Broken Access Control

application problems that allow attackers to access data they shouldn't

eg. other user's data

eg. system data like passwords file

a) direct object access

url probing

• anti-pattern: database IDs in URLs

• pattern: unique non-sequential IDs

• pattern: generic URL that is session sensitive (eg. /users/me)

• pattern: session-specific mapping from random IDs to real IDs

• • 😞 service must populate all response URLs

  • 😞 links will not persist across sessions (violates REST)

authorize access to objects

• pattern: check on every request

• information leakage

• • eg. size of your customer base (403 vs 404 on sequential customer IDs)

  • eg. email from a known customer (403 vs 404 on email address)

  • pattern: 404 instead of 403

Heuristic: if a caller is not authorized to see the contents of a resource, it should be as if the resource does not exist

b) directory traversal attacks

download

• eg '../../../etc/passwd'

upload

• pattern: create a random filename, store the client's filename as metadata

ref: common weakness enumeration - 22 path traversal

(src:

• Model: OWASP top 10

• Book: release it! - Michael Nygard)