Broken Access Control

Learning Objectives

Access Control

Access controls are the measures websites put in place to restrict the data users are allowed to read and write to. For example, in order to change a user’s notification preference on a website, you should first have to login as that user. If you aren’t logged in, or are logged in as a different user, you shouldn’t be able to modify these settings.

Broken Access Control

As an example of broken access control, imagine the following. A website might show a user’s settings page under the /users/{userId}/settings path. On the frontend, the site might have a settings button which, when clicked, redirects the user to their own settings page by embedding their User ID in the path. However, a malicious user could simply enter an arbitrary userId into the search bar directly and so access another user’s settings.

app.get("/users/:id/settings", async (req, res) => {
    /* 
        Must check the request is coming from the correct user
        and reject if not!
    */
    const user = await getUserData(req.params.id);
    res.render("settings", { user });
});

Other examples might include a standard user accessing an admin page, or a website failing to reject requests made by the browser whose session on the site has expired.

Preventing Broken Access Control

The most important principle for preventing broken access control vulnerabilities is to reject all requests for non-public resources by default. In most cases, it’s better to err on the side of caution and potentially reject legitimate requests rather than accept illegitimate requests.

Assignment

Additional Resources

OWASP Broken Access Control