OWASP A01:2021 - Broken Access Control

Overview

Broken Access Control is the #1 vulnerability in the OWASP Top 10 2021, moving up from the 5th position in 2017. This category represents failures in enforcing policies such that users cannot act outside of their intended permissions.

Risk Rating: High CWE Mappings: 34 CWEs mapped to this category Prevalence: 94% of applications tested had some form of broken access control

What is Access Control?

Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of data, or performing business functions outside the user's limits.

Common Vulnerabilities

1. Vertical Privilege Escalation

• Description: Lower-privileged users gain access to higher-privileged functions

• Example: Regular user accessing admin panel via direct URL manipulation

2. Horizontal Privilege Escalation

• Description: Users access resources belonging to other users at the same privilege level

• Example: User A accessing User B's account data by changing account ID parameter

3. Insecure Direct Object References (IDOR)

• Description: Application provides direct access to objects based on user-supplied input

• Example: /download?file=../../../etc/passwd

4. Missing Function Level Access Control

• Description: UI hides functions but server-side access control is missing

• Example: Admin functions accessible via direct API calls

5. CORS Misconfigurations

• Description: Overly permissive Cross-Origin Resource Sharing policies

• Example: Access-Control-Allow-Origin: * with credentials

Testing Methodology

1. Reconnaissance Phase

• Identify user roles and access levels

• Map application functionality and endpoints

• Analyze client-side code for hidden functions

• Review API documentation if available

2. Authentication Bypass Testing

# Test for authentication bypass
curl -X GET "https://target.com/admin" -H "User-Agent: Mozilla/5.0"

# Test with common bypass headers
curl -X GET "https://target.com/admin" -H "X-Forwarded-For: 127.0.0.1"
curl -X GET "https://target.com/admin" -H "X-Real-IP: 127.0.0.1"
curl -X GET "https://target.com/admin" -H "X-Originating-IP: 127.0.0.1"

3. Parameter Manipulation Testing

# IDOR testing - change user IDs
GET /user/profile?id=1234 → /user/profile?id=1235

# Test different formats
GET /user/profile?id=1234 → /user/profile?id=01234
GET /user/profile?id=1234 → /user/profile?id=1234.0

4. HTTP Method Testing

# Test different HTTP methods
curl -X POST "https://target.com/admin/users" -d "action=delete&id=123"
curl -X PUT "https://target.com/admin/users/123" -d "role=admin"
curl -X PATCH "https://target.com/admin/users/123" -d "role=admin"

5. Path Traversal Testing

# Directory traversal attempts
GET /download?file=../../../../etc/passwd
GET /download?file=....//....//....//etc/passwd
GET /download?file=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd

Common Attack Vectors

1. URL Manipulation

• Direct access to admin URLs: /admin, /administrator, /manage

• Parameter tampering: user_id=1 → user_id=2

• Path traversal: ../../../sensitive_file

2. Cookie/Session Manipulation

• Role manipulation: role=user → role=admin

• Privilege escalation via session data

• JWT token manipulation

3. HTTP Header Manipulation

X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Forwarded-Host: localhost
X-Original-URL: /admin
X-Rewrite-URL: /admin

4. API Endpoint Discovery

• Swagger/OpenAPI endpoints: /api/docs, /swagger-ui

• GraphQL introspection queries

• REST API fuzzing for undocumented endpoints

Tools and Techniques

Automated Tools

• Burp Suite Professional: Access control testing extensions

• OWASP ZAP: Access Control Testing add-on

• AuthMatrix: Burp extension for access control testing

• Autorize: Burp extension for authorization testing

Manual Testing Tools

# Directory and file enumeration
dirb https://target.com /usr/share/dirb/wordlists/common.txt
gobuster dir -u https://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

# API endpoint discovery
python3 -c "import requests; print([r.url for r in requests.get('https://target.com/api/docs').json()])"

Exploitation Examples

Example 1: IDOR in User Profiles

# Normal request
GET /api/users/me
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...

# IDOR attempt
GET /api/users/1
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...

Example 2: Function Level Access Control Bypass

# UI shows regular user interface, but admin functions accessible via API
POST /api/admin/users
Content-Type: application/json
Authorization: Bearer <regular_user_token>

{
  "username": "newadmin",
  "role": "administrator"
}

Example 3: File Access Control Bypass

# Normal file download
GET /download?file=user_document.pdf

# Path traversal attempt
GET /download?file=../../../etc/passwd
GET /download?file=..%2f..%2f..%2fetc%2fpasswd

Impact Assessment

Business Impact

• Data Breach: Unauthorized access to sensitive customer data

• Financial Loss: Unauthorized transactions or system manipulation

• Compliance Violations: GDPR, HIPAA, PCI-DSS violations

• Reputation Damage: Loss of customer trust

Technical Impact

• Complete system compromise

• Data exfiltration

• Privilege escalation

• Lateral movement within network

Prevention and Mitigation

1. Implement Proper Access Controls

• Deny by default principle

• Implement role-based access control (RBAC)

• Use attribute-based access control (ABAC) for complex scenarios

2. Server-Side Enforcement

# Example: Proper server-side access control
@app.route('/admin/users')
@require_role('administrator')
def manage_users():
    if not current_user.has_role('administrator'):
        return abort(403)
    return render_template('admin/users.html')

3. Input Validation and Sanitization

# Example: Safe parameter handling
def get_user_profile(user_id):
    # Validate user owns the profile or has admin rights
    if current_user.id != user_id and not current_user.is_admin():
        return abort(403)
    return User.query.get_or_404(user_id)

4. Security Headers

# Implement security headers
Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains

Testing Checklist

Pre-Testing

• Identify all user roles and privilege levels

• Map application functionality per role

• Document authentication mechanisms

• Identify session management implementation

During Testing

• Test vertical privilege escalation

• Test horizontal privilege escalation

• Verify direct object reference controls

• Test function-level access controls

• Check for authentication bypass

• Test HTTP method tampering

• Verify file/directory access controls

• Test API endpoint access controls

Post-Testing

• Document all access control failures

• Assess business impact of findings

• Provide remediation recommendations

• Create proof-of-concept exploits

Reporting Template

Finding: Broken Access Control - [Specific Issue]

Severity: High/Critical CVSS Score: [Calculate based on impact]

Description: [Detailed description of the access control failure]

Steps to Reproduce:

1. [Step-by-step reproduction]

2. [Include request/response examples]

3. [Screenshots if applicable]

Impact: [Business and technical impact]

Recommendation: [Specific remediation steps]

References:

• OWASP Top 10 A01:2021

• CWE-22: Path Traversal

• CWE-639: Authorization Bypass

---

This reference guide is part of a comprehensive OWASP Top 10 penetration testing series. For more detailed exploitation techniques and advanced testing methodologies, refer to the complete blog series.