Documented standards for secure product development


5. Broken access control

Restrictions on what authenticated users are allowed to do are enforced improperly.

What it is

Access control, or authorization, is how web apps let different users access different content, data, or functions. It’s a bit like how Netflix limits people on a lower plan to viewing HD content while users on a higher plan can watch 4K. When access control is broken, malicious users can access more than they should, impacting system security, confidentiality, processing resources, or billed functionality.

How it works

Bypassing access controls, viewing or editing someone else's account, elevating an account's privileges, manipulating metadata, abusing CORS, and accessing authenticated pages while unauthenticated are the most common attack vectors. Sometimes, gaining unauthorized access is as simple as manually entering an unlinked URL in a browser, such as https://example.com/admin.

Why it’s bad

Attackers can gain access to (and modify) data, accounts, and functions that they shouldn’t.

Countermeasures

  • Deny by default when it comes to the access controls of non-public resources.

  • Minimize CORS usage and configure it correctly.

  • Disable web server directory listing and ensure file metadata (e.g., .git) and backup files are not present within the web roots.

  • Rate limit APIs and web endpoint access to minimize the harm from automated attack tooling.

  • Invalidate JWTs after logout.

  • Include unit and integration tests for functional access cases.
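The "viewing someone else's account" and unlinked /admin URL cases above, and the deny-by-default and access-test countermeasures, worked through in one added example (not code from the handbook; the user, account and role data are constructed):

```python
# Added example, not from the handbook: a deny-by-default authorization
# check for account records and an admin page, beside the broken version.
from dataclasses import dataclass, field

@dataclass
class User:
    id: int
    roles: set = field(default_factory=set)

# Constructed sample data: two ordinary users who each own one account, one admin.
ACCOUNTS = {101: {"owner": 1, "balance": 50}, 102: {"owner": 2, "balance": 75}}
USERS = {1: User(1), 2: User(2), 3: User(3, {"admin"})}

class Forbidden(Exception):
    """Raised for every denied request; the caller only sees 403-style failure."""

def view_account_broken(current_user, account_id):
    """Vulnerable: trusts the caller-supplied id, so any logged-in user
    (or a request with no user at all) can read any account."""
    return ACCOUNTS[account_id]

def is_allowed(user, action, resource):
    """Explicit allow rules; anything not matched is denied."""
    if user is None:                      # unauthenticated requests never pass
        return False
    if "admin" in user.roles:             # admins may perform any action
        return True
    if action == "account:view" and resource in ACCOUNTS:
        return ACCOUNTS[resource]["owner"] == user.id   # owner only
    return False                          # deny by default, including unknown ids

def view_account(current_user, account_id):
    # Missing, foreign and own-but-denied records all fail the same way,
    # so the response does not reveal whether the account exists.
    if not is_allowed(current_user, "account:view", account_id):
        raise Forbidden("account:view")
    return ACCOUNTS[account_id]

def admin_page(current_user):
    # The page is reachable by URL; the check, not obscurity, protects it.
    if not is_allowed(current_user, "admin:page", None):
        raise Forbidden("admin:page")
    return "admin dashboard"

def permitted(fn, *args):
    """Helper for functional access tests: True if the call is allowed."""
    try:
        fn(*args)
        return True
    except Forbidden:
        return False
```

The `permitted` helper is what the unit and integration tests call: each test names a user, an action and a resource and asserts the expected allow or deny.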

Broken access control example

Jailbreaking or rooting a particular phone model and iOS version is achieved via broken access control exploits.

The illustration shown depicts broken access control in the form of an unofficial app store that looks and feels much like the real app store. The broken access control allows apps to be sideloaded, tricking iOS into not enforcing its access control rules.

[Illustration: broken access control in an unofficial app store]

AltStore is an alternative app store for non-jailbroken devices. Unlike other unofficial app stores today, AltStore does not rely on enterprise certificates, which Apple has been cracking down on more and more recently. Instead, it relies on a lesser-known developer feature that allows you to use your Apple ID to install apps you’ve developed with Xcode, Apple’s development toolkit. The feature is intended for people who might otherwise be unable to purchase a $99/year developer account themselves. In fact, there’s no technical reason why it’s limited to apps installed from Xcode.

AltStore is a fully native, sandboxed iOS application that allows you to sideload apps by essentially tricking your phone into thinking it’s installing apps that you made yourself. In reality, it can install any app.
