usd HeroLab Top 5 Vulnerabilities 2020: Broken Access Control

25. May 2021

During penetration tests our security analysts repeatedly uncover gateways in IT systems and applications that pose significant risks to corporate security. They increasingly identify the same vulnerabilities in different IT assets, some of which have been known for years. In our mini-series, we present our top 5 most notable vulnerabilities from 2020. Part 2: Broken Access Control

Vulnerability Background

Broken access control refers to vulnerabilities in which endpoints or functionalities in an application are not sufficiently protected by authentication or authorization mechanisms. Attackers can access these endpoints or use corresponding functionalities without having sufficient permissions to do so. One of the most common reasons for the vulnerability to occur is that only client-side validation of requests is used, while no further checking is performed on the server side.

Exemplary hacker attack and its consequences

Our example is an application that validates user requests on the client side only. The following screenshot shows a corresponding error message when a low privileged user tries to access administrative application content.

Figure 1 Access to the administration in the form of an HTTP GET request is prevented by the application
Figure 2 HTTP POST request to set a password with a non-privileged user is still executed successfully

Although a low-privileged user cannot see the administrative section of the application, he can send the request shown above to reset the password of any user. Information about the corresponding endpoint could be obtained by an attacker from internal sources, the application‘s JavaScript code, or simply by guessing.

Recommended measures

Client-side access control should never be used as the only safeguard against unauthorized access. As demonstrated above, a lack of representation within the application does not prevent an attacker from using the endpoint anyway. Only validation on the server side can prevent unauthorized use of an endpoint. This applies not only to web applications but also to desktop applications (thick clients).

Please note that this is a very general recommendation for security measures. We are happy to support you with individual solutions. Feel free to contact us.


Read more about our top 5 most notable vulnerabilities and other exciting topics in our 2020 Annual Report.

Also interesting:

PCI DSS v4.0: INFI Worksheet Discontinued

PCI DSS v4.0: INFI Worksheet Discontinued

The Payment Card Industry Security Standards Council (PCI SSC) announced it is discontinuing the Items Noted for Improvement (INFI) Worksheet. INFI, a template for documenting items for improvement, had been introduced with PCI DSS v4.0. Effective immediately, QSAs...

The Surprising Complexity of Finding Known Vulnerabilities

The Surprising Complexity of Finding Known Vulnerabilities

IT security professionals need an efficient and reliable solution for identifying known vulnerabilities in a software product, given its name and version. Our colleagues at usd HeroLab place high demands on such a solution. They evaluated several available solutions...

Categories

Categories