Broken Access Control

1. Definition

Broken Access Control allows attackers to bypass authorization and perform tasks as though they were privileged users (Admin) or different users.

It is currently the #1 Vulnerability in the OWASP Top 10 (2021). It covers:

• Vertical Privilege Escalation: User becomes Admin.
• Horizontal Privilege Escalation: User A accesses User B’s data (IDOR).
• Bypassing Controls: Accessing API endpoints directly without UI checks.

2. Technical Explanation

Access Control Design decisions must be enforced in code. Vulnerabilities arise when:

1. “Security through Obscurity”: Hiding the “Admin” button in the UI but leaving the API endpoint /api/admin/deleteUser accessible to anyone.
2. Missing Global Policy: Developers manually add checks in some controllers but forget others.
3. Client-Side Trust: Relying on the browser (e.g., <input type="hidden" name="role" value="user">) to tell the server what the user’s role is.

3. Attack Flow (Vertical Escalation)

sequenceDiagram
    participant Attacker
    participant API
    participant DB

    Attacker->>API: POST /login (Role: User)
    API-->>Attacker: 200 OK (Token: role=user)

    Note over Attacker: Attacker guesses Admin URL

    Attacker->>API: DELETE /users/555
    Note right of API: Code checks if user is logged in.<br/>BUT forgets to check if Role == Admin.
    
    API->>DB: Delete User 555
    DB-->>API: Success
    API-->>Attacker: 200 OK (User Deleted)

4. Real-World Case Study: Facebook “View As” (2018)

Target: Facebook. Vulnerability Class: Complex Access Control Logic Failure. Impact: 50 million accounts compromised.

The Logic Bug: Facebook had a “View As” feature to let users see how their profile looked to others. It interacted with a “Video Uploader” feature.

1. When User A used “View As” to view User B, the Video Uploader incorrectly generated an Access Token for User B (the person being viewed) instead of User A (the viewer).
2. The access control logic failed to context-switch properly during this specific feature interaction.
3. Attackers used this token to take over User B’s account completely.

Lesson: Complex state interactions often hide access control bugs that unit tests miss.

5. Detailed Defense Strategies

A. Deny by Default (Centralized Policy)

Do not rely on developers remembering to add isAdmin() checks.

• Architecture: Use a centralized middleware or API Gateway that denies all access unless a specific role is present.

  // Safe Pattern (Node.js)
  router.use('/admin', requireRole('ADMIN')); // Applies to ALL /admin routes

B. Model-Based Access Control

Enforce permissions at the Data Model layer, not just the Controller.

• Even if a Controller forgets the check, the Database Access Layer (DAL) should refuse to delete a record if the currentUser context lacks permission.

C. Do Not Trust Client State

Never accept role, isAdmin, or pricing parameters from the client body or cookies that are not cryptographically signed. Always look up the user’s rights from the session/database on the server.

D. Integration Testing

Write specific test cases for Negative Authorization:

• “Ensure User cannot access Admin route” (Should return 403).
• “Ensure User A cannot edit User B”.

6. References

• OWASP Top 10:2021 A01 Broken Access Control
• Facebook Security Update on “View As” Vulnerability
• OWASP Access Control Cheat Sheet