A01:2021 – Broken Access Control
Factors
CWEs Mapped | Max Incidence Rate | Avg Incidence Rate | Avg Weighted Exploit | Avg Weighted Impact | Max Coverage | Avg Coverage | Total Occurrences | Total CVEs |
---|---|---|---|---|---|---|---|---|
34 | 55.97% | 3.81% | 6.92 | 5.93 | 94.55% | 47.72% | 318,487 | 19,013 |
Overview
Moving up from the fifth position, 94% of applications were tested for some form of broken access control, with an average incidence rate of 3.81%, and it has the most occurrences in the contributed dataset with over 318k. Notable Common Weakness Enumerations (CWEs) included are CWE-200: Exposure of Sensitive Information to an Unauthorized Actor, CWE-201: Insertion of Sensitive Information Into Sent Data, and CWE-352: Cross-Site Request Forgery.
Description
Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data, or to performing a business function outside the user's limits. Common access control vulnerabilities include:
- Violation of the principle of least privilege or deny by default, where access should only be granted for particular capabilities, roles, or users, but is available to anyone.
- Bypassing access control checks by modifying the URL (parameter tampering or force browsing), internal application state, or the HTML page, or by using an attack tool to modify API requests.
- Permitting viewing or editing someone else's account by providing its unique identifier (insecure direct object references).
- Accessing an API with missing access controls for POST, PUT and DELETE.
- Elevation of privilege: acting as a user without being logged in, or acting as an admin when logged in as a user.
- Metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) access control token, or a cookie or hidden field manipulated to elevate privileges, or abusing JWT invalidation.
- CORS misconfiguration that allows API access from unauthorized/untrusted origins.
- Force browsing to authenticated pages as an unauthenticated user, or to privileged pages as a standard user.
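The JWT metadata-manipulation item above does not require the attacker to know the signing key; it only requires a server that trusts the token's contents without checking them. The example below is added for this page (it is not OWASP code) and contrasts the two server-side behaviours: a handler that merely base64-decodes the payload accepts a token whose role claim was rewritten, and an unsigned token whose header declares alg=none, while a verifier that pins the algorithm, recomputes the HS256 HMAC and enforces a short exp rejects both. The key, claims and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: a demo HMAC key. Real deployments keep this out of source.
SECRET_KEY = b"demo-only-server-secret"


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64(obj):
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def issue_token(claims, key=SECRET_KEY):
    """Mint an HS256 JWT: base64url(header).base64url(payload).base64url(hmac)."""
    signing_input = _json_b64({"alg": "HS256", "typ": "JWT"}) + "." + _json_b64(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def decode_unverified(token):
    """The vulnerable pattern: read the payload and trust whatever it says."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def verify_token(token, key=SECRET_KEY, now=None):
    """Hardened check: pinned algorithm, constant-time HMAC compare, mandatory exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the token never gets to choose the algorithm
        raise PermissionError("unexpected alg")
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise PermissionError("missing or expired exp")
    return claims


def tamper_role(token, new_role):
    """Attacker step 1: rewrite the claims, keep the original (now mismatching) signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["role"] = new_role
    return header_b64 + "." + _json_b64(claims) + "." + sig_b64


def alg_none_token(claims):
    """Attacker step 2: an unsigned token whose header declares alg=none."""
    return _json_b64({"alg": "none", "typ": "JWT"}) + "." + _json_b64(claims) + "."


def is_admin_vulnerable(token):
    """Authorization decision built on the unverified payload."""
    return decode_unverified(token).get("role") == "admin"


def is_admin_hardened(token, now=None):
    """Authorization decision built only on a verified, unexpired token."""
    try:
        return verify_token(token, now=now).get("role") == "admin"
    except (PermissionError, ValueError):
        return False
```

The `now` parameter exists so the expiry check can be exercised deterministically; in production it defaults to the clock. Note that the hardened path rejects a token that is otherwise valid once `exp` passes, which is the property the "short-lived JWT" advice later on this page relies on.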
How to Prevent
Access control is only effective in trusted server-side code or server-less API, where the attacker cannot modify the access control check or metadata.
- Except for public resources, deny by default.
- Implement access control mechanisms once and re-use them throughout the application, including minimizing Cross-Origin Resource Sharing (CORS) usage.
- Model access controls should enforce record ownership rather than accepting that the user can create, read, update, or delete any record.
- Unique application business limit requirements should be enforced by domain models.
- Disable web server directory listing and ensure file metadata (e.g., .git) and backup files are not present within web roots.
- Log access control failures, alert admins when appropriate (e.g., repeated failures).
- Rate limit API and controller access to minimize the harm from automated attack tooling.
- Stateful session identifiers should be invalidated on the server after logout. Stateless JWT tokens should rather be short-lived so that the window of opportunity for an attacker is minimized. For longer lived JWTs it's highly recommended to follow the OAuth standards to revoke access.
Developers and QA staff should include functional access control unit and integration tests.
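Several of the items above (deny by default, one reusable mechanism, logging and alerting on failures, rate limiting) fit naturally into a single authorization gate that every route passes through. The following is an added example written for this page, not OWASP code: routes must be registered with the permission they need and permissions with the roles that hold them, so an unregistered route or an unlisted role is denied rather than allowed; every denial is logged, repeated denials by one caller raise an alert, and a sliding-window limiter throttles each caller. The route names reuse the page's Scenario #2 URLs; the permission names, threshold and class names are constructed.

```python
import logging
from collections import Counter, defaultdict, deque

log = logging.getLogger("authz")

# Permission -> roles that hold it. No entry means nobody holds it (deny by default).
PERMISSIONS = {
    "app:read": {"user", "admin"},
    "admin:read": {"admin"},
}

# Route -> permission it requires. Routes not registered here are denied, which is
# what stops forced browsing to a forgotten or "hidden" endpoint from succeeding.
ROUTE_PERMISSIONS = {
    "/app/getappInfo": "app:read",
    "/app/admin_getappInfo": "admin:read",
}

ALERT_AFTER_FAILURES = 3  # assumed threshold for alerting on repeated denials


class Principal:
    def __init__(self, user_id, roles=()):
        self.user_id = user_id  # None for an unauthenticated caller
        self.roles = frozenset(roles)


ANONYMOUS = Principal(None)


class RateLimiter:
    """Sliding-window counter per key; keys are user ids or the client address."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = defaultdict(deque)

    def allow(self, key, now):
        hits = self._hits[key]
        while hits and hits[0] <= now - self.window:
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


class Authorizer:
    """The one place access decisions are made; controllers call authorize() and nothing else."""

    def __init__(self, limiter):
        self.limiter = limiter
        self.failures = Counter()  # repeated-failure tracking per caller

    def _deny(self, key, route, reason):
        self.failures[key] += 1
        log.warning("access denied caller=%s route=%s reason=%s", key, route, reason)
        if self.failures[key] >= ALERT_AFTER_FAILURES:
            log.error("ALERT repeated access-control failures caller=%s count=%d",
                      key, self.failures[key])
        return False

    def authorize(self, principal, route, now, client_addr="0.0.0.0"):
        """Return True only when an explicit rule grants this caller this route."""
        key = principal.user_id or "anon:" + client_addr
        if not self.limiter.allow(key, now):
            return self._deny(key, route, "rate limited")
        permission = ROUTE_PERMISSIONS.get(route)
        if permission is None:
            return self._deny(key, route, "unregistered route")
        if principal.user_id is None:
            return self._deny(key, route, "unauthenticated")
        if not (principal.roles & PERMISSIONS.get(permission, set())):
            return self._deny(key, route, "missing " + permission)
        return True
```

The rate limit is applied before the permission check on purpose: an automated scan for reachable admin routes is throttled even while every individual request is being denied. The `failures` counter is what a "repeated failures" alert would key on; the example logs it, a real deployment would ship it to whatever the operations team watches.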
Example Attack Scenarios
Scenario #1: The application uses unverified data in a SQL call that is accessing account information:
```java
// Parameterised, so not SQL injection; the flaw is that the account id comes
// straight from the request with no check that it belongs to the caller.
pstmt.setString(1, request.getParameter("acct"));
ResultSet results = pstmt.executeQuery();
```
An attacker simply modifies the browser's 'acct' parameter to send whatever account number they want. If not correctly verified, the attacker can access any user's account.
https://example.com/app/accountInfo?acct=notmyacct
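Scenario #1 is worth seeing end to end, because the query is already parameterised and a SQL-injection review would pass it. The following added example (written for this page, not OWASP code) rebuilds the scenario against an in-memory SQLite table with two owners: the vulnerable handler returns whichever account the URL names, while the fixed handler makes record ownership part of the lookup so a foreign account id yields nothing. The table, account ids and owner names are constructed; the URL shape is the page's.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit


def build_demo_db():
    """Constructed data: two accounts belonging to two different users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (acct TEXT PRIMARY KEY, owner_id TEXT NOT NULL, balance INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO accounts (acct, owner_id, balance) VALUES (?, ?, ?)",
        [("acct-1001", "alice", 500), ("acct-2002", "bob", 9000)],
    )
    return conn


def acct_param(url):
    """Extract the 'acct' query parameter exactly as the handler would see it."""
    return parse_qs(urlsplit(url).query).get("acct", [None])[0]


def account_info_vulnerable(conn, url):
    """Same shape as Scenario #1: a parameterised query (so no SQL injection) that
    still hands back whichever account the caller names."""
    acct = acct_param(url)
    return conn.execute(
        "SELECT acct, owner_id, balance FROM accounts WHERE acct = ?", (acct,)
    ).fetchone()


def account_info_fixed(conn, session_user, url):
    """Ownership is enforced in the data access itself: the row must belong to the
    authenticated session user. A foreign account id returns None, which the
    controller maps to a 404; not distinguishing "exists but not yours" from
    "does not exist" also avoids confirming valid account numbers to a scanner."""
    acct = acct_param(url)
    return conn.execute(
        "SELECT acct, owner_id, balance FROM accounts WHERE acct = ? AND owner_id = ?",
        (acct, session_user),
    ).fetchone()
```

The important detail is where `session_user` comes from: it is taken from the server-side session or verified token, never from the request, so the only thing the attacker controls is `acct`, and that value alone can no longer select another user's row.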
Scenario #2: An attacker simply force browses to target URLs. Admin rights are required for access to the admin page.
https://example.com/app/getappInfo
https://example.com/app/admin_getappInfo
If an unauthenticated user can access either page, it's a flaw. If a non-admin can access the admin page, this is a flaw.
References
List of Mapped CWEs
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-23 Relative Path Traversal
CWE-35 Path Traversal: '.../...//'
CWE-59 Improper Link Resolution Before File Access ('Link Following')
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-201 Exposure of Sensitive Information Through Sent Data
CWE-219 Storage of File with Sensitive Data Under Web Root
CWE-264 Permissions, Privileges, and Access Controls (should no longer be used)
CWE-276 Incorrect Default Permissions
CWE-284 Improper Access Control
CWE-285 Improper Authorization
CWE-352 Cross-Site Request Forgery (CSRF)
CWE-359 Exposure of Private Personal Information to an Unauthorized Actor
CWE-377 Insecure Temporary File
CWE-402 Transmission of Private Resources into a New Sphere ('Resource Leak')
CWE-425 Direct Request ('Forced Browsing')
CWE-441 Unintended Proxy or Intermediary ('Confused Deputy')
CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere
CWE-538 Insertion of Sensitive Information into Externally-Accessible File or Directory
CWE-540 Inclusion of Sensitive Information in Source Code
CWE-548 Exposure of Information Through Directory Listing
CWE-552 Files or Directories Accessible to External Parties
CWE-566 Authorization Bypass Through User-Controlled SQL Primary Key
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
CWE-639 Authorization Bypass Through User-Controlled Key
CWE-651 Exposure of WSDL File Containing Sensitive Information
CWE-668 Exposure of Resource to Wrong Sphere
CWE-706 Use of Incorrectly-Resolved Name or Reference
CWE-863 Incorrect Authorization
CWE-913 Improper Control of Dynamically-Managed Code Resources