usd HeroLab Top 5 Vulnerabilities 2020: Broken Access Control

25. May 2021

During penetration tests our security analysts repeatedly uncover gateways in IT systems and applications that pose significant risks to corporate security. They increasingly identify the same vulnerabilities in different IT assets, some of which have been known for years. In our mini-series, we present our top 5 most notable vulnerabilities from 2020. Part 2: Broken Access Control

Vulnerability Background

Broken access control refers to vulnerabilities in which endpoints or functionalities in an application are not sufficiently protected by authentication or authorization mechanisms. Attackers can access these endpoints or use corresponding functionalities without having sufficient permissions to do so. One of the most common reasons for the vulnerability to occur is that only client-side validation of requests is used, while no further checking is performed on the server side.

Exemplary hacker attack and its consequences

Our example is an application that validates user requests on the client side only. The following screenshot shows a corresponding error message when a low privileged user tries to access administrative application content.

01 broken access control 1
Figure 1 Access to the administration in the form of an HTTP GET request is prevented by the application
02 broken access control 1
Figure 2 HTTP POST request to set a password with a non-privileged user is still executed successfully

Although a low-privileged user cannot see the administrative section of the application, he can send the request shown above to reset the password of any user. Information about the corresponding endpoint could be obtained by an attacker from internal sources, the application‘s JavaScript code, or simply by guessing.

Recommended measures

Client-side access control should never be used as the only safeguard against unauthorized access. As demonstrated above, a lack of representation within the application does not prevent an attacker from using the endpoint anyway. Only validation on the server side can prevent unauthorized use of an endpoint. This applies not only to web applications but also to desktop applications (thick clients).

Please note that this is a very general recommendation for security measures. We are happy to support you with individual solutions. Feel free to contact us.


icon dokument orange 040

Read more about our top 5 most notable vulnerabilities and other exciting topics in our 2020 Annual Report.

Also interesting:

usd PCI Best Practice Workshop 2021

usd PCI Best Practice Workshop 2021

For many years, the usd PCI Best Practice Workshop has brought together responsible PCI personnel from companies of all sizes and from all industries to discuss current topics from the world of payment card industry together with PCI experts from usd. The interactive...

Security Advisory 09/2021

Security Advisory 09/2021

The usd HeroLabs pentesters have identified vulnerabilites in the products of the manufacturers Matrix42 and Themeco while conducting their security analyses. Specifically, this is a Stored Cross-Site Scripting and a Symlink vulnerability. The disclosure of...

3 Reasons for a Cloud Security Audit

3 Reasons for a Cloud Security Audit

Outsourcing applications and data to the cloud brings significant benefits for companies, but at the same time also new challenges for the corresponding IT departments. The technologies and processes of a cloud environment differ from those of local data centers....

Categories

Categories