First things first, did you know that the OWASP acronym has changed from Open Web Application Security Project to Open Worldwide Application Security Project? Neither did we! But onto the real stuff.
Today we have another entry in the OWASP Top Ten Series – Broken Access Control. This is one of the most prevalent vulnerabilities that we find during application testing, and OWASP agrees: it moved to the number one spot in the 2021 Top Ten. And really, it isn't just web or mobile applications that can be vulnerable to broken access controls – anything that decides who is allowed to do what (APIs, internal tooling, cloud and identity configuration) can get that decision wrong. So what is a broken access control?
Broken Access Control refers to vulnerabilities where a malicious actor can bypass the intended permissions of an application and perform unauthorized actions. This can include viewing sensitive data, modifying data they shouldn't have access to, or even administering user accounts without appropriate permissions. The common thread is that the application never actually asks, on the server side, whether this particular user may perform this particular action on this particular object; it trusts a URL parameter, a hidden form field, or a client-side check instead. Testers usually split these into horizontal cases (reaching another user's data at the same privilege level) and vertical cases (reaching functionality reserved for a higher privilege level, such as an admin panel).
The OWASP website details some possible Broken Access Controls as:
Preventing Broken Access Control can involve:
One very common type of Broken Access Control is an IDOR, an Insecure Direct Object Reference. The application exposes a reference to an internal object (a database key, a filename, an account or invoice number) and lets the user swap it for someone else's without checking that the requester is allowed to reach the target. Brackish Security testers find these in the majority of web application tests they perform. The check is simple: create two accounts, capture a request that carries an object identifier as one user, replay it with the second user's session and the first user's identifier, and compare the responses. Also, for the Bug Bounty hunters out there, IDORs can be very lucrative. Dig deep and learn how an application operates, and an IDOR could benefit you financially.
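To make the pattern concrete, here is an added example (not code from Brackish Security or from OWASP) that puts a vulnerable lookup next to its hardened form and then runs the same ID-walking check a tester would. The invoice records, user names and ID range are constructed for the demo; the ownership model (each invoice has exactly one owner) is an assumption chosen to keep the example short.

```python
"""IDOR demo: a vulnerable object lookup beside its fixed version.

Added illustration, not code from the original post. INVOICES, the user
names and the ID range are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount: float


# Constructed sample data. Sequential, guessable primary keys, as in
# most real applications, so an attacker can simply count up or down.
INVOICES = {
    1001: Invoice(1001, "alice", 120.00),
    1002: Invoice(1002, "bob", 4999.99),
    1003: Invoice(1003, "carol", 75.50),
}


class AccessDenied(Exception):
    """Raised when the caller is not allowed to reach the object."""


def get_invoice_vulnerable(session_user: str, invoice_id: int) -> Invoice:
    """Checks only that someone is logged in, then trusts the ID taken
    from the request. Any authenticated user can read any invoice."""
    if not session_user:
        raise AccessDenied("login required")
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise LookupError("no such invoice") from None


def get_invoice_fixed(session_user: str, invoice_id: int) -> Invoice:
    """Same lookup, but the ownership check is enforced server side on
    every request. A missing invoice and a forbidden invoice produce
    the same error, so the response does not confirm which IDs exist."""
    if not session_user:
        raise AccessDenied("login required")
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != session_user:
        raise LookupError("no such invoice")
    return invoice


def enumerate_invoices(handler, session_user: str, id_range):
    """What a tester does: log in as one user, walk the ID space, and
    record every object that comes back. Returns the leaked IDs."""
    leaked = []
    for invoice_id in id_range:
        try:
            handler(session_user, invoice_id)
        except (AccessDenied, LookupError):
            continue
        leaked.append(invoice_id)
    return leaked


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("vulnerable:", enumerate_invoices(get_invoice_vulnerable, "alice", ids))
    print("fixed:     ", enumerate_invoices(get_invoice_fixed, "alice", ids))
```

Run as written, the vulnerable handler hands alice all three invoices while the fixed one returns only her own. Two design points are worth copying into real code: the authorization decision lives next to the data access, so there is no code path that fetches an object without it, and "not found" and "not yours" are indistinguishable to the caller, which keeps the fixed endpoint from becoming an ID oracle even after the IDOR is closed.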
Here are a few links to Broken Access Controls and IDORs that have been found in real life.
https://hackerone.com/reports/1323406
https://medium.com/@mrhavit/how-i-found-an-insecure-direct-object-reference-in-tiktok-c7303addf223
https://hackerone.com/reports/42587
As always, if you need the experts to test your applications, reach out to Brackish Security – Let’s Make the Bad Guys Salty!