Broken Access Control

application flaws that let an attacker access data they are not authorized to see

eg. another user’s data; eg. system data such as the password file

a) direct object access

url probing

  • anti-pattern: database IDs in URLs
  • pattern: unique non-sequential IDs
  • pattern: generic URL that is session sensitive (eg. /users/me)
  • pattern: session-specific mapping from random IDs to real IDs
    • 😞 service must populate all response URLs
    • 😞 links will not persist across sessions (violates REST)

authorize access to objects

  • pattern: check on every request
  • information leakage through response codes
    • eg. size of your customer base (403 vs 404 on sequential customer IDs)
    • eg. whether an email address belongs to a known customer (403 vs 404 on email address)
    • pattern: 404 instead of 403

Heuristic: if a caller is not authorized to see the contents of a resource, it should be as if the resource does not exist

b) directory traversal attacks

download

  • eg. ‘../../../etc/passwd’

upload

  • pattern: create a random filename, store the client’s filename as metadata
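Added example (not from these notes): a download handler that confines client-supplied paths to a base directory, answering 404 for both "outside the base" and "does not exist" (the heuristic above), and an upload handler that stores files under a random name with the client's filename kept only as metadata. The base directory and the `.meta.json` sidecar layout are assumptions made for the example.

```python
import json
import secrets
import tempfile
from pathlib import Path


def safe_resolve(base_dir, client_path):
    """Resolve a client-supplied path under base_dir; None if it escapes."""
    if "\x00" in client_path:               # null bytes truncate paths in C libraries
        return None
    base = Path(base_dir).resolve()
    target = (base / client_path).resolve()  # collapses '..', follows symlinks;
    try:                                     # an absolute client path replaces base
        target.relative_to(base)             # raises ValueError when outside base
    except ValueError:
        return None
    return target


def download(base_dir, client_path):
    """Bytes of the requested file, or None for both 'outside base_dir' and
    'does not exist', so the caller answers 404 in either case (not 403)."""
    target = safe_resolve(base_dir, client_path)
    if target is None or not target.is_file():
        return None
    return target.read_bytes()


def upload(base_dir, client_filename, data):
    """Store data under a random name; the client's filename is metadata only."""
    stored = secrets.token_hex(16)           # random, non-sequential, never client-chosen
    base = Path(base_dir)
    (base / stored).write_bytes(data)
    (base / (stored + ".meta.json")).write_text(
        json.dumps({"original_name": client_filename}))
    return stored                            # the ID handed back to the client


def original_name(base_dir, stored):
    """Client's filename for a stored upload (for display only); the ID comes
    back from the client, so it is validated before being used in a path."""
    if len(stored) != 32 or any(c not in "0123456789abcdef" for c in stored):
        return None
    meta = Path(base_dir) / (stored + ".meta.json")
    if not meta.is_file():
        return None
    return json.loads(meta.read_text())["original_name"]


def make_demo_dir():
    """Constructed sample: a fresh directory holding one downloadable file."""
    d = tempfile.mkdtemp()
    (Path(d) / "report.txt").write_bytes(b"quarterly report")
    return d
```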

ref: CWE - CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) (4.8)

(src: