During penetration tests our security analysts repeatedly uncover gateways in IT systems and applications that pose significant risks to corporate security. They increasingly identify the same vulnerabilities in different IT assets, some of which have been known for years. In our mini-series, we present our top 5 most notable vulnerabilities from 2020. Part 2: Broken Access Control
Broken access control refers to vulnerabilities in which endpoints or functionalities in an application are not sufficiently protected by authentication or authorization mechanisms. Attackers can access these endpoints or use corresponding functionalities without having sufficient permissions to do so. One of the most common reasons for the vulnerability to occur is that only client-side validation of requests is used, while no further checking is performed on the server side.
Exemplary hacker attack and its consequences
Our example is an application that validates user requests on the client side only. The following screenshot shows a corresponding error message when a low privileged user tries to access administrative application content.
Client-side access control should never be used as the only safeguard against unauthorized access. As demonstrated above, a lack of representation within the application does not prevent an attacker from using the endpoint anyway. Only validation on the server side can prevent unauthorized use of an endpoint. This applies not only to web applications but also to desktop applications (thick clients).
Please note that this is a very general recommendation for security measures. We are happy to support you with individual solutions. Feel free to contact us.
Read more about our top 5 most notable vulnerabilities and other exciting topics in our 2020 Annual Report.