OWASP Top 10 Series – Broken Access Control

In this series, I will try to explain each of the security risks in the OWASP Top 10 (2021) list as simply as possible. Hopefully this can help me and others recall these concepts quickly.

Broken Access Control means exactly what it says: access control that is not working properly. A user has access to resources they are not supposed to have. A common example is a user viewing or modifying another user’s account. I encountered this during an API pentest: using the credentials of a non-admin user, I was able to send a DELETE request that removed another user’s account.

It varies case by case, but the best way to prevent this is to make sure the correct permissions are in place, and the best way to verify that is by testing.

Example: Unprotected Admin Functionality Lab from PortSwigger

Step 1 – Using my favorite forced-browsing tool, Feroxbuster, I scanned the lab page and found the unprotected admin panel: https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/administrator-panel

Note: The robots.txt also reveals the location of the admin page.

┌──(kali㉿GODHAND)-[~]
└─$ feroxbuster -u https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/ -b session=qvFd5V2w0yMhiDAVzcjzOSkgmphjS1GL --random-agent -w wordlist.txt

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.10.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/
 🚀  Threads               │ 50
 📖  Wordlist              │ wordlist.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ Random
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🤯  Header                │ Cookie: session=qvFd5V2w0yMhiDAVzcjzOSkgmphjS1GL
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
200      GET       65l      132w     3034c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/administrator-panel
404      GET        1l        2w       11c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET        2l        4w       45c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/robots.txt
200      GET       29l       60w      830c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/resources/labheader/js/labHeader.js
200      GET        1l       36w     7124c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/resources/images/shop.svg
200      GET        3l       18w      812c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/resources/images/rating5.png
200      GET        4l       27w     1041c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/resources/images/rating3.png
302      GET        0l        0w        0c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/my-account => https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/login
400      GET        1l        3w       30c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/administrator-panel/delete
200      GET      177l      498w     5401c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/resources/labheader/css/academyLabHeader.css
200      GET        5l       21w     1062c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/resources/images/rating2.png
200      GET     1235l     2813w    25811c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/resources/css/labs.css
200      GET     1270l     2900w    26543c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/resources/css/labsEcommerce.css
200      GET      103l      549w    95600c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/60.jpg
200      GET      290l     1803w   202320c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/37.jpg
200      GET      349l     1881w   245491c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/18.jpg
200      GET      409l     2295w   243825c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/74.jpg
200      GET      324l     2044w   284292c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/36.jpg
200      GET      613l     3571w   361471c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/33.jpg
200      GET      417l     2607w   279603c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/45.jpg
200      GET     1039l     5691w   499122c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/38.jpg
200      GET        3l       20w     1043c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/resources/images/rating4.png
400      GET        1l        3w       30c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/product
200      GET        3l       15w      979c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/resources/images/rating1.png
200      GET      235l     1397w   177148c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/32.jpg
200      GET      480l     2845w   322767c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/62.jpg
200      GET      309l     1858w   233538c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/28.jpg
200      GET      264l     1875w   218953c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/6.jpg
200      GET      455l     2787w   300027c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/58.jpg
200      GET      558l     3425w   343710c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/13.jpg
200      GET      497l     3031w   340269c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/5.jpg
200      GET      645l     3930w   387227c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/72.jpg
200      GET      523l     3237w   334452c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/59.jpg
200      GET      755l     4353w   420708c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/4.jpg
200      GET      695l     4292w   416184c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/3.jpg
200      GET     1779l     8924w   813667c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/30.jpg
200      GET      197l      401w    10553c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/
[####################] - 5s        49/49      0s      found:23      errors:0
[####################] - 4s         5/5       1/s     https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/

Step 2 – I visited the admin panel and was able to delete the user called Carlos to solve the lab. This is an extreme example of broken access control, BTW.
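As an added example (not code from this post, the lab, or PortSwigger), here is a minimal, dependency-free Python model of the two failures described above: an admin panel reachable by any logged-in user, and a DELETE that removes another user's account. The user names, ids and route paths are assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed user store for the example: user id -> profile (assumed names)
USERS = {
    1: {"name": "administrator", "is_admin": True},
    2: {"name": "wiener", "is_admin": False},
    3: {"name": "carlos", "is_admin": False},
}


@dataclass
class Request:
    method: str
    path: str
    session_user: int  # id of the authenticated user, taken from a validated session


def handle_vulnerable(req, users):
    """Broken access control: the server only checks that *someone* is logged in.
    Any authenticated user can open the admin panel and delete any account."""
    if req.session_user not in users:
        return 401, "login required"
    if req.path == "/administrator-panel":
        return 200, "admin panel"  # no role check at all
    if req.method == "DELETE" and req.path.startswith("/users/"):
        target = int(req.path.rsplit("/", 1)[1])
        users.pop(target, None)  # no check that the caller may delete this account
        return 200, f"deleted {target}"
    return 404, "not found"


def handle_fixed(req, users):
    """Fixed: every request is authorized on the server against the caller's
    identity, not merely authenticated. Admin routes require is_admin; deleting
    an account requires being its owner or an admin. Anything else is denied."""
    caller = users.get(req.session_user)
    if caller is None:
        return 401, "login required"
    if req.path == "/administrator-panel":
        if not caller["is_admin"]:
            return 403, "forbidden"  # an unlisted URL is not a control; enforce the role
        return 200, "admin panel"
    if req.method == "DELETE" and req.path.startswith("/users/"):
        target = int(req.path.rsplit("/", 1)[1])
        if target not in users:
            return 404, "not found"
        if target != req.session_user and not caller["is_admin"]:
            return 403, "forbidden"  # object-level check: owner or admin only
        users.pop(target)
        return 200, f"deleted {target}"
    return 404, "not found"
```

The fixed handler is the kind of per-request, server-side check the post recommends, and the two handlers side by side are what a permissions test should exercise: the same non-admin session must get 403 on the admin panel and on another user's DELETE.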