Broken Access Control (BAC) is a common website vulnerability that allows attackers to access pages, endpoints or resources they should not be able to reach. In 2021 OWASP rated Broken Access Control as the Number 1 vulnerability. It will remain one of the most common and concerning vulnerabilities because the protection has to be implemented manually, can be complicated, and can be forgotten.
One way to think about Broken Access Control is with the analogy of a lock on a door. If the lock was not installed correctly, the lock is weak, it is not working correctly, or the lock was accidentally forgotten, then that is Broken Access Control.
The reason it can be complicated is usually down to how the code is structured, or to access rules that have to grant something to some people but not to others in a complicated way.
Broken Access Control is sometimes referred to as IDOR (Insecure Direct Object Reference), because IDOR is Broken Access Control with a direct reference. The direct reference is typically a number that can simply be changed to access a different resource on a page or endpoint. Combined with Broken Access Control, this means every object can be reached by trying all the numbers from 1 to 1 million.
The way to fix Broken Access Control is to check that access has actually been granted. This means checking that the user is authenticated (user/pass/2FA) and that this authenticated user is allowed to access the page, endpoint or resource being requested.
In code this can be as simple as a single "if" that checks whether the USER has an access ROLE, is part of a GROUP/ENTITY, or has the assigned PERMISSIONS.
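As an added illustration (not code from the original post), the example below shows an endpoint handler with the IDOR-style Broken Access Control described above next to the fixed version that performs the authentication check and the single "if" ownership/role check. It assumes a constructed in-memory invoice store and simple User/Invoice records; the `count_exposed` helper is a regression-style check of how many records each handler hands out to one user.

```python
from dataclasses import dataclass

# Constructed sample data (not from the post): two customers, three invoices.
@dataclass
class User:
    user_id: int
    role: str                 # "customer" or "admin"
    authenticated: bool = True

@dataclass
class Invoice:
    invoice_id: int
    owner_id: int
    total: float

INVOICES = {
    1: Invoice(1, owner_id=10, total=120.0),
    2: Invoice(2, owner_id=11, total=75.5),
    3: Invoice(3, owner_id=10, total=9.99),
}

class AccessDenied(Exception):
    """Raised when the caller is not authenticated (would map to HTTP 401)."""

def get_invoice_idor(user, invoice_id):
    """VULNERABLE: the number from the URL is used directly as the lookup key.
    No authentication or ownership check, so changing invoice_id reads
    every customer's invoice. This is the Broken Access Control / IDOR case."""
    return INVOICES.get(invoice_id)

def get_invoice(user, invoice_id):
    """FIXED: first check the caller is authenticated, then check that this
    user is allowed to see THIS invoice (owner, or a privileged role)."""
    if user is None or not user.authenticated:
        raise AccessDenied("authentication required")
    invoice = INVOICES.get(invoice_id)
    # Treat "not yours" the same as "does not exist" (both a 404) so the
    # response does not confirm which ids are valid.
    if invoice is None or (user.role != "admin" and invoice.owner_id != user.user_id):
        return None
    return invoice

def count_exposed(user, handler, id_range=range(1, 101)):
    """Defender-side check: which invoice ids does `handler` return to `user`?
    The vulnerable handler returns every record; the fixed one only the user's own."""
    exposed = []
    for invoice_id in id_range:
        try:
            invoice = handler(user, invoice_id)
        except AccessDenied:
            continue
        if invoice is not None:
            exposed.append(invoice.invoice_id)
    return exposed
```

Running `count_exposed` against both handlers for the same customer makes the difference concrete: the vulnerable version leaks all three invoices, the fixed version returns only the one the customer owns.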
We find Broken Access Control more than 70% of the time during our Website Penetration Tests. We therefore expect that most websites have Broken Access Control vulnerabilities.