Authentication / Improper Access Control
Description
Improper Access Control (CWE-284) is a vulnerability class in which an application fails to restrict information or resources to the users authorized to use them. This vulnerability is categorized under Authentication and affects web applications and APIs. The OWASP Web Security Testing Guide (WSTG) outlines a number of tests that can be used to detect Improper Access Control, including authentication testing, authorization testing and session management testing.
Risk
Improper Access Control is a serious security risk: it can allow an attacker to reach information and resources they are not authorized to access. To assess the risk properly, organizations should take into account the sensitivity of the data and resources involved, as well as the potential impact of a breach.
Solution
Organizations can mitigate the risk of Improper Access Control by implementing strong authentication and authorization mechanisms. These include robust access control lists, the use of strong passwords, two-factor authentication, and continuous monitoring of access logs.
Example
The following example is taken from the CVE-2020-8165 vulnerability. In this example, an authenticated user is able to access the API without proper authorization:
POST /api/user HTTP/1.1
Accept: application/json
Content-Type: application/json

{
  "username": "admin",
  "password": "password"
}

HTTP/1.1 200 OK
Content-Type: application/json

{
  "userId": "f44ae3e3-3a2e-4f26-8e6b-c6a7f6d72a4c",
  "username": "admin",
  "role": "admin"
}
In this example, the application does not properly validate the user's role, so the user can access the API with an admin role without being authorized to do so.
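An added example, not code from the original page or from the software behind CVE-2020-8165: a minimal Python model of the /api/user handler in which the role is taken from the request body, beside a hardened handler that derives both the role and the access decision from the server-side account record. The user names, passwords, user ids, session store and the client-supplied "role" field are assumptions constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets
# Constructed demo user store: the role is a server-side fact about the account.
SALT = b"demo-salt"  # salted SHA-256 keeps the demo short; use argon2/bcrypt in real code

def pw_hash(pw):
    return hashlib.sha256(SALT + pw.encode()).hexdigest()

USERS = {
    "admin": {"userId": "demo-uid-0001", "pw": pw_hash("correct horse"), "role": "admin"},
    "alice": {"userId": "demo-uid-0002", "pw": pw_hash("s3cret"), "role": "user"},
}
SESSIONS = {}  # session token -> username, held only on the server

def login(body):
    """POST /api/login: verify credentials and issue an opaque session token."""
    req = json.loads(body)
    user = USERS.get(req.get("username", ""))
    if user is None or not hmac.compare_digest(user["pw"], pw_hash(req.get("password", ""))):
        return 401, {"error": "invalid credentials"}
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = req["username"]
    return 200, {"token": token}

def vulnerable_user_api(token, body):
    """POST /api/user, flawed: the caller is authenticated, but the role is read from the body."""
    caller = SESSIONS.get(token)
    if caller is None:
        return 401, {"error": "not authenticated"}
    req = json.loads(body)
    role = req.get("role", "user")  # CWE-284: authorization input controlled by the client
    target_name = req.get("username", caller)
    target = USERS.get(target_name)
    if target is None or (target_name != caller and role != "admin"):
        return 403, {"error": "forbidden"}  # 403 for unknown names too: no user enumeration
    return 200, {"userId": target["userId"], "username": target_name, "role": role}

def hardened_user_api(token, body):
    """POST /api/user, fixed: role and access decision come only from the server-side record."""
    caller = SESSIONS.get(token)
    if caller is None:
        return 401, {"error": "not authenticated"}
    target_name = json.loads(body).get("username", caller)
    target = USERS.get(target_name)
    if target is None or (target_name != caller and USERS[caller]["role"] != "admin"):
        return 403, {"error": "forbidden"}
    return 200, {"userId": target["userId"], "username": target_name, "role": target["role"]}
```

With a session for the low-privilege user, the flawed handler returns the admin record with "role": "admin" when the body carries that role, while the hardened handler answers 403 because the caller's stored role is "user".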