**Note: The content in this article is only for educational purposes and understanding of cybersecurity concepts. It should enable people and organizations to have a better grip on threats and know how to protect themselves against them. Please use this information responsibly.**
Access control stands as a key part of keeping information safe. It plays a crucial role in managing who can use certain resources and carry out specific tasks within a system. It acts like a guard deciding who gets in based on their job and set rules. Good access control helps protect sensitive info, keep data accurate, and make sure only the right people can operate the system.
One major issue with access control is Insecure Direct Object Reference (IDOR). This happens when a program lets users get to or change things by tweaking input settings, like web addresses or form boxes, without checking if they’re allowed to. Let’s say a website has a link like /user?ID=100. A hacker might change the ID number to see someone else’s profile or private data. This issue comes from not checking user inputs well enough and not enforcing proper access rules.
A related problem is the Missing Functional Level Access Control. This security flaw occurs when an app doesn’t check access rights at different levels of its features. It means people might get into actions or parts of the app they’re not supposed to use. For example, a regular user could use admin tools because the app doesn’t limit access at the feature level. To control access well, every function or action in the app needs to be protected based on what the user is allowed to do.
Broken Access Control is a wider group that includes both IDOR and functional level access control that’s missing. It talks about cases where access control systems are either not set up right or missing, which leads to a bunch of security problems. These could involve getting into sensitive data without permission or escalating up to higher levels of access. For instance, threat actors might use these weaknesses to get more permissions than they should have, access private information, or perform restricted operations.
Walkthrough: Broken Access Control in badStore
- Register for a new account.
- Click on What’s New in the left panel and select the items you want to put into cart. Click on Add to Cart.
Notice that you are redirected to the home page and action you performed here is cartadd.
- Click on View Cart. Notice that the action you performed here is cartview.
- It is asking for card details to submit payment.
- If we want to bypass the submitpayment action, we can manipulate the action query parameter and directly place an order without payment.
Change action query parameter in URL to: order
Your order has been placed without even submitting payment.
Thus, we can use this vulnerability to buy unlimited number of products.
Prevention
- Avoid relying solely on obscurity; employ robust mechanisms instead.
- Default deny access to non-public resources unless explicitly authorized.
- Implement centralized access control mechanisms for consistency.
- Enforce strict guidelines for developers to declare and validate access permissions.
- Regularly audit and test access controls to ensure effectiveness and compliance.
Summary Points
- Register a new account.
- Add items to the cart (cartadd action).
- View the cart (cartview action).
- The system prompts for payment (submitpayment action).
- Manipulate the action query parameter in the URL.
- Change submitpayment to order, bypassing payment.
- Order is placed without making a payment, enabling unlimited purchases.
