Broken Access Control: The Quiet Killer in Web Applications
Summary
Broken access control is the term used when an authenticated user is able to gain unauthorised access to data or systems that they should not be able to access.
This can include accessing other users’ data, performing administrator-only actions or escalating privileges.
Hunters find these flaws across many products and platforms. Common examples include IDOR (Insecure Direct Object Reference), where a simple change to an identifier in the URL exposes another user’s personal information; gaining administrative rights by guessing an unprotected endpoint; and JWT (JSON Web Token) role manipulation, where a hunter found that a website’s JWTs were unsigned and the role claim could be edited, granting access to the administrative panel.
To prevent broken access control, test authentication and authorisation thoroughly and enforce access control checks on the server side: use RBAC (Role-Based Access Control) to verify a user’s role before granting access, validate object ownership, and log all access control failures.
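The following is an added example, not code from the original post, that puts the three findings above beside the recommended fixes in one small module: an IDOR-prone record lookup next to a hardened one that validates ownership, a token verifier that rejects unsigned (`alg: none`) or tampered JWTs, an RBAC check that takes the role from a server-side table rather than from the client’s token, and a log line for every access control failure. The signing key, the in-memory `RECORDS` and `USER_ROLES` tables and all token contents are constructed sample data; a real application would read them from its database and key store.

```python
import base64
import hashlib
import hmac
import json
import logging
from typing import Optional

# Constructed sample data; a real application would read these from its database.
SECRET = b"example-hmac-key-not-for-production"   # assumption: server-held signing key
RECORDS = {
    101: {"owner": "alice", "ssn": "xxx-xx-1111"},
    102: {"owner": "bob", "ssn": "xxx-xx-2222"},
}
USER_ROLES = {"alice": "user", "bob": "user", "carol": "admin"}

log = logging.getLogger("access_control")


def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_token(claims: dict) -> str:
    """Issue an HS256-signed token (so the example can mint valid tokens)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_token(token: str) -> Optional[dict]:
    """Return the claims only if the token carries a valid HS256 signature.

    An unsigned token ("alg": "none"), an unexpected algorithm, or a tampered
    payload is rejected, which is what closes the JWT role-manipulation hole
    described in the post. Every rejection is logged.
    """
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:                      # bad base64, bad JSON, wrong part count
        log.warning("token rejected: malformed")
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        log.warning("token rejected: header or payload is not an object")
        return None
    if header.get("alg") != "HS256":        # never accept alg=none or a downgraded alg
        log.warning("token rejected: alg=%r", header.get("alg"))
        return None
    expected = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        log.warning("token rejected: signature mismatch")
        return None
    return claims


def get_record_insecure(record_id: int) -> Optional[dict]:
    """IDOR: the record is fetched by a client-supplied id with no ownership check."""
    return RECORDS.get(record_id)


def get_record(token: str, record_id: int) -> Optional[dict]:
    """Hardened: identity comes from the verified token and ownership is checked server-side."""
    claims = verify_token(token)
    if claims is None:
        return None
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != claims.get("sub"):
        log.warning("access denied: user=%s record=%s", claims.get("sub"), record_id)
        return None
    return record


def admin_action(token: str) -> bool:
    """RBAC: the role is looked up server-side for the verified subject.
    A 'role' claim the client put in its own token is ignored."""
    claims = verify_token(token)
    if claims is None:
        return False
    if USER_ROLES.get(claims.get("sub")) != "admin":
        log.warning("access denied: user=%s lacks role admin", claims.get("sub"))
        return False
    return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    alice = sign_token({"sub": "alice"})
    print(get_record(alice, 101))      # alice's own record
    print(get_record(alice, 102))      # None: denied and logged
    print(admin_action(alice))         # False: alice is not an admin
```

The design point is that nothing the client controls decides the outcome: the subject is taken from a token whose signature the server checked, ownership is compared against the stored record, and the role comes from `USER_ROLES` rather than from a claim in the token. Each denial goes through `log.warning`, so a burst of "access denied" lines for one subject across many record ids is visible to whoever reviews the logs.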