What is Broken Access Control?
Broken Access Control is the #1 vulnerability in the OWASP Top 10 2021. It occurs when restrictions on what authenticated users are allowed to do are not properly enforced. This can lead to unauthorized information disclosure, modification, or destruction of data, or performing business functions outside the user's limits.
🎯 Common Attack Scenarios
- Insecure Direct Object References (IDOR): Accessing other users' data by manipulating parameters
- Privilege Escalation: Acting as a user without being logged in or acting as an admin when logged in as a user
- Metadata Manipulation: Replaying or tampering with JWT tokens, cookies, or hidden fields
- CORS Misconfiguration: Allowing unauthorized API access
- Forced Browsing: Accessing authenticated pages as an unauthenticated user by requesting their URLs directly
⚠️ Impact
The impact of access control vulnerabilities can be severe:
- Unauthorized access to sensitive data
- Data modification or deletion
- Performing unauthorized business functions
- Complete account takeover
- Regulatory compliance violations
🛡️ Prevention
- Implement proper authentication and session management
- Use role-based access control (RBAC)
- Validate user permissions on every request
- Log access control failures and alert admins
- Rate limit API and controller access
- Disable web server directory listing
# Example of Vulnerable Code (PHP)
```php
// The id comes straight from the request and is used as-is: nothing checks
// that the record belongs to the logged-in user, and the raw value is also
// interpolated into the SQL string.
$user_id = $_GET['user_id'];
$query = "SELECT * FROM users WHERE id = $user_id";
// No access control check!
```
# Secure Code
```php
$user_id = (int) $_GET['user_id'];          // reject anything that is not an integer id
$current_user = getCurrentUser();           // identity and role come from the server-side session
// Deny unless the caller owns the record or is an administrator
if ($current_user['id'] !== $user_id && !$current_user['is_admin']) {
    throw new UnauthorizedException();
}
// Bind the id as a parameter instead of interpolating it into the query
$stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");
$stmt->execute([$user_id]);
```
🔍 How to Test
In the following labs, you'll practice identifying and exploiting broken access control vulnerabilities:
- Lab 1: Insecure Direct Object Reference (IDOR) - Learn how attackers can access other users' data
- Lab 2: Privilege Escalation - Discover how to gain unauthorized admin access
🔬 Lab 1: Insecure Direct Object Reference (IDOR)
Scenario: You're testing a banking application where users can view their account details. The application uses predictable user IDs in the URL parameters.
Click "View My Account" to see normal user access, then try the IDOR attack!
🚨 Vulnerability Explanation
This application is vulnerable because it:
- Uses predictable, sequential user IDs
- Doesn't validate that the requested user ID belongs to the authenticated user
- Trusts client-side parameters without server-side authorization
Real-world Impact: Attackers can enumerate and access all user accounts, potentially exposing sensitive financial information.
🔬 Lab 2: Privilege Escalation
Scenario: You're testing an admin panel that checks user roles. However, the application has flawed authorization logic that can be bypassed.
First access the user panel to see normal behavior, then try privilege escalation!
🎯 ADMIN PANEL ACCESSED!
⚠️ You've successfully escalated privileges! Here's what an attacker could access:
| User ID | Username | Email | Role | Last Login |
| --- | --- | --- | --- | --- |
| 1001 | john_doe | john@company.com | user | 2024-07-19 10:30 |
| 1002 | jane_smith | jane@company.com | user | 2024-07-19 09:15 |
| 1003 | admin_user | admin@company.com | admin | 2024-07-19 08:45 |
🚨 Vulnerability Explanation
This application is vulnerable because it:
- Relies on client-side role parameters that can be manipulated
- Doesn't properly validate user permissions on the server-side
- Uses predictable session token patterns
- Lacks proper authentication checks for admin functions
Real-world Impact: Attackers can gain administrative access, modify system settings, access all user data, and potentially compromise the entire application.
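As an added example that covers both labs (this is not the lab application's own code, and it is written in Python purely for illustration): a single server-side authorization check in which the caller's identity and role are read from the server-side session, never from request parameters, and every denial is logged. The account records, sessions and request dictionaries are constructed sample data.

```python
# Constructed sample data standing in for the banking application's tables.
ACCOUNTS = {
    1001: {"owner": 1001, "username": "john_doe", "balance": 2500},
    1002: {"owner": 1002, "username": "jane_smith", "balance": 7100},
    1003: {"owner": 1003, "username": "admin_user", "balance": 0},
}

# The role lives in the server-side session, looked up by an opaque session id.
# The client only presents the session id; it never tells the server its role.
SESSIONS = {
    "sess-john": {"user_id": 1001, "role": "user"},
    "sess-admin": {"user_id": 1003, "role": "admin"},
}

denied_log: list[str] = []  # stand-in for the access-control failure log


class Forbidden(Exception):
    """Raised for every request the caller is not allowed to make."""


def view_account(session_id: str, request_params: dict) -> dict:
    """Return the requested account only if the caller may see it.

    Any field the client adds to the request (for example ``role=admin``)
    is ignored; only the session decides who the caller is.
    """
    session = SESSIONS.get(session_id)
    if session is None:                                 # forced browsing
        denied_log.append(f"unauthenticated request: {request_params}")
        raise Forbidden("login required")

    try:
        requested = int(request_params["user_id"])      # non-numeric ids are rejected
    except (KeyError, ValueError):
        raise Forbidden("invalid account id")

    account = ACCOUNTS.get(requested)
    is_owner = account is not None and account["owner"] == session["user_id"]
    is_admin = session["role"] == "admin"

    # Same response for "missing" and "not yours": a caller walking the
    # sequential id space cannot learn which ids exist.
    if account is None or not (is_owner or is_admin):
        denied_log.append(f"user {session['user_id']} denied account {requested}")
        raise Forbidden("account not found")
    return account
```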