📒Access Control
What is access control
Access control is the act of determining who or what can perform which action on the requested resources. In web applications, access control is dependent on authentication and session management.
Authentication - confirms that the user is who they say they are
Session management - identifies which requests are made by the same user
Access control - determines the actions the user is allowed to perform
Broken access control is a commonly encountered, critical security vulnerability. Designing and implementing access controls is often complex, and because access control decisions have to be made by humans rather than enforced by technology alone, the risk of error is high.
Vertical access control
Vertical access control restricts access to sensitive functionality to particular types of users. With this mechanism, users cannot step outside their role and reach functions meant for other roles. For example, an administrator can modify or delete a user account, while ordinary users can't.
Vertical access controls can be more fine-grained implementations of security models designed to enforce business policies such as separation of duties and least privilege.
Horizontal access control
Horizontal access control restricts access to resources to the specific users who are allowed to access them. With this mechanism, different users have access to a subset of resources of the same type. For example, users can view their own bank transactions and make payments from their own account, but cannot access the accounts of other users.
Context-dependent access control
Context-dependent access control restricts the actions permitted based on the state of the application or of the user's interaction with it. This prevents users from performing actions in the wrong order. For example, an e-commerce website may prevent users from editing their shopping cart after they have made payment.
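The three types of control described above are easiest to see side by side in a single server-side authorization function. The following is an added example, not code from the original page or from any real application; the roles, permission names, user and order records, and the order state machine are all constructed for illustration.

```javascript
// Added example: one authorize() function applying vertical, horizontal and
// context-dependent access control. All data below is constructed sample data.

// Vertical access control: which actions each role may perform at all.
const ROLE_PERMISSIONS = {
  administrator: new Set(['account:read', 'account:update', 'account:delete',
                          'order:read', 'order:update']),
  user:          new Set(['account:read', 'order:read', 'order:update', 'order:pay']),
};

// Context-dependent access control: which order actions are valid in each state.
const ORDER_STATE_ACTIONS = {
  cart:    new Set(['order:read', 'order:update', 'order:pay']),
  paid:    new Set(['order:read']),   // no editing once payment has been made
  shipped: new Set(['order:read']),
};

// Returns { allowed, reason }. The decision is taken purely from the
// authenticated user's server-side record and the resource's stored state,
// never from anything the client submits.
function authorize(user, action, resource) {
  const [resourceType] = action.split(':');

  // 1. Vertical: the user's role must include the requested action.
  const perms = ROLE_PERMISSIONS[user.role];
  if (!perms || !perms.has(action)) {
    return { allowed: false, reason: `role ${user.role} cannot ${action}` };
  }

  // 2. Horizontal: non-administrators may only touch resources they own.
  if (user.role !== 'administrator' && resource.ownerId !== user.id) {
    return { allowed: false, reason: 'resource belongs to another user' };
  }

  // 3. Context-dependent: orders only accept actions valid for their state.
  //    This applies to administrators too; state rules are not role rules.
  if (resourceType === 'order') {
    const valid = ORDER_STATE_ACTIONS[resource.state];
    if (!valid || !valid.has(action)) {
      return { allowed: false,
               reason: `${action} not allowed for order in state ${resource.state}` };
    }
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed sample data mirroring the scenarios in the text.
const wiener = { id: 1, role: 'user' };
const carlos = { id: 2, role: 'administrator' };
const wienerCart = { type: 'order', ownerId: 1, state: 'cart' };
const wienerPaid = { type: 'order', ownerId: 1, state: 'paid' };
const otherUsersOrder = { type: 'order', ownerId: 3, state: 'cart' };
const otherUsersAccount = { type: 'account', ownerId: 3 };

for (const [who, action, res] of [
  [wiener, 'order:update', wienerCart],        // allowed
  [wiener, 'order:read', otherUsersOrder],     // horizontal: denied
  [wiener, 'account:delete', otherUsersAccount], // vertical: denied
  [carlos, 'account:delete', otherUsersAccount], // admin: allowed
  [wiener, 'order:update', wienerPaid],        // context: denied
]) {
  console.log(action, who.role, authorize(who, action, res));
}
```

Note that the three checks are ordered from cheapest to most specific, and every denial carries a reason so that the decision can be logged and audited server-side; the client only ever sees a generic error.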
Examples of broken access controls
Vertical privilege escalation
Vertical privilege escalation happens when a user gains access to functionalities not meant for them or their given role. One example is when a normal user can access the admin control panel where they can modify and delete existing users.
Unprotected functionality
In its most basic form, vertical privilege escalation arises when an application does not enforce any protection over sensitive functionality. For example, any user can reach the admin control panel simply by browsing to the relevant URL - https://insecure-website.com/admin. Such a URL may also be disclosed elsewhere, for instance in robots.txt, or found by brute-forcing with a wordlist of common directory names.
Security by obscurity - sometimes, sensitive functionality is not robustly protected but is instead concealed by giving it a less predictable URL. This is not an effective access control, since users can still discover the obfuscated URL in various ways.
For example, the obfuscated admin panel might be at https://insecure-website.com/administrator-panel-yb556
While the URL might not be directly guessable by an attacker, the application itself may leak it. A common case is client-side JavaScript that only renders the admin link when an isAdmin flag is set, but ships the URL to every user in the page source:
<script>
var isAdmin = false;
if (isAdmin) {
...
var adminPanelTag = document.createElement('a');
adminPanelTag.setAttribute('href', 'https://insecure-website.com/administrator-panel-yb556');
adminPanelTag.innerText = 'Admin panel';
...
}
</script>
The link is never displayed to a non-admin, but the URL is still visible to anyone who views the page source.
Lab - Unprotected admin functionality with unpredictable URL
Parameter-based access control methods
Some applications determine the user's access rights or role at login, then store this information in a user-controllable location, such as a hidden field, cookie, or preset query string parameter. Subsequent access control decisions are based on the submitted value. For example:
https://insecure-website.com/login/home.jsp?admin=true
https://insecure-website.com/login/home.jsp?role=1
However, this approach is fundamentally insecure, because users can simply modify the value to achieve privilege escalation and access functionality they are not authorized to use.
Lab - User role controlled by request parameter
Lab - User role can be modified in user profile
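The following added example (not code from the original page or from any lab) shows the same admin endpoint implemented two ways, covering both the unprotected/obscured-URL case and the parameter-based case above. The vulnerable handler takes the role from the user-controllable admin query parameter or role cookie, exactly the pattern criticised in the text; the hardened handler takes the role only from a server-side session keyed by an opaque session cookie, and applies the same check to every admin path regardless of how unpredictable its URL is. The session ids, user records, cookie names and paths are constructed for illustration.

```javascript
// Added example: vulnerable vs hardened admin-panel handler.
// All session ids, users and paths below are constructed sample data.

// Server-side session store: session id -> authenticated user. In a real
// deployment this is a database or cache; the client only holds the opaque id.
const SESSIONS = new Map([
  ['3f9a1c', { id: 1, username: 'wiener', role: 'user' }],
  ['b72e0d', { id: 2, username: 'administrator', role: 'administrator' }],
]);

// Parse a request path plus Cookie header into path, query and cookies.
function parseRequest(rawUrl, cookieHeader = '') {
  const url = new URL(rawUrl, 'https://insecure-website.com');
  const cookies = {};
  for (const part of cookieHeader.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name) cookies[name] = rest.join('=');
  }
  return { path: url.pathname, query: url.searchParams, cookies };
}

// VULNERABLE: the access decision is based on values the client controls
// (?admin=true, or a role cookie set at login), so anyone can flip them.
function handleAdminVulnerable(rawUrl, cookieHeader) {
  const req = parseRequest(rawUrl, cookieHeader);
  const isAdmin = req.query.get('admin') === 'true' || req.cookies.role === '1';
  return isAdmin ? { status: 200, body: 'admin panel' }
                 : { status: 403, body: 'forbidden' };
}

// HARDENED: every admin path, predictable or not, is routed through the same
// check, and the role is read from the server-side session, never from the request.
const ADMIN_PATHS = new Set(['/admin', '/administrator-panel-yb556']);

function handleAdminHardened(rawUrl, cookieHeader) {
  const req = parseRequest(rawUrl, cookieHeader);
  if (!ADMIN_PATHS.has(req.path)) return { status: 404, body: 'not found' };
  const user = SESSIONS.get(req.cookies.session);
  if (!user) return { status: 401, body: 'login required' };
  // ?admin=true and role=1 in the request are simply ignored here.
  if (user.role !== 'administrator') return { status: 403, body: 'forbidden' };
  return { status: 200, body: `admin panel for ${user.username}` };
}

// Demonstration: the same forged request against both handlers.
const forged = ['/admin?admin=true', 'session=3f9a1c; role=1'];
console.log('vulnerable:', handleAdminVulnerable(...forged).status); // 200
console.log('hardened:  ', handleAdminHardened(...forged).status);   // 403
```

The key design point is where the role lives: in the hardened version the only thing the client can present is an opaque session id, and the mapping from that id to a role exists solely on the server, so there is no value to tamper with.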
Horizontal privilege escalation
Preventing access control vulnerabilities