OWASP Broken Access Control
September 10th, 2022
Broken Access Control
application flaws that let attackers access data they should not be able to reach
eg. other users' data
eg. system data like passwords file
a) direct object access
url probing
anti-pattern: database IDs in URLs
pattern: unique non-sequential IDs
pattern: generic URL that is session sensitive (eg. /users/me)
pattern: session-specific mapping from random IDs to real IDs
😞 service must populate all response URLs
😞 links will not persist across sessions (violates REST)
authorize access to objects
pattern: check on every request
information leakage
eg. size of your customer base (403 vs 404 on sequential customer IDs: 403 says the record exists, 404 says it does not)
eg. whether an email address belongs to a known customer (403 vs 404 on email address)
pattern: 404 instead of 403
Heuristic: if a caller is not authorized to see the contents of a resource, it should be as if the resource does not exist
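The patterns in (a) side by side, as an added example (not part of the original notes): a tiny in-memory order service with a leaky endpoint that puts sequential database IDs in the URL and answers 403 or 404, next to a hardened one that hands each session its own random handles, re-checks ownership on every request, and answers 404 whether the object is missing or simply not the caller's. The `Session`, `ORDERS` and endpoint names are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample data: two customers, each owning one order, with sequential DB ids.
ORDERS = {
    1: {"owner": "alice", "item": "laptop"},
    2: {"owner": "bob", "item": "phone"},
}


@dataclass
class Session:
    user: str
    # Pattern: session-specific mapping from random opaque IDs to real IDs.
    id_map: dict = field(default_factory=dict)

    def expose(self, real_id: int) -> str:
        """Return this session's random, non-sequential handle for a real ID (allocating one if needed)."""
        for opaque, rid in self.id_map.items():
            if rid == real_id:
                return opaque
        opaque = secrets.token_urlsafe(16)
        self.id_map[opaque] = real_id
        return opaque


def list_my_orders(session: Session) -> list:
    """The cost noted above: every URL in a response must be rewritten with session handles."""
    return [f"/orders/{session.expose(rid)}"
            for rid, order in ORDERS.items() if order["owner"] == session.user]


def get_order_leaky(session: Session, real_id: int):
    """Anti-pattern: DB id straight from the URL, and 403 vs 404 reveals whether the id exists."""
    order = ORDERS.get(real_id)
    if order is None:
        return 404, None
    if order["owner"] != session.user:
        return 403, None
    return 200, order


def get_order(session: Session, opaque_id: str):
    """Pattern: resolve the session handle, authorize on every request, 404 for unknown and unauthorized alike."""
    real_id = session.id_map.get(opaque_id)
    order = ORDERS.get(real_id) if real_id is not None else None
    if order is None or order["owner"] != session.user:
        # Heuristic from the notes: if the caller may not see it, behave as if it does not exist.
        return 404, None
    return 200, order


def probe_statuses(session: Session, real_ids: list) -> list:
    """Status codes the leaky endpoint returns to one user across a range of ids; distinct codes are the leak."""
    return [get_order_leaky(session, rid)[0] for rid in real_ids]
```

Walking `probe_statuses(Session("bob"), [1, 2, 3])` against the leaky endpoint yields `[403, 200, 404]`, so a caller learns which ids exist; the hardened endpoint only ever answers with the caller's own handles or 404, and a handle copied out of another user's session resolves to nothing.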
b) directory traversal attacks
download
eg. '../../../etc/passwd'
upload
pattern: create a random filename, store the client's filename as metadata
ref: Common Weakness Enumeration, CWE-22 (path traversal)
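Both halves of (b) in one place, as an added example that is not part of the original notes: a download handler that resolves the client's name to a real path and refuses anything that lands outside the store, and an upload handler that writes under a random server-chosen name and keeps the client's filename only as metadata. The temporary `STORE_ROOT` directory and the function names are constructed for the example; a traversal attempt and a missing file both come back as 404, following the heuristic in (a).

```python
import os
import secrets
import tempfile
from pathlib import Path

# Constructed sandbox: an empty temporary directory standing in for the server's file store.
STORE_ROOT = Path(tempfile.mkdtemp(prefix="filestore-")).resolve()


def resolve_download(requested: str, root: Path = STORE_ROOT) -> Path:
    """Map a client-supplied name to a path under root, rejecting anything that escapes it.

    os.path.realpath collapses '..' segments and follows symlinks, so the containment
    check is made on the final on-disk location rather than on the string the client sent.
    An absolute name such as '/etc/passwd' replaces root when joined and is rejected the same way.
    """
    candidate = Path(os.path.realpath(root / requested))
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"refusing path outside store: {requested!r}")
    return candidate


def read_download(requested: str, root: Path = STORE_ROOT):
    """Download endpoint: a traversal attempt and a missing file are both reported as 404."""
    try:
        path = resolve_download(requested, root)
    except PermissionError:
        return 404, None
    if not path.is_file():
        return 404, None
    return 200, path.read_bytes()


def store_upload(client_filename: str, data: bytes, root: Path = STORE_ROOT) -> dict:
    """Upload endpoint: store under a random name, never under the client's name."""
    stored_as = secrets.token_hex(16)  # 32 hex chars, no separators, no client influence
    (root / stored_as).write_bytes(data)
    # The client's filename is kept as metadata only, so whatever it contains never touches the path.
    return {"stored_as": stored_as, "client_filename": client_filename, "size": len(data)}
```

Because the stored name is generated server-side, a client filename such as `../../evil.sh` is just a string in the metadata record; the only way to read the file back is through `read_download` with the random name the server handed out.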
(src: