search

1. Broken Access Control

hashtag
What is Broken Access Control?

circle-info

Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits.

hashtag
Scenario 1

The application uses unverified data in a SQL call that is accessing account information:

 pstmt.setString(1, request.getParameter("acct"));
 ResultSet results = pstmt.executeQuery( );

An attacker simply modifies the browser's 'acct' parameter to send whatever account number they want. If not correctly verified, the attacker can access any user's account.

 https://example.com/app/accountInfo?acct=notmyacct

hashtag
Scenario 2

An attacker simply forces browses to target URLs. Admin rights are required for access to the admin page.

 https://example.com/app/getappInfo
 https://example.com/app/admin_getappInfo

If an unauthenticated user can access either page, it's a flaw. If a non-admin can access the admin page, this is a flaw.

hashtag
Reference

LogoA01 Broken Access Control - OWASP Top 10:2021owasp.orgchevron-right
A01 Broken Access Control - OWASP
PreviousOWASP Top 10Next2. Cryptographic Failures

Last updated