Authentication / Improper Access Control

Web and API | turingsecure Top 10

Description

Improper Access Control is a vulnerability in which an application fails to restrict, or incorrectly restricts, who may reach a given resource or function, so that a user can read, modify or invoke something they are not entitled to. This catalogue files it under Authentication, and it affects Web and API applications alike; in practice the underlying failure is usually one of authorization: the application knows who the caller is but does not check what that caller is permitted to do. The Common Weakness Enumeration (CWE) lists it as CWE-284, Improper Access Control, described as the product not restricting, or incorrectly restricting, access to a resource from an unauthorized actor. The OWASP Testing Guide (v4) covers the tests used to find it in its authentication testing, authorization testing and session management testing chapters, which include checks for bypassing the authorization schema, privilege escalation and insecure direct object references.

Risk

Improper Access Control is a serious risk: an attacker who can send requests to the application (often any authenticated user, sometimes an unauthenticated one) can read or modify data and invoke functions that should be out of reach, up to and including full administrative control. The severity depends on what sits behind the missing check, so assess it against the sensitivity of the exposed data and functions, whether exploitation requires an account at all, and the impact of the resulting breach.

Solution

Access control failures are not fixed by stronger authentication alone: strong passwords and two-factor authentication establish who the caller is, whereas the flaw is that the application does not check what that caller may do. Mitigate it by enforcing authorization on the server for every request and denying by default; by checking that the caller owns, or is otherwise permitted to reach, the specific object each request addresses, not merely that the caller is logged in; by gating privileged functions on roles held in the server-side session rather than in client-supplied fields; by binding only the expected fields from request bodies; and by logging and regularly reviewing authorization denials and access to sensitive resources.

Example

The following schematic exchange is constructed for illustration and is not taken from a published vulnerability report. A self-registration endpoint accepts a role attribute supplied by the client and stores it:

POST /api/user HTTP/1.1
Host: api.example.com
Accept: application/json
Content-Type: application/json

{
   "username": "admin",
   "password": "password",
   "role": "admin"
}

HTTP/1.1 200 OK
Content-Type: application/json

{
   "userId": "f44ae3e3-3a2e-4f26-8e6b-c6a7f6d72a4c",
   "username": "admin",
   "role": "admin"
}

The server binds every field of the request body onto the user record (mass assignment) and never checks whether the caller is allowed to set a role, so an unprivileged caller registers an account that the API subsequently treats as an administrator. The fix is to read only the fields the endpoint is meant to accept and to assign roles exclusively on the server side; the same principle applies to every request that touches another user's data or a privileged function.
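As an added example (not code from the original page or from turingsecure), the following Python module models the user endpoint above without any web framework: a vulnerable handler that binds the client-supplied role, the hardened handler that ignores it, and the object-level and function-level checks described under Solution. All class and function names are assumptions made here for illustration, the in-memory store stands in for a database, and the password hashing is a stand-in so the example runs offline.

```python
"""Added example: a framework-free model of the vulnerable user endpoint
and its hardened form.  All names here are illustrative assumptions."""
import hashlib
import uuid
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    password_hash: str
    role: str = "user"           # assigned server-side, never by the client
    user_id: str = field(default_factory=lambda: str(uuid.uuid4()))


class Forbidden(Exception):
    """Raised when the caller is not authorised for the requested action."""


# In-memory user store standing in for a database (constructed for the example).
USERS = {}

# The only request fields a self-registration call may supply.
ALLOWED_FIELDS = {"username", "password"}
ROLES = {"user", "admin"}


def _hash(password):
    # Stand-in so the example runs offline; use a slow hash (argon2, bcrypt) in practice.
    return hashlib.sha256(password.encode()).hexdigest()


def _public(user):
    """The JSON view of a user that the API returns."""
    return {"userId": user.user_id, "username": user.username, "role": user.role}


def create_user_vulnerable(body):
    """VULNERABLE: every field in the body is bound onto the model, so a
    caller who adds "role": "admin" to the request is granted that role."""
    user = User(username=body["username"],
                password_hash=_hash(body["password"]),
                role=body.get("role", "user"))
    USERS[user.user_id] = user
    return _public(user)


def create_user(body):
    """HARDENED: only whitelisted fields are read and the role is always the
    server-side default.  Unexpected fields are rejected rather than silently
    dropped, so attempts to set privileged attributes show up in the logs."""
    extra = set(body) - ALLOWED_FIELDS
    if extra:
        raise ValueError("unexpected fields: %s" % sorted(extra))
    user = User(username=body["username"], password_hash=_hash(body["password"]))
    USERS[user.user_id] = user
    return _public(user)


def get_user(requester, user_id):
    """Object-level check: callers may read their own record; only admins may
    read anyone else's.  'Not found' and 'not yours' give the same answer so
    that user IDs cannot be enumerated through the error."""
    target = USERS.get(user_id)
    if target is None or not (requester.role == "admin" or requester.user_id == user_id):
        raise Forbidden("access denied")
    return _public(target)


def set_role(requester, user_id, role):
    """Function-level check: the admin requirement is tested against the
    requester object the server built from its session, never against a
    field in the request."""
    if requester.role != "admin":
        raise Forbidden("admin role required")
    if role not in ROLES:
        raise ValueError("unknown role")
    target = USERS.get(user_id)
    if target is None:
        raise Forbidden("access denied")
    target.role = role
    return _public(target)


if __name__ == "__main__":
    mallory = create_user_vulnerable({"username": "mallory", "password": "pw", "role": "admin"})
    print("vulnerable handler granted role:", mallory["role"])   # admin
    alice = create_user({"username": "alice", "password": "pw"})
    print("hardened handler assigned role:", alice["role"])      # user
```

The hardened handler rejects unknown fields instead of ignoring them: a request carrying "role" against a self-registration endpoint is a probe worth seeing in the logs, and silently dropping it would hide that. The two read and update functions show the other half of the control: authorization is decided from the requester object the server constructed, and the object-level check in get_user denies by default, including for IDs that do not exist.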
