Broken Access Control – The #1 Web Application Security Risk

Creating secure authorization is key to protecting your web apps

Broken Access Control allows attackers to bypass authorization and gain access to accounts and permissions they shouldn’t have. This category groups many common weaknesses that enable unauthorized access to sensitive data.

Why Broken Access Control tops the list?

Broken Access Control tops the OWASP Top 10 2021 list for good reason:

  • OWASP found over 300,000 occurrences, the highest among the Top 10 risks

  • It covers 34 Common Weakness Enumerations (CWEs)

  • Over 19,000 publicly disclosed vulnerabilities (CVEs) fall under this category

  • Average exploitability score of 7.0 and impact score of 5.9 out of 10

Implementing proper access control measures is therefore critical. Let’s look at some common examples under this expansive category.

CWES Mapped 34
Max Incidence Rate 55.97%
Avg Incidence Rate 3.81%
Avg Weighted Exploit 6.92
Avg Weighted Impact 5.93
Max Coverage 94.55%
Max Coverage 47.72%
Total Occurrences 318,487
Total CVEs 19,013

A01:2021 – Broken Access Control

Not implementing principle of least privilege

A prime culprit is not enforcing least privilege access. The default behavior should be to automatically deny all access, only allowing what is absolutely necessary. But failing to do so creates a massive attack surface.

A famous case is the large bank data breach where attackers realized they could access sensitive customer information by tweaking account numbers in the URL. Using scripts, they harvested data for 350,000 accounts. This weakness is categorized under CWE-639 Authorization Bypass Through User-Controlled Key.

CORS misconfigurations open sites to attacks

Another common issue is misconfiguring CORS (Cross-Origin Resource Sharing). Many apps need to access resources from other domains, and CORS enables this cross-domain access. But something as simple as a wildcard in allowed origins can let attackers spoof trusted domains.

The most dangerous CORS config allows access from [Trusted Null Origin], opening the site to anyone. Shockingly, a Shodan search reveals over 9500 sites with this vulnerability. This weakness comes under CWE-942 Permissive Cross-Domain Policy with Untrusted Domains.

See also  Step-By-Step Procedure To Install Linux Mint Linux On VMWare Workstation

CSRF – Forcing users to execute unwanted actions

Another major risk is CSRF or Cross-Site Request Forgery attacks. Here, attackers trick logged-in users into unknowingly running malicious requests using their credentials and sessions.

A common example is using hidden form fields to update a user’s email to the attacker’s, grabbing control of the account. Major sites like social media platforms, video streaming portals and banks have fallen victim to costly CSRF attacks. This weakness is marked under CWE-352 Cross-Site Request Forgery (CSRF).

Leave a Reply

Your email address will not be published. Required fields are marked *