Understanding Broken Access Control (BAC)

Broken Access Control (BAC) is a significant vulnerability type where unauthorized users gain access to sensitive features or data within an application. This flaw often arises when there are insufficient permission checks or when the application fails to restrict user access appropriately.

BAC is a prevalent issue due to its complexity and the bespoke nature of the permissions framework in many applications. Despite advancements in secure coding practices, BAC vulnerabilities remain prevalent, currently topping the OWASP Top Ten list. Understanding and detecting these vulnerabilities is crucial for enhancing application security.

Illustrative Examples of BAC

• Unauthorized Viewing on E-commerce Platforms: Consider an online store's URL structure like /users/482, where a user can change 482 to another number, gaining access to someone else's data. This instance illustrates a BAC issue, often resulting in significant data breaches.

• Unauthorized Transactions in Banking: Imagine altering a bank transfer request to make it seem like it originates from another account. This example shows how attackers can exploit BAC to perform unauthorized financial transactions.

BAC vs. IDOR

Insecure Direct Object Reference (IDOR) is a subset of BAC, where the attacker can access a resource by directly altering its identifier. However, not all BAC issues are IDORs. For instance, privilege escalation or HTTP verb tampering also count as BAC vulnerabilities but are distinct from IDOR.

The Persistence of BAC Issues

Despite being well-documented, BAC issues are difficult to eliminate. This persistence is due to the complexity of defining clear, consistent access-control rules across diverse application functions. As developers focus on prevention, BAC bugs are still discovered by dedicated security researchers, often yielding substantial bug bounties.

Common Identifiers Leading to BAC

• User-Chosen: Simple identifiers like usernames or email addresses.
• Natural Keys: Data inherent identifiers, such as social security numbers.
• Composite Keys: A combination of several fields to create a unique identifier.
• Numeric Identifiers: Sequentially assigned numbers, prone to exploitation through simple modification.
• UUIDs and Hashes: More secure options, like universally unique identifiers or file hashes, are harder to exploit unless identifiers are leaked.

Techniques for Identifying BAC

• Permissions Mapping: Create a comprehensive map of user roles and actions to detect vulnerabilities by checking if any unauthorized users can perform restricted actions.

• Tools like Autorize: Utilize tools that replay requests to identify discrepancies in access permissions, assisting in the detection of unauthorized access paths.

Concluding Thoughts

Broken Access Control vulnerabilities continue to be a major issue in application security, demanding constant vigilance and thorough testing. For aspiring security researchers, mastering BAC offers a rewarding entry point into the world of bug hunting. Dive into these challenges, armed with knowledge and curiosity, and contribute to a safer digital world.

For more detailed insights, refer to the original article from HackerOne.