OWASP A01 — Broken Access Control: What it is and why it’s important

Jamie Beckland
Published in Traceable and True
Jul 5, 2022

The number one biggest web application security risk is broken access control, according to OWASP. So, what is broken access control and why is it such a big problem?

Why is access control so critical?

Access controls determine which users and which applications are authorized to see data in the application, make changes to the application, and even control how the application performs. A simple but effective access control mechanism is the lock on your front door. If you insert the right key into the lock, the lock grants you access to the house and all of the contents inside it.

Cars also have keys, but many cars have two different keys: the owner key and the valet key. The owner key works in all of the locks to provide unlimited access to the car; by contrast, the valet key will start the ignition, but won’t unlock the glove box or the trunk. The valet key protects these private areas, while also allowing the valet to perform their duties of parking and retrieving the car.

Web application access controls conform to the same principles, except with a much more sophisticated set of variables for actions that a user or application should be able to complete. A customer should be able to view, edit, modify, and delete their own data…but they should not be able to do any of those things for someone else’s information. A developer should be able to change the functionality of the application, but may not be able to see real customer data. An analytics application should be able to read all the data, but not change any of it.

Access controls have gotten extremely complicated as more web applications are built using APIs and microservices, and these systems operate without the traditional security perimeter. In order to add flexibility into the architecture, applications will accept requests from anywhere and everywhere.

Why is access control so often broken?

OWASP saw more than 318,000 broken access control issues in their dataset. In the 2021 revision, broken access controls moved from the 5th most common issue to the #1 most common issue.

Part of the reason that access control issues have exploded is because there are just more API communications than ever before. The vast majority of all web traffic is API calls, and with more usage comes more problems. But that’s not the only issue.

How we build digital applications has transformed completely in the past decade. Adopting a microservices architecture has lots of benefits, including faster iteration, easier maintainability, and more flexibility over time. But, microservices talk to each other using APIs. So, it’s very common to see a modern application that is very chatty, with hundreds of API calls for every transaction. This dramatically increases the number of API calls that could be vulnerable.

In addition, authentication and authorization have seen wholesale upgrades in security from previous models by implementing code-for-token exchanges, JWTs, and other access control mechanisms. These new mechanisms have a lot of flexibility to accommodate a variety of security and experience use cases. But, that additional flexibility means there are many new ways that access control can be over-scoped for a particular situation.

So, a combination of many, many more API calls; new flexible access control models; and a migration away from legacy architecture combine to create many potential points of failure for access control management.

The stakes are incredibly high

In practice, a broken access control system can destroy the core value proposition of the product. Consider Gator Watches, a GPS-enabled smartwatch for kids ages 5–12. The device was supposed to give parents peace of mind to know where their kids are located, without exposing them to a full-featured smartphone too early.

Except the access control allowed any user to see the location of all the children wearing a Gator device. The result was that the real-time locations of tens of thousands of children were exposed to anyone on the internet. For many companies, this could be a business-ending class action lawsuit.

But narrower access control issues are also risky. Users can accidentally have admin rights. Attackers can scrape the personal data of every user, or delete all of your photos.

How to monitor for broken access control

Unfortunately, it’s cumbersome to review every possible access control variation to test for a potential breaking change in every software release. That’s why most teams don’t do it.

A reasonable alternative approach is to monitor actual API traffic, to review which data elements are available and traversing the transport layer. If you see a single service pulling the personal account details of many different users, that may be a flag to review whether the traffic is legitimate. If you see an external application accessing admin data, it may be worth investigating whether the access is illegitimate. Once these issues are seen in production, they are typically straightforward to remediate; however, finding them without consistent monitoring can be almost impossible.

Instead of overloading your development teams with endless corner and edge case tests, monitoring live traffic can dramatically reduce the time to identify and remediate a broken access control vulnerability.
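To make the monitoring idea concrete, here is an added example (not code from this post or from Contxt) that scans constructed API access-log lines for the two signals described above: one caller reading the details of many distinct accounts, and a non-internal caller reaching an admin endpoint. The log format, the internal-caller allowlist and the threshold are assumptions.

```python
# Added example, not the post's own code: flag two signals the text describes
# in API access logs: (1) one caller reading many distinct accounts' details,
# (2) a non-internal caller reaching an admin endpoint. Format/thresholds assumed.
from collections import defaultdict
import re

# Constructed sample log lines: "<caller> <method> <path> <status>"
SAMPLE_LOG = """\
svc-billing GET /api/accounts/1001/details 200
svc-billing GET /api/accounts/1001/invoices 200
partner-app GET /api/accounts/2001/details 200
partner-app GET /api/accounts/2002/details 200
partner-app GET /api/accounts/2003/details 200
partner-app GET /api/accounts/2004/details 200
partner-app GET /api/admin/users 200
svc-ops GET /api/admin/users 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")
ACCOUNT_RE = re.compile(r"^/api/accounts/(\d+)/")
INTERNAL_CALLERS = {"svc-billing", "svc-ops"}  # assumed allowlist of internal services
DISTINCT_ACCOUNT_THRESHOLD = 3  # assumed; tune against your real traffic baseline


def parse_log(text):
    """Yield (caller, method, path, status) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))


def find_access_control_signals(log_text):
    """Return a sorted list of (rule, caller, detail) findings."""
    accounts_by_caller = defaultdict(set)
    findings = set()
    for caller, _method, path, status in parse_log(log_text):
        if status != 200:  # only successful responses actually expose data
            continue
        m = ACCOUNT_RE.match(path)
        if m:
            accounts_by_caller[caller].add(m.group(1))
        elif path.startswith("/api/admin/") and caller not in INTERNAL_CALLERS:
            findings.add(("admin-from-external", caller, path))
    for caller, ids in accounts_by_caller.items():
        if len(ids) >= DISTINCT_ACCOUNT_THRESHOLD:
            findings.add(("many-accounts", caller, f"{len(ids)} distinct accounts"))
    return sorted(findings)
```

Each finding is a prompt to review whether that caller's scope is legitimate, not proof of a vulnerability; in production the baseline per caller should come from observed traffic rather than a fixed constant.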

Originally published at https://www.bycontxt.com on July 5, 2022.


President & Co-Founder at Contxt. Security & Privacy Everywhere, All At Once. Erstwhile Dancer, Armchair Economist, Traveler…and above all, Technology Optimist.