Broken access control represents all security flaws within an application that arise due to insufficient or missing authorization checks regarding a user's access privileges to some resource.

By exploiting such a flaw, an attacker could elevate their privileges or pivot horizontally to another user's account.

Elevation of Privilege

By elevating their privileges an attacker could gain administrative access to certain resources or features that a regular user would not have access to (e.g., access to modify or deactivate other users on the platform).

The most basic form of privilege elevation in web application security is unprotected administrative functionality, for example an /admin endpoint that anyone can reach. Such endpoints are often "hidden" from regular users only in the sense that no navigation link points to them. Relying on that alone (known as security by obscurity) is not an effective access control: if the URL is leaked, anyone can simply access the hidden page and potentially gain administrative permissions.

Some ways to leak these hidden pages are:

  • /robots.txt
  • Wordlist brute-force

Horizontal Pivot

If an attacker could not elevate their privileges, they might attempt to pivot horizontally (i.e., access a different non-administrative account) to leak information or access resources available to different users.

For example, consider a banking application in which a logged-in user sees a URL such as /transactions?account_id=15231. If access controls are ineffective, an attacker can change the account_id parameter to a different value, such as /transactions?account_id=15232, and access another user's transaction history.

A further problem is that account_id is easily guessable and simple to brute-force (e.g., start from 1 and increment by 1 each time). Identifiers should therefore ideally be unique, randomly generated, and independent of previous values, such as UUIDs.
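As an added example that is not part of the original article, the following Python models the /transactions?account_id= endpoint twice: the insecure handler that trusts the URL parameter, and a hardened one that ties the request to the authenticated session and denies by default. It also covers the server-side role check that the /admin functionality from the previous section needs. The users, account ids and transaction strings are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "user" or "admin"


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested resource."""


# Constructed sample data: account_id -> (owner's user_id, transaction history)
ACCOUNTS = {
    15231: (1, ["2024-01-03 -40.00 coffee", "2024-01-04 +1200.00 salary"]),
    15232: (2, ["2024-01-02 -9.99 streaming"]),
}


def transactions_insecure(session_user: User, account_id: int) -> list:
    """Broken access control: the handler trusts account_id from the URL and
    never checks that the logged-in user owns that account."""
    return ACCOUNTS[account_id][1]


def can_access_account(session_user: User, account_id: int) -> bool:
    """Server-side ownership check, deny by default: unknown accounts and
    accounts owned by someone else are both refused, so the response does not
    reveal which account_ids exist."""
    entry = ACCOUNTS.get(account_id)
    if entry is None:
        return False
    owner_id, _ = entry
    return session_user.user_id == owner_id or session_user.role == "admin"


def transactions_secure(session_user: User, account_id: int) -> list:
    """Hardened handler: the authenticated identity, not the URL, decides."""
    if not can_access_account(session_user, account_id):
        raise Forbidden("account not accessible for this user")
    return ACCOUNTS[account_id][1]


def can_use_admin_feature(session_user: User) -> bool:
    """Role check for the /admin functionality: a missing navigation link is
    not an access control; the server must verify the role on every request."""
    return session_user.role == "admin"
```

Random identifiers such as UUIDs make enumeration harder, but the ownership check in can_access_account is what actually stops the horizontal pivot.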
