2021 OWASP Top Ten: Broken Access Control

OWASP Top 10: Understanding Broken Access Control

Overview of Broken Access Control

  • John Wagnon introduces the OWASP Top 10 list for 2021, highlighting that the number one security risk is broken access control, which has risen from fifth place in 2017.
  • A staggering 94% of applications tested exhibited some form of broken access control, with an average incidence rate of 3.8%, indicating a critical vulnerability across many platforms.

Implications and Risks

  • The prevalence of broken access control was noted with over 318,000 occurrences in the dataset reviewed by OWASP, emphasizing its significance as a security concern.
  • The fundamental challenge is to let legitimate users reach what they are entitled to while keeping attackers away from what they are not; this requires robust access controls enforced within the application itself.

Examples and Mechanisms

  • An example illustrates how changing an ID in an API endpoint can lead to unauthorized data exposure if proper checks are not implemented.
  • If input sanitization is inadequate, attackers could manipulate SQL queries to gain unauthorized access to sensitive information.

Best Practices for Mitigation

  • Implementing additional checks such as verifying both the message ID and ownership can help secure API endpoints against unauthorized access.
  • Common vulnerabilities include violations of the principle of least privilege and bypassing access controls through URL modifications or attack tools.

Specific Vulnerabilities Identified

  • Violating the principle of least privilege allows excessive permissions beyond what users need for their roles, leading to potential exploitation.
  • Bypassing access control checks can occur through direct object references or manipulating API requests without proper authorization mechanisms.

Conclusion on Access Control Issues

  • Missing controls on HTTP methods (POST, PUT, DELETE) can expose APIs to unauthorized actions and data breaches.

Understanding Broken Access Control

Overview of Access Control Issues

  • An unauthenticated user should not be able to access sensitive application information, such as URLs that provide app details. This poses a security risk if unauthorized users can retrieve this data.
  • Non-admin users must also be restricted from accessing admin-specific URLs. Proper access control ensures that only authorized personnel can view or manipulate sensitive areas of an application.
  • Forced browsing, where an unauthorized user navigates directly to a target URL and succeeds, indicates broken access control, which is a significant security vulnerability.

Preventative Measures for Access Control

  • Implementing a "deny by default" policy is crucial in applications. This means that unless explicitly allowed, all access should be denied to enhance security.
  • Enforcing record ownership is essential; users should not have unrestricted CRUD (Create, Read, Update, Delete) capabilities on records without proper authorization checks.
  • Logging access control failures helps in monitoring and identifying potential breaches. Regularly reviewing logs allows for timely responses to unauthorized attempts.
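The IDOR example from the first part of the summary and the mitigations listed above (verifying both the message ID and ownership, deny by default, enforcing record ownership, logging access control failures, and checking the HTTP method) worked through in one handler. This is an added example, not code from the video or from F5; the `/api/messages` route, the user names and the in-memory message table are constructed.

```python
import logging
from typing import Optional

# Constructed sample data standing in for the application's messages table.
MESSAGES = {
    101: {"owner": "alice", "body": "quarterly numbers"},
    102: {"owner": "bob", "body": "lunch at noon?"},
}

# Allow-list of (role, method) pairs. Anything not listed here is refused,
# which is the "deny by default" policy described above.
ALLOWED = {("owner", "GET"), ("owner", "DELETE"), ("admin", "GET"), ("admin", "DELETE")}

# In-memory stand-in for the access-control failure log the summary says to keep.
FAILURES: list[str] = []
log = logging.getLogger("access_control")

def get_message_vulnerable(message_id: int) -> str:
    # The IDOR pattern: the record is fetched by the client-supplied id alone, so a
    # caller who changes 101 to 102 in the URL reads another user's message unchecked.
    return MESSAGES[message_id]["body"]

def _deny(reason: str, user: Optional[str], message_id: int, method: str) -> tuple[int, str]:
    # Every failed check is recorded with who asked for what; the caller only sees a 403.
    entry = f"{method} /api/messages/{message_id} by {user!r}: {reason}"
    FAILURES.append(entry)
    log.warning("access denied: %s", entry)
    return 403, ""

def access_message(user: Optional[str], is_admin: bool, message_id: int,
                   method: str = "GET") -> tuple[int, str]:
    """Hardened handler: returns an (HTTP status, body) pair."""
    # 1. No authenticated principal, no access (deny by default).
    if user is None:
        return _deny("unauthenticated", user, message_id, method)
    # 2. Look up the record. An unknown id gets the same 403 as someone else's
    #    record, so the response does not reveal which ids exist.
    record = MESSAGES.get(message_id)
    if record is None:
        return _deny("unknown id", user, message_id, method)
    # 3. Enforce record ownership and the HTTP method together: the message id
    #    and the caller's relationship to it are both verified before any action.
    role = "admin" if is_admin else ("owner" if record["owner"] == user else "other")
    if (role, method) not in ALLOWED:
        return _deny(f"{role} may not {method}", user, message_id, method)
    if method == "DELETE":
        del MESSAGES[message_id]
        return 204, ""
    return 200, record["body"]
```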

Additional Security Recommendations

  • Rate limiting APIs and controlling access can mitigate risks from automated attacks. This strategy helps protect against botnets and other malicious tools targeting the application.

Video description

In this video, John Wagnon discusses the first item on the 2021 OWASP Top Ten list: Broken Access Control. He explains the significance of this security risk, how it can impact applications, and best practices for mitigating vulnerabilities associated with access control. This overview is essential for developers and security professionals looking to enhance their understanding of web application security.