known as ______.

parameter tampering

Which of the following is a recommended method for preventing access control vulnerabilities?

Implementing access control mechanisms once and reusing them throughout the application (B)

Disabling web server directory listing helps prevent information disclosure.

True (A)

What type of testing should developers include to test access controls?

Functional unit and integration tests

Stateless JWT tokens should be ______ to minimize the window of opportunity for attackers.

short-lived

In the context of JWTs, what does the OAuth standard recommend for longer-lived tokens?

Revoking access (A)

Access control failures can lead to the violation of the principle of ______.

least privilege

What should access controls enforce regarding records within an application?

Record ownership, rather than universal access (C)

What should happen to stateful session identifiers after a user logs out?

They should be invalidated on the server

Permitting viewing or editing of someone else's account by providing its unique identifier is an example of a secure direct object reference.

False (B)

Which attack involves replaying or tampering with a JSON Web Token (JWT) to elevate privileges?

Metadata Manipulation (B)

Application business limit requirements should be enforced by ______.

domain models

What is the primary risk associated with broken access control?

Unauthorized information disclosure (A)

What security principle is violated when access is granted to anyone instead of specific roles or users?

Principle of least privilege

Disabling web server directory listing is a recommended practice to prevent exposing file metadata.

True (A)

To minimize harm from automated attack tooling, it is important to __________ API and controller access.

rate limit

Which of the following is a mitigation strategy against broken access control?

Denying by default, except for public resources. (C)

According to the material, it is not important to log access control failures.

False (B)

The use of unverified data in a SQL call to access account information is an example of which attack scenario?

SQL injection

An attacker force-browsing to a URL is an example of a ___________ if they are unauthenticated, or are not an admin.

flaw

According to the text provided, CWE stands for Common Weakness Exposure.

False (B)

Access control enforces policy such that users can act outside of their intended permissions.

False (B)

Match the weakness to the description:

  • Violation of principle of least privilege = Access should only be granted for particular capabilities, roles, or users, but is available to anyone.
  • Bypassing access control checks = Modifying the URL (parameter tampering or force browsing), internal application state, or the HTML page, or using an attack tool to modify API requests.
  • Elevation of privilege = Acting as a user without being logged in or acting as an admin when logged in as a user.

What is the principle of least privilege, in the context of access control?

Granting access only for particular capabilities, roles, or users, and denying access by default.

Modifying a URL to bypass access control checks is known as ______.

parameter tampering

Which of the following is a common access control vulnerability related to direct object references?

Permitting viewing or editing someone else's account by providing its unique identifier (C)

Disabling web server directory listing is a recommended practice to prevent access control vulnerabilities.

True (A)

A CORS ______ can allow API access from unauthorized origins.

misconfiguration

What should developers and QA staff include in testing to prevent access control issues?

Access control unit and integration tests (D)

In the context of JWTs, what does it mean for a token to be 'short-lived' and why is it important?

A short-lived token has a small window of opportunity for attackers to abuse it if compromised.

Access control failures should be ______ and admins should be alerted when appropriate.

logged

Deny by default means that, unless a specific exception is in place, access is ______

forbidden

Which of the following statements is correct regarding access control?

Access control mechanisms should be implemented once and re-used throughout the application. (A)

Using extremely long-lived, stateless JWT tokens is the best method for long session management.

False (B)

Flashcards

Broken Access Control

Enforces policies so users can't act outside intended permissions, preventing unauthorized data access/modification.

Principle of Least Privilege

Granting only necessary access rights, roles, or capabilities to users; denying access by default.

Parameter Tampering

Bypassing access controls by altering URLs, application state, HTML, or API requests to gain unauthorized access.

Insecure Direct Object References (IDOR)

Accessing another user's account by manipulating unique identifiers without proper authorization.


Privilege Escalation

Gaining higher-level privileges (e.g., admin) when logged in as a regular user, or acting as a user without logging in.


Metadata Manipulation

Replaying or altering tokens (like JWTs), cookies, or hidden fields to elevate privileges.


CORS Misconfiguration

Misconfigured Cross-Origin Resource Sharing, allowing unauthorized API access from untrusted origins.


Force Browsing

Attempting to access authenticated pages as an unauthenticated user, or privileged pages as a standard user.


Deny by Default

Deny all access by default, except for explicitly allowed public resources.


Centralized Access Control

Centralize and reuse access control mechanisms throughout the application to ensure consistency.


Record Ownership

Enforce access controls based on record ownership, limiting users to only create, read, update, or delete their own records.


Domain Model Enforcement

Enforce unique application business rules using domain models to control data access and manipulation.


Directory Listing Prevention

Disable web server directory listing and ensure sensitive file metadata (e.g., .git) and backup files are not present within web roots.


Access Control Logging

Log access control failures and alert admins to repeated failures.


API Rate Limiting

Limit API and controller access to minimize harm from automated attacks.


Session Invalidation

Invalidate stateful session identifiers on the server after logout.


JWT Management

Use short-lived JWTs and follow OAuth standards to revoke access for longer-lived JWTs.


Access Control Testing

Include unit and integration tests for access control functionality.


Account Parameter Manipulation

Modifying the 'acct' parameter in a URL to access another user's account details.


Forced Browsing to Admin Pages

Attempting to access admin pages directly without proper authentication or authorization.


Impact of Access Control Failures

Access control failures lead to unauthorized disclosure, modification, or destruction of data, or performing functions outside user limits.


Violation of Least Privilege

Grant access only for particular capabilities, roles, or users; don't give blanket access to everyone.


API Access Control

Missing access controls on POST, PUT, and DELETE requests expose APIs.


JWT Token Security

Short-lived JWTs minimize the attacker's window of opportunity. Follow OAuth standards to revoke access for longer ones.


SQL Injection Access

Occurs when applications use unverified data in SQL calls, allowing attackers to access any user's account.


Information Exposure

Exposure of sensitive information to unauthorized actors.


Business Logic as Access Control

Unique application business limit requirements should be enforced by domain models.


URL Tampering

Bypassing access controls by tampering with parameters in the URL.


Account Parameter Exploitation

Attacker alters the browser's 'acct' parameter to access another user's account.


Missing Access Control Attack

The application doesn't have code to prevent an unauthenticated user from accessing authenticated pages, or a non-admin from accessing admin pages.


URL Parameter Tampering

A common web vulnerability where an attacker exploits flaws in the server-side code to gain unauthorized access to resources by modifying URL parameters.


Cross-Site Request Forgery (CSRF)

An attack where an authenticated user is tricked into performing actions they did not intend, often through malicious websites.


Least Privilege

The practice of ensuring users have only the minimum necessary access rights to perform their job functions.


Server-Side Access Control

Access controls are verified by server-side code in a trusted environment.


Improper Access Control

When access control mechanisms are implemented improperly or are missing, potentially leading to unauthorized access.


JSON Web Token (JWT)

A token in web applications and APIs, often misused to replay or tamper with access control.


Cross-Origin Resource Sharing (CORS)

An HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading of resources.


URL Modification Attacks

Modifying a URL to bypass access controls and gain unauthorized access to restricted resources.


Proper Authorization

The principle of verifying that a user has the necessary permissions before granting access to a resource or function.


Object References

Unique identifiers used to reference objects in a system; can be exploited if exposed and improperly validated.


Sensitive Information Exposure

Disclosing sensitive data through application responses or system outputs without proper restrictions.


Default Deny Access

Ensuring a system defaults to denying access unless explicitly granted, enhancing security.


Automated Attack Tooling

An automated method or tool used to exploit vulnerabilities in web applications.


Insecure Temporary Files

A process where temporary files are not securely handled, potentially leading to sensitive data exposure or unauthorized access.


Indirect Access Control

The practice of limiting the attack surface by restricting direct access to resources and requiring all access to go through a proxy.


Directory Listing

An application setting that lists the contents of a directory, potentially exposing sensitive files or information.


Access Control

Enforces policy so users act only within intended permissions, prevents unauthorized access/modification.


Insecure Direct Object Reference

A record's unique identifier that, when exposed without an authorization check, can be manipulated to access another user's information.


Elevation of Privilege

An attack where the attacker gains additional privileges.


Default Deny

An access control model where access is denied unless specifically allowed.


Short-Lived JWTs

Shortening the lifespan of JWTs to minimize the window for attacks.


Forced Browsing (Admin Pages)

Attempting to access admin pages without proper authorization.


Study Notes

Broken Access Control Overview

  • Broken access control moved up from fifth position and is now the top category
  • 94% of applications tested exhibited some form of broken access control
  • The average incidence rate is 3.81%
  • It has the most occurrences in the dataset with over 318k
  • Common Weakness Enumerations (CWEs) include:
    • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
    • CWE-201: Insertion of Sensitive Information Into Sent Data
    • CWE-352: Cross-Site Request Forgery

Description of Access Control Vulnerabilities

  • Access control ensures users act within their intended permissions.
  • Failures can lead to unauthorized:
    • Information disclosure
    • Modification
    • Destruction of data
    • Performance of business functions outside user limits
  • Common vulnerabilities include:
    • Violating the principle of least privilege or deny by default
    • Bypassing access control checks via:
      • URL tampering
      • Modifying application state or HTML
      • Using attack tools to modify API requests
    • Permitting viewing/editing of other accounts via insecure direct object references
    • Accessing APIs with missing access controls for POST, PUT, and DELETE requests.
    • Privilege escalation by:
      • Acting as a user without login.
      • Acting as admin when logged in as a user
    • Manipulating metadata like JSON Web Tokens (JWT) or cookies to elevate privileges or abuse JWT invalidation.
    • CORS misconfiguration allowing API access from unauthorized origins.
    • Forced browsing to authenticated pages as an unauthenticated user or to privileged pages as a standard user.

Prevention Strategies

  • Access control is effective in trusted server-side code or server-less APIs.
  • Implementations should be server-side where attackers cannot modify checks or metadata.
  • Key strategies:
    • Deny by default, except for public resources.
    • Implement and reuse access control mechanisms throughout the application to minimize Cross-Origin Resource Sharing (CORS) usage.
    • Access control models should enforce record ownership rather than allowing any user to create, read, update, or delete any record.
    • Enforce unique application business limit requirements using domain models.
    • Disable web server directory listing and ensure sensitive file metadata (e.g., .git) and backup files are not present within web roots.
    • Log access control failures and alert administrators when appropriate (e.g., repeated failures).
    • Rate limit API and controller access to minimize harm from automated attack tooling.
    • Invalidate stateful session identifiers on the server after logout.
    • Prefer short-lived, stateless JWT tokens to minimize the window of opportunity for attackers.
    • Follow OAuth standards to revoke access for longer-lived JWTs.
  • Include functional access control unit and integration tests during development and QA.

Example Attack Scenarios

Scenario 1: SQL Injection via Unverified Data

  • Vulnerability: Application uses unverified data in a SQL call to access account information.
  • Attack: Attacker modifies the 'acct' parameter in the browser to input any account number.
  • Impact: If not verified correctly, attacker gains unauthorized access to any user's account.
  • Example: https://example.com/app/accountInfo?acct=notmyacct

Scenario 2: Forced Browsing

  • Vulnerability: Lack of access controls on specific URLs.
  • Attack: Attacker attempts to access admin pages directly.
  • Impact: Unauthorized access to sensitive pages or functionalities.
  • Example:
    • https://example.com/app/getappInfo
    • https://example.com/app/admin_getappInfo
  • Flaw exists if:
    • Unauthenticated user accesses any page that requires authentication
    • Non-admin user accesses an admin page.

Statistics

  • CWEs Mapped: 34
  • Maximum Incidence Rate: 55.97%
  • Average Incidence Rate: 3.81%
  • Average Weighted Exploit: 6.92
  • Average Weighted Impact: 5.93
  • Maximum Coverage: 94.55%
  • Average Coverage: 47.72%
  • Total Occurrences: 318,487
  • Total CVEs: 19,013
