Broken access control

2.4 Given a scenario, recommend controls to mitigate attacks and software vulnerabilities.

📘CompTIA CySA+ (CS0-003)

Overview

Access control is the system that decides who can do what in an IT environment. It ensures that users can only access resources they are allowed to—like files, applications, or system functions.

Broken access control happens when these rules fail, letting users do things they shouldn’t be able to do. This can lead to serious security risks.

Types of Broken Access Control

Here are the common ways broken access control appears:

  1. Horizontal Privilege Escalation
    • A user accesses resources of another user with the same role.
    • Example:
      • A regular employee can view another employee’s HR records.
      • In IT: An account with role “user” can read files from another “user” without permission.
  2. Vertical Privilege Escalation
    • A user performs actions meant for higher-privileged users (admins or managers).
    • Example:
      • A normal user modifies server settings or deletes users.
      • In IT: A “user” account is able to access the admin dashboard.
  3. Missing Function-Level Access Control
    • Functions or endpoints that should be restricted are publicly accessible.
    • Example:
      • An internal API that deletes user accounts is callable by anyone logged in.
  4. Insecure Direct Object References (IDOR)
    • Users manipulate identifiers (like URLs or file IDs) to access data they shouldn’t.
    • Example:
      • Changing userID=100 to userID=101 in a web URL lets you see another user’s info.
  5. Excessive Permissions
    • Users have more access than needed for their job.
    • Example:
      • A marketing employee can modify finance files.

Causes of Broken Access Control

  1. Poorly configured roles and permissions.
  2. Lack of proper server-side checks (relying only on client-side checks).
  3. Hard-coded access logic that ignores dynamic checks.
  4. APIs or endpoints not properly protected.
  5. Developers assuming users will behave “correctly.”

Impact of Broken Access Control

Broken access control can lead to:

  • Data theft: Sensitive files or personal information stolen.
  • Unauthorized changes: Users modify data or system settings.
  • Privilege escalation: Users gain admin powers without authorization.
  • System compromise: Attackers gain deeper access to internal systems.

This is high-risk because it can affect confidentiality, integrity, and availability (CIA) of systems.

Mitigation and Recommended Controls

To prevent broken access control, follow these strategies:

1. Enforce Role-Based Access Control (RBAC)

  • Assign users only the permissions they need for their role (principle of least privilege).
  • Example: Marketing team cannot access HR or Finance systems.

2. Use Server-Side Enforcement

  • Always validate permissions on the server, not just on the client or frontend.
  • Example: Even if a “Delete” button is hidden in the UI, the server should reject unauthorized delete requests.

3. Deny by Default

  • Users should not have access unless explicitly granted.
  • Example: Newly created files are private by default unless shared.

4. Protect APIs and Endpoints

  • Ensure sensitive functions require proper authentication and authorization.
  • Example: /deleteUser API must only be accessible by admin roles.

5. Implement Logging and Monitoring

  • Track access attempts, especially failed or unauthorized access attempts.
  • Example: If a user tries to access an admin page, log it and alert security.

6. Avoid Hard-Coding Access

  • Don’t rely on fixed access logic in the code; use dynamic role checks.

7. Regular Access Reviews

  • Periodically review user accounts and permissions to remove unnecessary access.

8. Test for Broken Access

  • Use penetration testing and automated tools to find broken access control issues.
  • Example tools: Burp Suite, OWASP ZAP, and Nessus can test for IDOR and privilege escalation vulnerabilities.

Exam Tip

  • Remember the difference between horizontal and vertical escalation.
  • Focus on server-side validation—client-side validation alone is not enough.
  • Know examples like IDOR and excessive permissions—these often appear in scenario questions.
  • Think in terms of least privilege and deny by default for mitigation.

Key Takeaways for Students

  • Broken access control = users can do things they shouldn’t.
  • Main risks: data breaches, privilege escalation, system compromise.
  • Mitigation = least privilege, server-side enforcement, regular access reviews, and monitoring.
Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by