Broken Access Control

Question :

What is Access Control?

What is Broken Access Control?

What is an example of Broken Access Control?

What are the technical impacts of Broken Access Control?

What are the business impacts of Broken Access Control?

What are the risks related to Broken Access Control?

How to find Broken Access Control in a web application?

What are the countermeasures for Broken Access Control?

What are the security rules to avoid Broken Access Control?

What are the best practices used for the prevention of Broken Access Control?

Answer :

About Access Control

Access control is the mechanism that ensures an object is accessed only by authenticated users who are authorized to access it. Different kinds of access control mechanisms are used to manage which users may access which information. The common access control mechanisms are as follows.

Physical – Mechanisms that limit access to physical systems, such as doors, windows and premises, fall under physical access control.

Logical – Mechanisms such as passwords that authenticate user access, together with software- and token-based access restrictions, fall under logical access control.

Administrative – Policies and processes that define, control and manage access to information and information systems, administered by a super user of the system, fall under administrative access control.

Broken Access Control

Broken access control is the fifth of the OWASP Top Ten critical security risks for web applications, and it is closely related to broken authentication. Access control flaws make a website vulnerable: an attacker gains access to a user's account on the site, changes the values that refer to the site's sensitive objects, and thereby obtains unauthorized access to other users' personalized content. Broken access control is a major web security problem.

Example of Broken Access Control

In 2012 an attacker used a spear-phishing attack to compromise the taxation website of the South Carolina Department of Revenue. This was a case of broken access control, used to steal taxpayer data from the site without authorization. Approximately 3 to 4 million social security numbers were stolen from the website. The attacker bypassed the authentication process and accessed the confidential information of taxpayers held on the revenue department's website.

Technical Impacts of Broken Access Control

Broken access control vulnerabilities in web applications have several categories of technical impact.

The attacker can act as the administrator of the web application

The attacker can use the privileged functionality of the web application

The attacker can create, modify and delete records in the web application

Business Impact of Broken Access Control

Broken access control also affects the business of an organization that offers a web-based interface to its customers.

Loss of customer trust

Loss of business trust

Loss of revenue

Loss of privacy

Loss of data and information

Risks Related to Broken Access Control

Broken access control is regarded as a very sophisticated web security attack, yet it is also a very simple one. Attackers harvest users' secret credentials from the website using tools such as Mimikatz, or experiment with the uniform resource locator and manipulate it. A broken access control vulnerability exists whenever an unauthorized user can reach files and functions without authorization. The risks related to this vulnerability are as follows.

Unauthorized access to personalized content

Impersonation

Leak of confidential information

Damage to trust in the organization

Loss of privacy

Finding Broken Access Control in a Web Application

The steps required to find broken access control in a web application are as follows.

Prepare documentation of the access control policy

Decide to consider broken access control in the assessment

Review the access control code deployed on the web application

Perform penetration testing to find vulnerabilities such as broken access control.

Countermeasures for Broken Access Control

The broken access control vulnerability can be prevented in the following ways.

Deploy a multifactor authentication mechanism on web applications

Isolate each session of the web application from the others

Time out the session when a user of the web application is idle

Ensure that secured cookies are used with the web application

Security Rules to Avoid Broken Access Control

Basically, there are four important rules of thumb to secure a site against broken access control. These rules are given below.

Employ a password policy that requires strong passwords

Store passwords hashed and encrypted

Apply protection of the session identity

Deploy a password change control mechanism under the password policy

Best practices for Access Control

Explicitly evaluate all security framework documentation for the website's access control requirements.

Access control decisions must be derived from the logged-in user's session.

Apply a centralized component of the website application to perform the access check. Enforce this for every web page of the website and for every client.
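The following is an added example, not part of the original answer, showing the last two practices in code: a handler that trusts the object id taken from the URL beside a hardened handler that routes every access through one centralized check whose identity comes from the server-side session. The record store, the Session class and the function names are constructed for illustration.

```python
# Added example, not from the original page. The data store, Session,
# authorize() and the handler names are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Server-side session: identity is set at login, never by the client."""
    user_id: str
    role: str  # "user" or "admin"


# Constructed sample data: invoice records keyed by id, each with an owner.
RECORDS = {
    101: {"owner": "alice", "amount": 120.0},
    102: {"owner": "bob", "amount": 75.5},
}


class Forbidden(Exception):
    pass


def get_record_insecure(record_id: int) -> dict:
    """Vulnerable: trusts the id taken from the URL and never asks who is
    calling, so changing /records/102 to /records/101 returns another
    user's data."""
    return RECORDS[record_id]


def authorize(session: Session, action: str, record: dict) -> bool:
    """Single policy point for the whole application. Deny by default;
    identity is read from the session, not from request parameters."""
    if session.role == "admin":
        return True
    if action == "read" and record["owner"] == session.user_id:
        return True
    return False


def get_record(session: Session, record_id: int) -> dict:
    """Hardened handler: every path to a record goes through authorize()."""
    record = RECORDS.get(record_id)
    if record is None or not authorize(session, "read", record):
        # Same response for "missing" and "not yours": no existence oracle.
        raise Forbidden(f"record {record_id}: access denied")
    return record


if __name__ == "__main__":
    bob = Session("bob", "user")
    print(get_record_insecure(101))   # leaks alice's record to bob
    print(get_record(bob, 102))       # bob's own record is served
    try:
        get_record(bob, 101)
    except Forbidden as err:
        print(err)                    # centralized check refuses
```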