Why broken access control is the most severe vulnerability

Introduction
Imagine that your friend Bob creates a website, and you and Alice create an account on the website out of love and care for your friend. The website implements role-based features, meaning that Bob is the admin and can add, delete, modify products, and delete users who act maliciously. On the other hand, you and Alice have a user role and can only view the products and add them to your cart for further checkout.
But tinkering around with the web application, you realize that you can view Alice’s cart.
Because you can view Alice’s cart even though you should not have access to it, this is referred to as Broken Access Control.
Before we move on to the vulnerability, let’s discuss what access controls are and why they are used.
Access control, also called authorization, constrains who can perform which actions. These constraints can be role-based or resource-based. For example, in the case of our hypothetical website, neither Alice nor you should be able to delete each other’s accounts or view each other’s carts.
But since you could view Alice’s cart, this is an instance of Broken Access Control.
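To make the difference concrete, here is an added example (not code from the original article) of a tiny cart service: the broken handler returns whatever cart the request names, while the fixed handler ties the decision to the session identity (resource-based) and the role (role-based). The users, roles and carts are constructed sample data.

```python
# Added example, not from the original article: a minimal cart service with the
# broken check the story describes beside a corrected version (constructed data).
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    role: str  # "admin" or "user"

# Bob runs the site; Alice and "you" are ordinary users.
USERS = {u.name: u for u in (User("bob", "admin"), User("alice", "user"), User("you", "user"))}
CARTS = {"bob": [], "alice": ["book"], "you": ["headphones"]}

class Forbidden(Exception):
    """Raised when the requester may not perform the action."""

def view_cart_broken(requester: str, cart_owner: str) -> list:
    """Vulnerable: checks only that the requester is logged in, then returns
    whichever cart the request names, so any user can read any other cart."""
    if requester not in USERS:
        raise Forbidden("login required")
    return CARTS[cart_owner]

def view_cart_fixed(requester: str, cart_owner: str) -> list:
    """Fixed: resource-based check tied to the session identity. Only the
    cart's owner (or the admin) may read it; everything else is denied."""
    user = USERS.get(requester)
    if user is None:
        raise Forbidden("login required")
    if user.role != "admin" and requester != cart_owner:
        raise Forbidden("not your cart")
    return CARTS[cart_owner]

def delete_user(requester: str, target: str) -> bool:
    """Role-based check: only the admin role may delete accounts."""
    user = USERS.get(requester)
    if user is None or user.role != "admin":
        raise Forbidden("admin role required")
    USERS.pop(target, None)
    CARTS.pop(target, None)
    return True

def outcome(fn, *args) -> str:
    """'allowed' or 'denied' for the given call, for quick checks."""
    try:
        fn(*args)
        return "allowed"
    except Forbidden:
        return "denied"
```

Note that the fixed version never trusts the `cart_owner` value on its own; the server compares it against who is actually logged in, which is the check the broken version is missing.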
Why does Broken Access Control occur?

Broken Access control can occur due to various reasons. Some of them are:
- When the application is misconfigured.
Instead of designing an application from the ground up, developers nowadays rely on frameworks to reduce their workload and make their jobs more efficient. However, it is frequently the case that the developer does not fully understand how the framework works and therefore misconfigures it during deployment. Whether or not a framework is used, it is easy to make mistakes while configuring a website if the user roles are not clearly defined. If the user roles are not defined appropriately, or if they carry excessive permissions, this will occur regardless of what is displayed on the user interface. It…