Broken access control is a failure in implementing an access control policy that allows users to bypass the limitations set for their access. For example, the vulnerability enables a rank-and-file accounting staff member to have administrative access beyond his/her authority.

Broken access control also allows a user to access the resources meant for another user. For instance, Employee A can also view Employee B’s payroll records. The vulnerability becomes dangerous in the hands of threat actors. They can reset passwords, access and retrieve financial and other administrative records, and take control of the organization’s websites and applications.

Understanding what broken access control is requires a basic grasp of the concept and types of access controls. We’ll talk about them and other relevant ideas below.

What Is Access Control?

Access control refers to the security mechanism wherein application or platform users are granted specific access levels, depending on their level of authority. For example, several members may access a YouTube channel, but the information they can see and control depends on their role. They could be viewers, editors, or managers.

What Are the Types of Access Control?

There are several types of access control, including the following:

  • Horizontal access controls: This type of control limits user access to their own resources. An employee, for example, should only be able to access his/her employment and payroll records. He/She shouldn’t be allowed to access the records of other employees.
  • Vertical access controls: The YouTube roles mentioned above are examples of vertical access controls. User functions depend on the level of authority they have for the account. Viewers can’t make changes, while editors can update video titles and descriptions but can’t delete videos. Only managers can upload and delete videos.
  • Context-based access controls: This type of control restricts user functionality based on his/her interaction with the application or platform. For example, you can no longer cancel a money transfer on PayPal once the transaction has gone through.
  • Location-based access controls: Some websites and platforms restrict user access based on location. Netflix users in Asia, for example, can’t access the library for users in the U.S.
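The payroll scenario used above, as an added example that is not part of the original article: a record lookup that trusts the requested employee id beside a version that enforces a horizontal check (own record) and a vertical check (payroll admin role). The users, roles and records are constructed in-memory sample data.

```python
# Added example (not from the original article): horizontal and vertical
# access checks for the payroll scenario. Users, roles and records below are
# constructed sample data, not any real application's model.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    user_id: str
    role: str  # "employee" or "payroll_admin" (constructed role names)


# Constructed sample payroll data, keyed by the owning employee's id.
PAYROLL = {
    "emp-100": {"owner": "emp-100", "salary": 52000},
    "emp-200": {"owner": "emp-200", "salary": 61000},
}


def get_payroll_broken(current: User, employee_id: str) -> dict:
    """Broken horizontal control: the id from the request is trusted and
    ownership is never checked, so Employee A can read Employee B's record."""
    return PAYROLL[employee_id]


def get_payroll_checked(current: User, employee_id: str) -> Optional[dict]:
    """Hardened lookup: allow only the record owner (horizontal control) or a
    payroll admin (vertical control). Returns None on denial so the caller can
    answer with a uniform 403/404 instead of leaking whether the id exists."""
    record = PAYROLL.get(employee_id)
    if record is None:
        return None
    is_owner = record["owner"] == current.user_id   # horizontal check
    is_admin = current.role == "payroll_admin"      # vertical check
    if not (is_owner or is_admin):
        return None
    return record


def update_salary(current: User, employee_id: str, new_salary: int) -> bool:
    """Vertical control on a write: only payroll admins may change salaries,
    including their own. Deny by default; True only when the write happened."""
    if current.role != "payroll_admin":
        return False
    record = PAYROLL.get(employee_id)
    if record is None:
        return False
    record["salary"] = new_salary
    return True
```

The checked functions decide on the server side from the authenticated user's identity and role, which is the property application testing in the prevention section should verify for every endpoint.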

What Causes Broken Access Control?

Broken access control may occur due to application misconfiguration. In this case, thorough application testing can help detect and prevent this vulnerability. However, there are also instances where threat actors deliberately launch attacks to gain access they are not entitled to. These are called “access aggregation attacks,” where attackers use different tools and tactics to study and break into the target’s systems.

Examples of such attacks are:

  • Brute-force attack: Hackers use high-end tools that can come up with all possible password combinations until the right one gives them access to a user account.
  • Password attack: In this type of attack, threat actors usually have a target user. They hack into the user’s device to see his/her password and use it to gain access to the target system.
  • Dictionary attack: Passwords that contain dictionary-based words are easier to crack. Hackers use tools that can scan a dictionary file to look for a word that matches the password a user entered.

What Are the Impacts of Broken Access Control?

Now that we know what broken access control is, we can look at how it affects organizations. Once threat actors exploit any type of broken access control, they can perform unauthorized transactions, access and steal sensitive information, and virtually do anything they want. Here are some examples of the effects of broken access control.

  • User data and other information stored in the platform can be modified, deleted, or transmitted.
  • Attackers can gain administrative access and perform administrative functions.
  • Threat actors can take over the website or platform administration.
  • Threat actors can direct users to malicious pages or deface the website.

How Do You Prevent Broken Access Control?

Minimizing risks associated with broken access control requires a proactive approach. Aside from the strict implementation of access control policies, constant application testing can help detect vulnerabilities immediately before threat actors can exploit them.

Broken access control has been named one of the top 10 web application security risks by the Open Web Application Security Project (OWASP), a nonprofit organization that aims to improve software security.

Broken access control is a system failure that can have serious consequences. Early detection of this vulnerability can make a huge difference in an organization’s security.