In this series, I will try to explain each of the security risks in the OWASP Top 10 (2021) list as simply as possible. Hopefully this helps me and others recall these concepts quickly.
Broken Access Control means exactly what it says: access control that does not work properly, so a user can reach resources or perform actions they are not supposed to. A common example is a user viewing or modifying another user's account (horizontal privilege escalation); another is a normal user reaching admin-only functionality (vertical privilege escalation). I encountered this during an API pentest: using the credentials of a non-admin user, I was able to send a DELETE request that removed another user's account.
It varies case by case, but the core of prevention is enforcing permissions on the server for every request: deny by default, decide from the caller's server-side session and role rather than from anything the client supplies (a URL, a hidden parameter, a user ID in the request), and apply the same checks to the API as to the UI. The only way to know the checks are actually in place is to test them: exercise each privileged action with no session and with a low-privilege account, and treat any success as a finding.
Example: Unprotected Admin Functionality lab from PortSwigger
Step 1 – Using my favorite forced-browsing tool, Feroxbuster, I scanned the lab page and found the unprotected admin panel: https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/administrator-panel
Note: robots.txt also reveals the location of the admin page. A Disallow entry only asks well-behaved crawlers to stay away; to an attacker it is a hint, not an access control.
┌──(kali㉿GODHAND)-[~]
└─$ feroxbuster -u https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/ -b session=qvFd5V2w0yMhiDAVzcjzOSkgmphjS1GL --random-agent -w wordlist.txt
by Ben "epi" Risher 🤓 ver: 2.10.0
───────────────────────────┬──────────────────────
🎯 Target Url │ https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/
🚀 Threads │ 50
📖 Wordlist │ wordlist.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ Random
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🤯 Header │ Cookie: session=qvFd5V2w0yMhiDAVzcjzOSkgmphjS1GL
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
200 GET 65l 132w 3034c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/administrator-panel
404 GET 1l 2w 11c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 2l 4w 45c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/robots.txt
200 GET 29l 60w 830c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/resources/labheader/js/labHeader.js
200 GET 1l 36w 7124c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/resources/images/shop.svg
200 GET 3l 18w 812c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/resources/images/rating5.png
200 GET 4l 27w 1041c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/resources/images/rating3.png
302 GET 0l 0w 0c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/my-account => https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/login
400 GET 1l 3w 30c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/administrator-panel/delete
200 GET 177l 498w 5401c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/resources/labheader/css/academyLabHeader.css
200 GET 5l 21w 1062c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/resources/images/rating2.png
200 GET 1235l 2813w 25811c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/resources/css/labs.css
200 GET 1270l 2900w 26543c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/resources/css/labsEcommerce.css
200 GET 103l 549w 95600c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/60.jpg
200 GET 290l 1803w 202320c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/37.jpg
200 GET 349l 1881w 245491c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/18.jpg
200 GET 409l 2295w 243825c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/74.jpg
200 GET 324l 2044w 284292c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/36.jpg
200 GET 613l 3571w 361471c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/33.jpg
200 GET 417l 2607w 279603c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/45.jpg
200 GET 1039l 5691w 499122c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/38.jpg
200 GET 3l 20w 1043c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/resources/images/rating4.png
400 GET 1l 3w 30c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/product
200 GET 3l 15w 979c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/resources/images/rating1.png
200 GET 235l 1397w 177148c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/32.jpg
200 GET 480l 2845w 322767c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/62.jpg
200 GET 309l 1858w 233538c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/28.jpg
200 GET 264l 1875w 218953c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/6.jpg
200 GET 455l 2787w 300027c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/58.jpg
200 GET 558l 3425w 343710c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/13.jpg
200 GET 497l 3031w 340269c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/5.jpg
200 GET 645l 3930w 387227c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/72.jpg
200 GET 523l 3237w 334452c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/59.jpg
200 GET 755l 4353w 420708c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/4.jpg
200 GET 695l 4292w 416184c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/3.jpg
200 GET 1779l 8924w 813667c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/image/productcatalog/products/30.jpg
200 GET 197l 401w 10553c https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/
[####################] - 5s 49/49 0s found:23 errors:0
[####################] - 4s 5/5 1/s https://0ae2003b035ed2ed8125bbad003a00e0.web-security-academy.net/
Step 2 – I visited the admin panel and was able to delete the user called Carlos to solve the lab. This is an extreme example of broken access controls, by the way.
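To show what "permissions in place" and "testing them" look like in code, here is an added example (written for this page, not code from the post or from the PortSwigger lab). It models the two failures above in a tiny request handler: an admin panel protected only by an unknown URL (the vertical case from the lab) and an account-deletion route that trusts the username in the request (the horizontal case from the API pentest). The users, roles, session tokens and request shape are all constructed for the example; the hardened handler shows the deny-by-default checks, and the last function is the two-account test described in the prevention paragraph.

```python
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    method: str
    url: str
    session: str | None = None  # value of the session cookie, if any

    @property
    def path(self) -> str:
        return urlsplit(self.url).path

    def param(self, name: str) -> str | None:
        return parse_qs(urlsplit(self.url).query).get(name, [None])[0]


# Constructed sample state: username -> role, and session token -> username.
def fresh_users() -> dict[str, str]:
    return {"wiener": "user", "carlos": "user", "administrator": "admin"}


SESSIONS = {"sess-wiener": "wiener", "sess-admin": "administrator"}


def vulnerable_handle(req: Request, users: dict[str, str]):
    """Broken: the only thing protecting the admin panel is that nobody is
    supposed to know the URL, and the deletion routes act on whatever
    username the client puts in the query string."""
    if req.path == "/administrator-panel":
        return 200, sorted(users)
    if req.path in ("/administrator-panel/delete", "/my-account/delete"):
        target = req.param("username")
        users.pop(target, None)          # no session, role or ownership check
        return 200, f"deleted {target}"
    return 404, "not found"


def hardened_handle(req: Request, users: dict[str, str]):
    """Deny by default: identify the caller from the server-side session,
    then check role (vertical) or ownership (horizontal) before acting."""
    caller = SESSIONS.get(req.session)
    if caller is None:
        return 302, "/login"             # unauthenticated callers never reach a handler
    if req.path.startswith("/administrator-panel"):
        if users.get(caller) != "admin":
            return 403, "forbidden"      # vertical check: role comes from the server, not the request
        if req.method == "GET" and req.path == "/administrator-panel":
            return 200, sorted(users)
        if req.method == "POST" and req.path == "/administrator-panel/delete":
            target = req.param("username")
            if target not in users:
                return 404, "no such user"
            del users[target]
            return 200, f"deleted {target}"
    elif req.method == "POST" and req.path == "/my-account/delete":
        target = req.param("username") or caller
        if target != caller:
            return 403, "forbidden"      # horizontal check: a user may only delete their own account
        del users[caller]
        return 200, f"deleted {caller}"
    return 404, "not found"


# The privileged actions a tester would replay; constructed to match the handlers above.
PRIVILEGED_ACTIONS = [
    ("GET", "/administrator-panel"),
    ("POST", "/administrator-panel/delete?username=carlos"),
    ("POST", "/my-account/delete?username=carlos"),
]


def access_control_findings(handler) -> list[tuple]:
    """The test the prevention advice calls for: replay each privileged action
    with no session and with a low-privilege session. Every 200 is a
    broken-access-control finding."""
    findings = []
    for method, url in PRIVILEGED_ACTIONS:
        for session in (None, "sess-wiener"):
            status, _ = handler(Request(method, url, session), fresh_users())
            if status == 200:
                findings.append((method, url, session))
    return findings


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_handle), ("hardened", hardened_handle)):
        print(name, access_control_findings(handler))
```

Two design choices worth noting. The hardened handler only accepts the state-changing deletes over POST, so a link like /administrator-panel/delete?username=carlos (the shape the lab uses) is rejected even for an admin; that is a separate CSRF concern, but it falls out naturally once every route declares exactly which method and caller it serves. And access_control_findings is written so it can sit in a test suite: it fails the build as soon as any privileged action returns 200 to an anonymous or low-privilege caller, which is the check that catches a regression like an admin route being added without its role check.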