OWASP Top 10 Part 5: Broken Access Control


Time
12 hours 57 minutes
Difficulty
Intermediate
CEU/CPE
13
Video Transcription
00:00
>> OWASP Top 10 Number 5, Broken Access Control.

In this lesson, we're going to talk about the risks, impact, and techniques to address broken access control.

What is broken access control? Well, as we talked about before, we talked a lot about identity and access management. Well, one of those components, especially when it comes to the authorization of any individual identity, is what access that individual is authorized to have within an application or any system, for that matter.

When it comes to access control, an attacker is modifying a URL. They basically are using various methods to analyze the system, its authentication and access management mechanisms, and modifying it in some way: either, as I said, by changing the URL, using a substitution key to impersonate another user, or manipulating the metadata surrounding the access to escalate their privilege. Some APIs also may not have access control built in from the beginning.

One of the other things that's difficult about this is that many of the security testing methods that we'll discuss later find it difficult to identify issues related to access control. This is something that really is best detected using manual testing, but that can be onerous.

One of the best things to do is really prevent modification of access control checking mechanisms or metadata. Now, doing that really means looking at your code and identifying areas where you want to provide alerts or isolate the process of doing the access control check or the metadata elements.

Quiz question: Broken access control exploits can be used to do all the following, except? Number 1, denial of service attack. Two, escalation of privilege. Three, impersonation.

Denial of service, although it may be in the second phase of the attack, when it comes to broken access control, the attackers' main goal here is to manipulate various access control elements to escalate their privilege, get a new level of access. Then also we talked about the manipulation of the primary key in order to impersonate another user.

In summary, we talked about the broken access control vulnerability: how it's often difficult to detect using traditional software security testing methods, and then also how it can be used to escalate privilege as well as gain access and impersonate other users. The best way to address this is really to prevent metadata or other aspects of the access control mechanism from being manipulated by an external user. I'll see you in the next lesson.
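The lesson describes two ways access control breaks (changing an id in the URL, and substituting a client-supplied key to impersonate another user) and the fix it recommends (decide access from server-side data the client cannot modify, and alert on attempts). The following is an added example written for this page, not code from the Cybrary lesson; it uses plain Python with no web framework, and the invoice records, user roles and request shape are all constructed for illustration.

```python
"""
Added example (not from the Cybrary lesson): object-level authorization
in plain Python. Two vulnerable lookups are shown beside a hardened one
that decides from the session identity, denies by default, and logs denials.
All data below is constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample records, each owned by a different user.
INVOICES = {
    101: {"owner": "alice", "amount": 250.00},
    102: {"owner": "bob", "amount": 99.00},
}
# Constructed role table; roles live server-side, never in the request.
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}


@dataclass
class Request:
    session_user: str                    # identity from the server-side session
    invoice_id: int                      # taken from the URL path: attacker-controlled
    claimed_user: Optional[str] = None   # a client-supplied "user" parameter: untrusted


@dataclass
class AuditLog:
    """Collects denied accesses so repeated id probing becomes visible."""
    denied: list = field(default_factory=list)

    def record(self, user: str, invoice_id: int) -> None:
        self.denied.append((user, invoice_id))


def get_invoice_insecure(req: Request) -> Optional[dict]:
    """Vulnerable: looks up by the URL id alone. Changing 101 to 102 in the
    URL returns another user's record (the URL-modification case)."""
    return INVOICES.get(req.invoice_id)


def get_invoice_impersonation(req: Request) -> Optional[dict]:
    """Vulnerable: the ownership check compares against a value the client
    supplied (the substitution-key case), so the check is attacker-controlled."""
    inv = INVOICES.get(req.invoice_id)
    if inv and inv["owner"] == (req.claimed_user or req.session_user):
        return inv
    return None


def get_invoice_secure(req: Request, audit: AuditLog) -> Optional[dict]:
    """Hardened: authorization is decided only from the session identity and
    server-side roles, denies by default, and every denial is logged."""
    inv = INVOICES.get(req.invoice_id)
    if inv is None:
        return None  # same outcome as a denial, so ids cannot be enumerated
    is_owner = inv["owner"] == req.session_user
    is_admin = ROLES.get(req.session_user) == "admin"
    if is_owner or is_admin:
        return inv
    audit.record(req.session_user, req.invoice_id)
    return None


if __name__ == "__main__":
    log = AuditLog()
    # alice, logged in, edits the URL to point at bob's invoice.
    print("insecure:", get_invoice_insecure(Request("alice", 102)))
    print("impersonation:", get_invoice_impersonation(Request("alice", 102, claimed_user="bob")))
    print("secure:", get_invoice_secure(Request("alice", 102), log))
    print("denials logged:", log.denied)
```

The point the hardened version makes is that the only inputs to the decision are the session identity and server-side state; nothing the client sends (the id, the claimed user) can change the outcome, and each denial leaves a record that a reviewer can alert on.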