Broken Access Control

The security risk Broken Access Control describes the incorrect or missing restrictions of specific groups of users to access certain resources.

A01:2021

Background

Context

Often used types of access control systems are:

• Attribute Based Access Control
• Role Based Access Control
• Decentralized Approaches
  • OpenID connect
  • OAuth

Problems

• If incorrectly defined, users can access resources that they are not be allowed to
• Depending on the system admin functionalities can be exploited or premium functions can be used for free

Solutions

• Use third party tools like Keycloak/
• Implement access control carefully
  • Zero Trust (opens new window)
• No one-fits-all solution exists

Technology

Different libraries exist, which help developers to define roles or attributes, add certain rights to these groups and methods to verify if a user has to required rights to view a ressource.

DANGER

The developers themselves have to firstly define which resources need to be restricted and who can access them. Since this is a rather individual task no generic solution to create a secure access control system exists.