usd HeroLab Top 5 Vulnerabilities 2020: Broken Access Control

25. May 2021
News | Pentests & Security Analyses

During penetration tests our security analysts repeatedly uncover gateways in IT systems and applications that pose significant risks to corporate security. They increasingly identify the same vulnerabilities in different IT assets, some of which have been known for years. In our mini-series, we present our top 5 most notable vulnerabilities from 2020. Part 2: Broken Access Control

Vulnerability Background

Broken access control refers to vulnerabilities in which endpoints or functionalities in an application are not sufficiently protected by authentication or authorization mechanisms. Attackers can access these endpoints or use corresponding functionalities without having sufficient permissions to do so. One of the most common reasons for the vulnerability to occur is that only client-side validation of requests is used, while no further checking is performed on the server side.

Exemplary hacker attack and its consequences

Our example is an application that validates user requests on the client side only. The following screenshot shows a corresponding error message when a low privileged user tries to access administrative application content.

Figure 1 Access to the administration in the form of an HTTP GET request is prevented by the application
Figure 2 HTTP POST request to set a password with a non-privileged user is still executed successfully

Although a low-privileged user cannot see the administrative section of the application, he can send the request shown above to reset the password of any user. Information about the corresponding endpoint could be obtained by an attacker from internal sources, the application‘s JavaScript code, or simply by guessing.

Recommended measures

Client-side access control should never be used as the only safeguard against unauthorized access. As demonstrated above, a lack of representation within the application does not prevent an attacker from using the endpoint anyway. Only validation on the server side can prevent unauthorized use of an endpoint. This applies not only to web applications but also to desktop applications (thick clients).

Please note that this is a very general recommendation for security measures. We are happy to support you with individual solutions. Feel free to contact us.

Read more about our top 5 most notable vulnerabilities and other exciting topics in our 2020 Annual Report.

Application security | Broken Access Control | PENETRATIONSTEST | PENTEST | SICHERHEIT VON ANWENDUNGEN

Also interesting:

DORA Countdown: One Month Left Until the Deadline

DORA Countdown: One Month Left Until the Deadline

Dec 17, 2024

DORA, the Digital Operational Resilience Act, will fully apply as of 17 January 2025. We have summarized everything you need to know about the EU regulation, preparation and best practices from our news blog.

Sunset of PCI DSS v4.0 on 31 December 2024: Get Ready!

Sunset of PCI DSS v4.0 on 31 December 2024: Get Ready!

Dec 5, 2024

PCI DSS v4.0: In March 2024, version 4.0 of the Payment Card Industry Data Security Standard became mandatory after a two-year transition phase. Just a few months later, version 4.0.1 was released as a minor update of the standard, which will become mandatory on...

Top 3 Vulnerabilities in SSO Pentests

Top 3 Vulnerabilities in SSO Pentests

Nov 28, 2024

During their penetration tests (pentests), our security analysts at usd HeroLab repeatedly uncover vulnerabilities that pose significant risks to corporate security. They increasingly encounter the same vulnerabilities. Our blog series "Top 3 Vulnerabilities" presents...

Categories

Categories

#BeAware Cloud Security Customer Stories  | Cyber Defence  |  Cybersecurity Tips  |  Events & Community Financial Sector & Compliance  |  Life@usd  |  News  |  PCI -Tipps  |  PCI News Pentest Insights  |  Security Audits  |  Security Research  |  usd Updates