OWASP In Depth: A01:2021 - Broken Access Control
Let's dive into the first risk in the OWASP Top 10...
The first risk in the OWASP Top 10 is Broken Access Control. Another way to describe this would be Missing Authorisation. This is a topic I’ve talked a lot about in past emails, and is easily the most common serious¹ vulnerability I come across when auditing Laravel apps.
According to the official guide, Broken Access Control means:
Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits.
With the following common vulnerabilities encompassed by Broken Access Control:
- Violation of the principle of least privilege or deny by default, where access should only be granted for particular capabilities, roles, or users, but is available to anyone.
- Bypassing access control checks by modifying the URL (parameter tampering or force browsing), internal application state, or the HTML page, or by using an attack tool modifying API requests.
- Permitting viewing or editing someone else's account, by providing its unique identifier (insecure direct object references).
- Accessing API with missing access controls for POST, PUT and DELETE.
- Elevation of privilege. Acting as a user without being logged in or acting as an admin when logged in as a user.
- Metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) access control token, or a cookie or hidden field manipulated to elevate privileges or abusing JWT invalidation.
- CORS misconfiguration allows API access from unauthorized/untrusted origins.
- Force browsing to authenticated pages as an unauthenticated user or to privileged pages as a standard user.
The guide also lists methods of preventing Broken Access Control, but we’ll get to that in a moment. First I want to pause and reassess the common vulnerabilities they’ve listed.
You’ll notice that a number of the vulnerabilities are fairly similar to others, with only subtle differences between them². So to make it easier to work through the list, I’m going to summarise them into a few key areas that we can dive into and learn how they relate to Laravel.
- Violating the principle of least privilege.
- Insecure Direct Object References (IDOR).
- Missing or incomplete authorisation checks.
- Failure to validate access tokens.
Let’s tackle each of these in turn, looking at how they relate to Laravel apps and what you need to be aware of.
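As an added illustration (not code from the original post), here is how the IDOR and missing-authorisation areas typically surface in a Laravel controller, with two hardened versions beside the vulnerable one. It assumes an `Invoice` model with a `user_id` column, a `User::invoices()` hasMany relationship, and routes already behind the `auth` middleware; the class and file names are invented for the example.

```php
<?php
// app/Http/Controllers/InvoiceController.php (hypothetical file for this example)
namespace App\Http\Controllers;

use App\Models\Invoice;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;

class InvoiceController extends Controller
{
    // VULNERABLE: authenticated, but never checks who owns the invoice.
    // Changing /invoices/42 to /invoices/43 returns another customer's record (IDOR).
    public function showInsecure(int $id)
    {
        $invoice = Invoice::findOrFail($id);

        return view('invoices.show', ['invoice' => $invoice]);
    }

    // HARDENED, option 1: scope the query to the current user's own invoices.
    // A foreign id is simply not found (404); ownership is enforced by the query.
    public function showScoped(Request $request, int $id)
    {
        $invoice = $request->user()->invoices()->findOrFail($id);

        return view('invoices.show', ['invoice' => $invoice]);
    }

    // HARDENED, option 2: route-model binding plus an explicit policy check.
    // Gate::authorize() throws an AuthorizationException (rendered as 403) unless
    // InvoicePolicy::view() returns true, so access is denied by default.
    public function show(Invoice $invoice)
    {
        Gate::authorize('view', $invoice);

        return view('invoices.show', ['invoice' => $invoice]);
    }
}

// app/Policies/InvoicePolicy.php (hypothetical; auto-discovered for App\Models\Invoice)
namespace App\Policies;

use App\Models\Invoice;
use App\Models\User;

class InvoicePolicy
{
    // Single place that decides ownership; keep all invoice rules here, not in controllers.
    public function view(User $user, Invoice $invoice): bool
    {
        return $invoice->user_id === $user->id;
    }
}
```

The same policy method also protects update and delete routes once they call `Gate::authorize('update', ...)` and `Gate::authorize('delete', ...)` against matching policy methods, which is where the "missing access controls for POST, PUT and DELETE" item from the list above is addressed.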