Creating secure authorization is key to protecting your web apps
Broken Access Control allows attackers to bypass authorization and gain access to accounts and permissions they shouldn’t have. This category groups many common weaknesses that enable unauthorized access to sensitive data.
Broken Access Control tops the OWASP Top 10 2021 list for good reason:
OWASP found over 300,000 occurrences, the highest among the Top 10 risks
It covers 34 Common Weakness Enumerations (CWEs)
Over 19,000 publicly disclosed vulnerabilities (CVEs) fall under this category
Average exploitability score of 7.0 and impact score of 5.9 out of 10
Implementing proper access control measures is therefore critical. Let’s look at some common examples under this expansive category.
A01:2021 – Broken Access Control
| CWEs Mapped | 34 |
| Max Incidence Rate | 55.97% |
| Avg Incidence Rate | 3.81% |
| Avg Weighted Exploit | 6.92 |
| Avg Weighted Impact | 5.93 |
| Max Coverage | 94.55% |
| Avg Coverage | 47.72% |
| Total Occurrences | 318,487 |
| Total CVEs | 19,013 |
A prime culprit is not enforcing least-privilege access. The default behavior should be to deny all access and grant only what is strictly necessary; failing to do so creates a massive attack surface.
A famous case is the large bank data breach where attackers realized they could access sensitive customer information by tweaking account numbers in the URL. Using scripts, they harvested data for 350,000 accounts. This weakness is categorized under CWE-639 Authorization Bypass Through User-Controlled Key.
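As an added illustration (not code from the original post), here is a minimal Python model of the account lookup described above: a handler that trusts the account number from the URL (CWE-639) next to a deny-by-default handler that checks ownership, plus a helper that counts how many records each handler exposes to a single logged-in user. The account store, user names and handler names are constructed for the example.

```python
from typing import Callable, Dict, Iterable, Optional

# Constructed sample data: account number -> owning user and balance.
ACCOUNTS: Dict[str, dict] = {
    "1001": {"owner": "alice", "balance": 5200.00},
    "1002": {"owner": "bob", "balance": 310.50},
}


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested object."""


def get_account_vulnerable(current_user: str, account_id: str) -> Optional[dict]:
    """CWE-639 pattern: the account number taken from the URL is used as the
    lookup key without checking who owns it, so any logged-in user who changes
    the id is handed someone else's record."""
    return ACCOUNTS.get(account_id)


def get_account_secure(current_user: str, account_id: str) -> dict:
    """Deny by default: return the record only if the caller owns it.
    A missing account and a foreign account raise the same error, so the
    response does not reveal which account numbers exist."""
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != current_user:
        raise Forbidden(f"user {current_user!r} may not access account {account_id!r}")
    return record


def count_exposed(handler: Callable[[str, str], Optional[dict]],
                  current_user: str, ids: Iterable[str]) -> int:
    """Count how many records a handler returns to one user across a range of
    ids. This is the measurement a code reviewer or test suite would use to
    confirm that the ownership check actually holds."""
    exposed = 0
    for account_id in ids:
        try:
            if handler(current_user, account_id) is not None:
                exposed += 1
        except Forbidden:
            pass
    return exposed


if __name__ == "__main__":
    ids = ["1000", "1001", "1002", "1003"]
    print("vulnerable handler exposes:", count_exposed(get_account_vulnerable, "bob", ids))  # 2
    print("secure handler exposes:    ", count_exposed(get_account_secure, "bob", ids))      # 1
```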
Another common issue is misconfiguring CORS (Cross-Origin Resource Sharing). Many apps need to access resources from other domains, and CORS enables this cross-domain access. But a mistake as simple as a wildcard in the allowed origins lets an attacker's site pose as a trusted domain.
The most dangerous CORS configuration is one that trusts the null origin, opening the site to anyone. Shockingly, a Shodan search reveals over 9,500 sites with this vulnerability. This weakness comes under CWE-942 Permissive Cross-Domain Policy with Untrusted Domains.
Another major risk is CSRF, or Cross-Site Request Forgery. Here, attackers trick logged-in users into unknowingly submitting malicious requests, which the browser sends with the victim's own credentials and session.
A common example is using hidden form fields to update a user’s email to the attacker’s, grabbing control of the account. Major sites like social media platforms, video streaming portals and banks have fallen victim to costly CSRF attacks. This weakness is marked under CWE-352 Cross-Site Request Forgery (CSRF).
We hope this post helped you learn about Broken Access Control, the #1 risk in the OWASP Top 10. Thanks for reading.
Rajeshwari KA is a Software Architect who has worked on full-stack development, Software Design, and Architecture for small and large-scale mission-critical applications in her 18 + years of experience.