Broken Access Control (BAC)

Severity: Critical
Test name: Broken Access Control
Test ID: broken_access_control
Summary

Broken Access Control (BAC) is a type of vulnerability that occurs when an application fails to enforce proper access control measures, allowing unauthorized users to access restricted resources or perform actions beyond their permissions. This vulnerability can lead to unauthorized data access, privilege escalation, and misuse of functionality, ultimately compromising the confidentiality and integrity of the system. BAC is a critical issue highlighted in the OWASP Top 10 and often involves Broken Object Level Authorization (BOLA) and Broken Function Level Authorization (BFLA).

Access control vulnerabilities arise when developers make incorrect assumptions about how users will interact with the application, leading to insufficient validation of user input or user roles. Attackers can exploit these vulnerabilities to access sensitive information, modify data, or escalate privileges by manipulating parameters and bypassing restrictions.

Impact
  • Unauthorized access to sensitive data
  • Privilege escalation
  • Data leakage or modification
  • Compromise of application security and integrity
Example
  1. Broken Object Level Authorization (BOLA):
    1. An e-commerce application provides access to user order details using the following endpoint:
      https://{your_ecommerce_app}.com/users/{user_id}/orders
      
    2. User A can access their own orders using /users/123/orders. However, if User A changes {user_id} to another user's ID (e.g., /users/124/orders), they can gain unauthorized access to User B's order details.
  2. Broken Function Level Authorization (BFLA):
    1. A regular user modifies a URL intended for admin access:
      https://{your_app}.com/admin/settings
      
    2. By directly accessing /admin/settings, a low-privileged user gains access to administrative settings, which should be restricted to authorized admins only.
  3. Horizontal Privilege Escalation:
    1. User A and User B have different access permissions. User A modifies a parameter like ?user_id=124 to access resources or data meant for User B, leading to unauthorized actions.
  4. Vertical Privilege Escalation:
    1. A lower-privileged user intercepts and modifies tokens or cookies to access higher-privileged functionalities, bypassing intended access control mechanisms.
Location
  • The issue can be found in the source code on the server side.
Remedy suggestions
  • Implement Access Controls: Ensure access controls are consistently applied and enforced on both client and server sides.
  • Follow the Principle of Least Privilege: Grant the minimum necessary permissions for users to perform their roles.
  • Validate User Inputs: Check and validate all inputs to avoid unauthorized access via parameter tampering.
  • Secure API Endpoints: Ensure that all API endpoints, especially POST, PUT, and DELETE, are properly protected with access controls.
  • Use Secure Tokens: Implement short-lived, stateless JWTs or invalidate session identifiers on logout.
  • Monitor and Log: Track access control failures and alert administrators to unusual activity.
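The following is an added example, not code from the original page: a framework-free Python model of the two endpoints from the Example section (/users/{user_id}/orders and /admin/settings) with the BOLA and BFLA defects beside their server-side checks. The sample order store, user ids and roles are constructed for illustration; the caller's identity is assumed to come from an already verified session, never from the URL.

```python
"""Added example: BOLA/BFLA defects beside their server-side authorization checks."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample data: orders keyed by owner id, and each user's role.
ORDERS = {123: ["order-A1", "order-A2"], 124: ["order-B1"]}
ROLES = {123: "user", 124: "user", 1: "admin"}


@dataclass
class Request:
    user_id: int                          # identity from the verified session
    path_user_id: Optional[int] = None    # the {user_id} segment of the URL


def get_orders_vulnerable(req: Request) -> Tuple[int, List[str]]:
    """BOLA: trusts {user_id} from the URL and never compares it to the caller."""
    return 200, ORDERS.get(req.path_user_id, [])


def get_orders_fixed(req: Request) -> Tuple[int, List[str]]:
    """Object-level check: a caller may read only orders they own,
    unless the server-side role lookup says they are an admin."""
    if req.path_user_id != req.user_id and ROLES.get(req.user_id) != "admin":
        return 403, []
    return 200, ORDERS.get(req.path_user_id, [])


def admin_settings_vulnerable(req: Request) -> int:
    """BFLA: the route is only hidden from the UI; any authenticated caller reaches it."""
    return 200


def admin_settings_fixed(req: Request) -> int:
    """Function-level check: the role is resolved server-side from the session identity."""
    if ROLES.get(req.user_id) != "admin":
        return 403
    return 200


if __name__ == "__main__":
    # User A (id 123) requesting /users/124/orders, i.e. User B's orders.
    user_a = Request(user_id=123, path_user_id=124)
    print(get_orders_vulnerable(user_a))   # (200, ['order-B1']): User B's data leaks
    print(get_orders_fixed(user_a))        # (403, [])
    print(admin_settings_vulnerable(user_a), admin_settings_fixed(user_a))  # 200 403
```

The fixed handlers are also the points where the "Monitor and Log" remedy applies: every 403 returned here is an access control failure worth recording.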
Classifications
  • CWE-284
  • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
References