usd HeroLab Top 5 Vulnerabilities 2020: Broken Access Control

usd AG News, Pentest Insights, Security Research

During penetration tests our security analysts repeatedly uncover gateways in IT systems and applications that pose significant risks to corporate security. They increasingly identify the same vulnerabilities in different IT assets, some of which have been known for years. In our mini-series, we present our top 5 most notable vulnerabilities from 2020. Part 2: Broken Access Control

Vulnerability Background

Broken access control refers to vulnerabilities in which endpoints or functionalities in an application are not sufficiently protected by authentication or authorization mechanisms. Attackers can access these endpoints or use corresponding functionalities without having sufficient permissions to do so. One of the most common reasons for the vulnerability to occur is that only client-side validation of requests is used, while no further checking is performed on the server side.

Exemplary hacker attack and its consequences

Our example is an application that validates user requests on the client side only. The following screenshot shows a corresponding error message when a low privileged user tries to access administrative application content.

Figure 1 Access to the administration in the form of an HTTP GET request is prevented by the application
Figure 2 HTTP POST request to set a password with a non-privileged user is still executed successfully

Although a low-privileged user cannot see the administrative section of the application, he can send the request shown above to reset the password of any user. Information about the corresponding endpoint could be obtained by an attacker from internal sources, the application‘s JavaScript code, or simply by guessing.

Recommended measures

Client-side access control should never be used as the only safeguard against unauthorized access. As demonstrated above, a lack of representation within the application does not prevent an attacker from using the endpoint anyway. Only validation on the server side can prevent unauthorized use of an endpoint. This applies not only to web applications but also to desktop applications (thick clients).

Please note that this is a very general recommendation for security measures. We are happy to support you with individual solutions. Feel free to contact us.

Read more about our top 5 most notable vulnerabilities and other exciting topics in our 2020 Annual Report.