The next item in the OWASP Top 10 is broken access control. In today's digital world almost every application, device, and piece of software has an access control mechanism in place. An authenticated user is allowed to use only the data or features that are within that user's scope. If a user is able to reach features beyond that scope, the result is a serious problem. Sometimes a user gets access to other users' information and accounts because of broken access control in the application. This puts the data, privacy, and other information of those users at risk.
Access control is simply a set of rules for users that clearly defines what they are allowed to access. Broken access control means the access control mechanism is not working and users are getting access to other accounts, data, information, or access rights. Remember that broken authentication is when you break into someone else's account, while broken access control is when you are already an authorized user and cross your limits, either intentionally or by taking advantage of application flaws. Do not confuse broken access control with broken authentication; there is a thin line between them.
How to implement strong access controls?
1. Access Roles and Managers
Any application or software has a lot of features and functionalities, and each feature has its own importance. Let us understand this with a simple example: an application has a user space, a technical support team space, a developer space, and finally an admin space. Each user in each space has their own access level and can reach only a certain part of the application. As application architects, we should clearly define the rules of each of these access levels and protect each space by enforcing strict authentication and verification. As the number of users grows, how we manage a huge number of users becomes even more important. We also need to make sure that within the user space there is no access violation between user 1 and user 2; in effect, within one space we now have sub-spaces.
2. Monitoring and Notification
The second technique is monitoring, notifying, and responding to access control failures. When we design our application we should put a monitoring mechanism in place for access control. There are many techniques that can be used, such as logging and notifying users by email, text, or phone call. If the system detects a broken access attempt, it should notify the right person that someone is trying to make a change. With the help of logging, it can be traced back who broke the access and how. This helps in improving the system and avoiding future incidents.
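To make the two techniques above concrete, here is an added example (not code from the original post) in Python: a vulnerable record lookup that only authenticates, beside a hardened one that denies by default, enforces ownership and role, and writes every denial to an audit log that a notification hook can watch. The user ids, roles, record ids and the alert threshold are constructed for the demo.

```python
# Constructed sample data for the demo: users in their "spaces" (roles),
# and the records each user owns. Not taken from any real system.
USERS = {
    "u1": {"role": "user"},
    "u2": {"role": "user"},
    "s1": {"role": "support"},
    "a1": {"role": "admin"},
}
RECORDS = {
    101: {"owner": "u1", "data": "u1 profile"},
    202: {"owner": "u2", "data": "u2 profile"},
}
CROSS_READ_ROLES = {"support", "admin"}  # spaces allowed to read any user's record
ALERT_THRESHOLD = 3                      # denials per actor before someone is notified
AUDIT_LOG = []                           # one dict per denied request


def get_record_vulnerable(actor, record_id):
    """Broken access control: the caller is authenticated but never authorized."""
    if actor not in USERS:
        raise PermissionError("not authenticated")
    return RECORDS[record_id]["data"]   # u2 can read 101, which belongs to u1


def get_record(actor, record_id):
    """Hardened: deny by default, allow owner or a cross-read role, log denials."""
    if actor not in USERS:
        raise PermissionError("not authenticated")
    rec = RECORDS.get(record_id)
    role = USERS[actor]["role"]
    if rec is not None and (rec["owner"] == actor or role in CROSS_READ_ROLES):
        return rec["data"]
    # Missing and forbidden ids get the same response so ids cannot be enumerated
    # from error differences; the audit log still keeps the real reason.
    AUDIT_LOG.append({"actor": actor, "record": record_id,
                      "reason": "missing" if rec is None else "not owner"})
    raise PermissionError("denied")


def try_get(actor, record_id):
    """Convenience wrapper: return the data, or None when access is denied."""
    try:
        return get_record(actor, record_id)
    except PermissionError:
        return None


def denial_count(actor):
    return sum(1 for e in AUDIT_LOG if e["actor"] == actor)


def should_notify(actor):
    """Monitoring hook: True once an actor has crossed the denial threshold."""
    return denial_count(actor) >= ALERT_THRESHOLD
```

In a real application the audit entries would go to a log pipeline and `should_notify` would trigger the email, text or call described above.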
We always focus on testing our applications to find issues before we ship our products. We use automated tools and scripts, and we deploy manual testers. These days we even perform penetration testing to find vulnerabilities. But access control risks are the kind of issue that is very hard to find with automation. Manual testing is the best and recommended way to find broken access control. It starts with reviewing the access control mechanism and then manually trying to take advantage of any of the broken areas. Negative manual testing is the right term: a tester tries their best to break the system. This helps a lot in closing the application's loopholes.