H M < >
CMU540

WEB-ACCESS-01 - Broken Access Control

Session 2

James Williams

jwilliams@staff.newman.ac.uk

Session Overview

🎯 Career Focus

Access control specialists earn £45,000-£80,000+ in roles like:

  • Security Architect
  • Identity & Access Management (IAM) Specialist
  • Penetration Tester
  • Security Consultant

Learning Objectives

  • Understand access control mechanisms and their importance
  • Identify common access control vulnerabilities
  • Practice exploiting broken access control using OS³ Studio
  • Learn secure access control implementation patterns
  • Explore career opportunities in access control security
Key Question: How do we ensure users can only access what they're authorized to see?

What is Access Control?

Access Control determines who can access what resources and under what conditions.

Core Principles:

  • Authentication: "Who are you?" - Verifying identity
  • Authorization: "What can you do?" - Determining permissions
  • Accountability: "What did you do?" - Tracking actions

🔗 Real-World Example

Think of a bank vault - you need:

  • Valid ID (Authentication)
  • Proper authorization level (Authorization)
  • Access logs (Accountability)

Types of Access Control

1. Discretionary Access Control (DAC)

  • Resource owners control access
  • Common in file systems
  • Flexible but can be insecure

2. Mandatory Access Control (MAC)

  • System-enforced policies
  • Used in military/government
  • Highly secure but inflexible

3. Role-Based Access Control (RBAC)

  • Access based on user roles
  • Most common in web applications
  • Balances security and usability

Common Access Control Vulnerabilities

🚨 Vertical Privilege Escalation

Regular users gaining admin privileges

GET /admin/users → Should require admin role

🚨 Horizontal Privilege Escalation

Users accessing other users' data

GET /users/123/profile → User 456 accessing User 123's data

Missing Function Level Access Control

🚨 Direct Object References

No authorization check for object access

GET /api/documents/456 → No check if user owns document 456

Common Scenarios:

  • Direct database queries without authorization
  • File system access without permission checks
  • API endpoints without role verification
  • Administrative functions accessible to regular users

OS³ Studio Lab Environment

🔬 Lab Setup

We'll use the OS³ Newman Cyber Security Lab to practice access control exploitation:

  1. Access the vulnerable web application
  2. Identify broken access control mechanisms
  3. Exploit vulnerabilities systematically
  4. Document findings and impact
Lab Environment: Isolated, safe environment for learning offensive security techniques

Common Attack Vectors

1. URL Manipulation

  • Changing user IDs in URLs
  • Accessing admin panels directly
  • Bypassing authentication checks

2. Parameter Tampering

  • Modifying form parameters
  • Changing role values
  • Manipulating session data

3. Directory Traversal

  • Accessing restricted directories
  • Bypassing path restrictions
  • Reading sensitive files

Real-World Impact

🚨 Case Study: Facebook Data Breach (2018)

  • Impact: 50 million users affected
  • Cause: Access token vulnerability
  • Result: $5 billion fine from FTC

💼 Industry Impact

Broken access control is the #1 OWASP vulnerability because:

  • It's easy to exploit
  • It has high impact
  • It's often overlooked in development

Detection Methods

Manual Testing:

  • Role-based testing with different user accounts
  • URL manipulation and parameter tampering
  • Session management analysis

Automated Testing:

  • Burp Suite Professional
  • OWASP ZAP
  • Custom scripts for authorization testing

🔗 Tools and Resources

PortSwigger Access Control Guide

OWASP IDOR Attack Guide

Prevention Strategies

1. Implement Proper Authorization

  • Check permissions on every request
  • Use role-based access control (RBAC)
  • Implement principle of least privilege

2. Secure Session Management

  • Use secure session tokens
  • Implement proper session timeout
  • Validate session state on every request

3. Regular Security Testing

  • Conduct regular penetration tests
  • Implement automated security scanning
  • Review access control policies regularly

Industry Standards and Frameworks

Security Frameworks:

  • NIST Cybersecurity Framework
  • ISO 27001
  • OWASP ASVS (Application Security Verification Standard)

Compliance Requirements:

  • GDPR: Data protection and access control
  • PCI DSS: Payment card industry standards
  • HIPAA: Healthcare data protection

💼 Career Opportunities

Compliance specialists earn £40,000-£70,000+ in roles like:

  • Compliance Officer
  • Risk Assessment Specialist
  • Security Auditor

Career Paths in Access Control

🎯 Entry-Level Roles (£25,000-£40,000)

  • Junior Security Analyst
  • IT Security Support
  • Security Operations Center (SOC) Analyst

🎯 Mid-Level Roles (£40,000-£70,000)

  • Security Consultant
  • Penetration Tester
  • Identity & Access Management Specialist

🎯 Senior Roles (£70,000-£120,000+)

  • Security Architect
  • Chief Information Security Officer (CISO)
  • Security Engineering Manager

Tools and Technologies

Identity and Access Management (IAM):

  • Auth0: Identity-as-a-Service platform
  • Okta: Enterprise identity management
  • Microsoft Azure AD: Cloud identity services
  • Keycloak: Open-source identity management

Testing Tools:

  • Burp Suite: Web application security testing
  • OWASP ZAP: Free security testing tool
  • Postman: API testing and development

🔗 Hands-On Learning

Auth0 Quick Start Guide

Keycloak Getting Started

Security Best Practices

Development Phase:

  • Implement security by design
  • Use secure coding practices
  • Conduct regular code reviews
  • Test authorization thoroughly

Deployment Phase:

  • Use secure configuration
  • Implement monitoring and logging
  • Regular security updates
  • Incident response planning
Remember: Security is not a one-time implementation - it's an ongoing process!

Common Mistakes to Avoid

🚨 Security Anti-Patterns

  • Client-side authorization only - Easy to bypass
  • Hidden form fields - Can be manipulated
  • URL-based permissions - Not secure
  • Weak session management - Vulnerable to hijacking

Red Flags:

  • Authorization checks only in JavaScript
  • Admin functions accessible via direct URLs
  • No session timeout implementation
  • Predictable session tokens

Legal and Ethical Considerations

⚠️ Important Legal Notice

Only test systems you own or have explicit permission to test!

Ethical Guidelines:

  • Always get proper authorization
  • Follow responsible disclosure
  • Respect privacy and data protection
  • Report vulnerabilities responsibly

💼 Professional Ethics

Ethical hackers and security professionals follow:

  • Certified Ethical Hacker (CEH) guidelines
  • OWASP ethical guidelines
  • Company security policies

Task 1: Vulnerability Discovery

Instructions:

  1. Access the OS³ Studio vulnerable application
  2. Create test accounts with different roles (user, admin)
  3. Identify broken access control vulnerabilities
  4. Test vertical privilege escalation (user → admin)
  5. Test horizontal privilege escalation (user A → user B)
  6. Document all findings with screenshots
  7. Note the impact and potential damage
  8. Prepare a brief report of your findings

Time: 45 minutes

Focus on systematic testing and thorough documentation

Break Time

15 Minutes

Take a break, ask questions, or catch up on the previous task.

Next: Secure implementation and Task 2

Secure Implementation Patterns

1. Server-Side Authorization

<!-- Always check permissions on the server -->
if (user.hasRole('admin') && user.canAccess(resource)) {
  return resource;
} else {
  throw new UnauthorizedException();
}

2. Role-Based Access Control

  • Define clear roles and permissions
  • Implement role hierarchy
  • Use principle of least privilege

Secure Session Management

Best Practices:

  • Secure Session Tokens: Use cryptographically secure random tokens
  • Session Timeout: Implement automatic logout
  • Session Validation: Check session state on every request
  • Secure Storage: Store sessions securely on server
<!-- Secure session implementation -->
const session = {
  id: crypto.randomBytes(32).toString('hex'),
  userId: user.id,
  role: user.role,
  expiresAt: Date.now() + SESSION_TIMEOUT,
  lastActivity: Date.now()
};

Input Validation and Sanitization

Critical Security Measures:

  • Validate all inputs: Check data types, ranges, and formats
  • Sanitize user data: Remove or escape dangerous characters
  • Use parameterized queries: Prevent SQL injection
  • Implement CSRF protection: Prevent cross-site request forgery
<!-- Input validation example -->
function validateUserId(userId) {
  if (!userId || !Number.isInteger(userId) || userId <= 0) {
    throw new ValidationError('Invalid user ID');
  }
  return userId;
}

Monitoring and Logging

Security Monitoring:

  • Access Logs: Track all access attempts
  • Failed Authentication: Monitor login failures
  • Privilege Escalation: Alert on suspicious activity
  • Anomaly Detection: Identify unusual patterns
<!-- Security logging example -->
logger.warn('Unauthorized access attempt', {
  userId: user.id,
  resource: requestedResource,
  ip: request.ip,
  userAgent: request.headers['user-agent'],
  timestamp: new Date()
});

Task 2: Secure Implementation

Instructions:

  1. Return to the OS³ Studio application
  2. Implement secure access control mechanisms
  3. Fix the vulnerabilities discovered in Task 1
  4. Add proper server-side authorization checks
  5. Implement secure session management
  6. Add input validation and sanitization
  7. Test your secure implementation
  8. Document the security improvements made

Time: 45 minutes

Focus on implementing robust security controls

Testing Secure Implementation

Security Testing Checklist:

  • ✓ Test all user roles and permissions
  • ✓ Verify session timeout works correctly
  • ✓ Test input validation with malicious data
  • ✓ Check error handling doesn't leak information
  • ✓ Verify logging captures security events
Remember: Security testing should be continuous, not just a one-time activity!

Industry Tools and Resources

Professional Tools:

  • Burp Suite Professional: Advanced web security testing
  • OWASP ZAP: Free, open-source security scanner
  • Nessus: Vulnerability assessment tool
  • Metasploit: Penetration testing framework

🔗 Learning Resources

PortSwigger Access Control Guide

OWASP Top 10

Free Cyber Security Courses

Career Development in Access Control

Certifications to Consider:

  • CEH (Certified Ethical Hacker): Ethical hacking certification
  • CISSP (Certified Information Systems Security Professional): Advanced security certification
  • CISM (Certified Information Security Manager): Security management
  • CompTIA Security+: Entry-level security certification

💼 Professional Development

Build your career through:

  • Continuous learning and certification
  • Hands-on experience with security tools
  • Contributing to open-source security projects
  • Networking with security professionals

Summary and Key Takeaways

What We've Learned:

  • Access control is fundamental to application security
  • Broken access control is the #1 OWASP vulnerability
  • Proper implementation requires server-side validation
  • Security testing should be continuous and systematic
  • Strong career opportunities exist in access control security
Key Principle: Never trust the client - always validate on the server!

Next Steps

🔗 Continue Learning

Complete OWASP Top 10

Free Cyber Security Courses

Questions?

Feel free to ask questions about access control, career paths, or anything else!