Only the “right” people should have access
Today we are going to learn about number seven on the Open Web Application Security Project (OWASP) top ten list, missing function level access control. The web is a great tool. Originally designed to facilitate the free flow of information, it has matured into so much more. You can shop, watch movies, play games, and conduct business.
However, the platform of the web is currently evolving into something much more powerful. With the advent of the “Internet of Things,” you will soon be able to do things with it, not just read and shop. Businesses and governments have already begun to harness this power by using the web to control things like power plants, traffic patterns, water systems, and oil pipelines.
Soon everyday consumers will be able to afford systems that will set their thermostat, control their lights, monitor their home, check their fridge for recipe ingredients – and then order things that are running low. If you had that kind of technology you would want to make sure only the right people could use your apps. For example, would you give the shady guy at the coffee shop this kind of VIP access to your home? Or how about exposing your business’s admin panel to the whole world?
Defining the Problem
It is precisely these kinds of things that are referred to when security experts talk about missing function level access control. The functions are what your web app is capable of doing. The “access control” means making sure only the right people use your tools. And the “missing” means, well… you get the picture. A typical example of this vulnerability is when a user notices a URL parameter and manually changes it to access unintended information. For example, if after authenticating, I visited my secure diary at www.diary.example.com?user=josh and then manually changed the URL to be www.diary.example.com?user=yourName and was able to read your private diary, that would be missing function level access control.
Below is the OWASP cheat-sheet on missing function level access control:
Detection & Prevention
As with most security vulnerabilities, the hardest part about detecting and preventing it is being aware of its existence. When designing your apps, simply “deny by default.” That is to say, disallow access to all URLs (or functions) and then white-list them one at a time as appropriate. Access control lists (ACL) and role-based authentication mechanisms are very useful tools in protecting against this type of threat. The key is properly configuring them.
If you are working with an existing system, be sure to check all available URLs for this kind of vulnerability. As a general rule, users will be creative and test the limits of the system. Be sure not to just hide links a user doesn’t have permission to click, but use server-side mechanisms to prevent them from viewing those pages as well.
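To make the “deny by default” and server-side enforcement advice concrete, here is an added example (not code from the original post or from Credera): a whitelist ACL keyed by HTTP method and path pattern, a check to run before dispatching any handler, and a small audit helper for finding served routes that no ACL entry covers. The route patterns, role names and users are assumptions made up for illustration.

```python
"""Deny-by-default function-level access control, enforced server-side.
Added example, not from the original post: a request is denied unless a
whitelist entry names one of the caller's roles. ACL entries, roles and
users are constructed for illustration."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

# Whitelist: (HTTP method, path pattern) -> roles allowed to call it.
# Anything not listed is refused, whether or not the UI shows a link to it.
ACL = {
    ("GET", "/diary/*"): {"user", "admin"},
    ("POST", "/diary/*"): {"user", "admin"},
    ("GET", "/admin/*"): {"admin"},
    ("POST", "/admin/users/*/delete"): {"admin"},
}

def owner_of_diary(path: str) -> Optional[str]:
    """For /diary/<name>/..., return <name>; otherwise None."""
    parts = path.strip("/").split("/")
    return parts[1] if len(parts) >= 2 and parts[0] == "diary" else None

def is_allowed(user: User, method: str, path: str) -> bool:
    """Server-side check to run before dispatching any handler."""
    # 1. Function-level: collect roles from every ACL entry matching the request.
    allowed_roles = set()
    for (acl_method, pattern), roles in ACL.items():
        if acl_method == method and fnmatchcase(path, pattern):
            allowed_roles |= roles
    if not allowed_roles & user.roles:
        return False  # deny by default: no whitelist entry, or caller lacks the role
    # 2. Object-level: the post's diary case, where user=josh is changed to another name.
    owner = owner_of_diary(path)
    if owner is not None and owner != user.name and "admin" not in user.roles:
        return False
    return True

def unprotected_routes(app_routes):
    """Audit helper for an existing system: served routes with no ACL entry."""
    return [(m, p) for (m, p) in app_routes
            if not any(m == am and fnmatchcase(p, pat) for (am, pat) in ACL)]
```

Because the check keys on method and path rather than on which links were rendered, a hidden admin link or a hand-edited URL is refused just like any other unlisted request.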
Making sure the right people have access to appropriate functions of your app is a growing concern. Hiding these functions is not enough. You must enforce your access restrictions from the server as well. Access control lists and role-based authentication mechanisms are effective strategies against this vulnerability, and already have implementations on nearly every platform. However, you must be vigilant to properly maintain their configurations to protect from abuse.
Credera has a security team that is well versed in the detection and prevention of security holes and application vulnerabilities. If you would like to discuss any of the materials you have read or have a particular need for testing or secure application development, please email us at SecurityTeam@credera.com.