OWASP Top 10 Part 5: Broken Access Control


Time: 12 hours 57 minutes
Difficulty: Intermediate
CEU/CPE: 13
Video Transcription
00:00
OWASP Top 10, number five: broken access control.
00:05
In this lesson, we're going to talk about the risks, impact and techniques to address broken access control.
00:14
What is broken access control? Well, as we talked about before, we talked a lot about identity and access management. One of those components, especially when it comes to the authorization of any individual identity, is what accesses
00:27
that individual is authorized to have within an application, or any system for that matter.
00:34
When it comes to access control,
00:38
an attacker modifies a URL. They basically are using various methods to analyze the system, its authentication and access management mechanisms, and modifying it in some way: either, as I said, by changing the URL, using a substitution key to impersonate another user, or manipulating the metadata surrounding the access to escalate their privilege. Some APIs also may not have access control built in from the beginning.
01:14
One of the other things that's difficult about this is that many of the security testing methods that we'll discuss later find it difficult
01:23
to identify issues related to access control. This is something that really is best detected using manual testing, but that can be onerous.
01:34
One of the best things to do is really to prevent modification of access control checking mechanisms or metadata. Now, doing that really means looking at your code and identifying areas where you want to provide alerts, or isolate the process of doing the access control check
01:52
or the metadata elements.
01:56
Quiz question. Broken access control exploits can be used to do all of the following except:
02:00
Number one, denial of service attack.
02:04
Two, escalation of privilege.
02:07
Three, impersonation.
02:10
Denial of service. Although maybe in the second phase of the attack, when it comes to broken access control, the attacker's main goal here is to manipulate various access control elements to escalate their privilege, get a new level of access. And then also we talked about the manipulation
02:30
of the primary key in order to impersonate another user.
02:37
So in summary, we talked about
02:40
the broken access control vulnerability, how it's often difficult to detect using traditional software security testing methods, and then also how it can be used to escalate privilege as well as gain access and impersonate other users.
02:59
And that the best way to address this is really to prevent metadata or other aspects of the access control mechanism from being manipulated by an external user.
03:10
All right, I'll see you in the next lesson.
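The URL modification, key substitution and metadata manipulation the lesson describes, as an added example that is not part of the course or the instructor's material: a toy invoice endpoint with an insecure direct object reference beside its hardened form, and a client-supplied role field beside a server-side role lookup behind a signed session. The users, invoices, URL paths, cookie format and signing secret are all constructed for the demo.

```python
"""Added example (not the course's code): two broken-access-control patterns
and their hardened counterparts. All data and names below are constructed."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass

# Hypothetical server-side secret; a real deployment would load it from config.
SECRET = b"server-side-secret-for-demo-only"


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


# Constructed sample data: two ordinary users and one admin.
USERS = {1: User(1, "user"), 2: User(2, "user"), 9: User(9, "admin")}
INVOICES = {
    100: {"owner": 1, "amount": 40},
    101: {"owner": 2, "amount": 9000},
}


def parse_invoice_id(path: str) -> int:
    """Extract the id from a path such as '/invoices/101'."""
    prefix = "/invoices/"
    if not path.startswith(prefix) or not path[len(prefix):].isdigit():
        raise NotFound(path)
    return int(path[len(prefix):])


def get_invoice_vulnerable(session_user: User, path: str) -> dict:
    """IDOR: the id in the URL is trusted; whoever is logged in can read any invoice."""
    invoice_id = parse_invoice_id(path)
    if invoice_id not in INVOICES:
        raise NotFound(invoice_id)
    return INVOICES[invoice_id]


def get_invoice_hardened(session_user: User, path: str) -> dict:
    """Deny by default: the server-side record, not the URL, decides who may read it."""
    invoice_id = parse_invoice_id(path)
    invoice = INVOICES.get(invoice_id)
    is_owner = invoice is not None and invoice["owner"] == session_user.id
    if invoice is None or not (is_owner or session_user.role == "admin"):
        # Same error for "missing" and "not yours", so the id space cannot be enumerated.
        raise NotFound(invoice_id)
    return invoice


def resolve_user_vulnerable(cookie: dict) -> User:
    """Metadata manipulation: the role is read straight from client-controlled data."""
    return User(cookie["uid"], cookie["role"])


def make_session_cookie(user_id: int) -> str:
    """Server issues base64(payload).hex(HMAC-SHA256(payload)); the role is NOT in it."""
    payload = json.dumps({"uid": user_id}).encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return base64.b64encode(payload).decode() + "." + mac


def resolve_user_hardened(cookie: str) -> User:
    """Verify the MAC, then look the role up server-side; the client only names itself."""
    b64, _, mac = cookie.partition(".")
    try:
        payload = base64.b64decode(b64, validate=True)
    except (ValueError, TypeError):
        raise Forbidden("malformed session")
    expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise Forbidden("bad session signature")
    uid = json.loads(payload)["uid"]
    if uid not in USERS:
        raise Forbidden("unknown user")
    return USERS[uid]


def denied(fn, *args) -> bool:
    """True if the call is refused (used to show which variants block the attack)."""
    try:
        fn(*args)
        return False
    except (NotFound, Forbidden):
        return True


if __name__ == "__main__":
    alice = USERS[1]
    print("IDOR on vulnerable endpoint:", get_invoice_vulnerable(alice, "/invoices/101"))
    print("IDOR on hardened endpoint blocked:", denied(get_invoice_hardened, alice, "/invoices/101"))
    print("Client-chosen role accepted:", resolve_user_vulnerable({"uid": 1, "role": "admin"}))
    print("Server-side role:", resolve_user_hardened(make_session_cookie(1)))
```

The hardened invoice lookup returns the same "not found" for a foreign id and a nonexistent one; answering "forbidden" for the former would confirm to an attacker that the id exists. Likewise the hardened session carries only an identity claim under an HMAC, and the role is resolved from the server's own table, so there is no client-side field left to manipulate.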