Broken Access Control
Learn about broken access control, direct object access, deter URL probing, authorizing access to objects, directory traversal attacks, and securing files from attacks.
Direct object access
Broken access control refers to application problems that allow attackers to access data they shouldn’t. This can include other users’ data or system-level data like password files.
One common form of broken access control is direct object access (also called an insecure direct object reference, or IDOR). It happens when a URL carries something like a database ID as a query parameter and the server uses that ID to fetch the object without checking that the requester is allowed to see it. An attacker sees the ID in the query parameter and starts probing for other values.
Because database IDs are usually assigned sequentially (an auto-increment column, for example), it is easy for an attacker to scan the ID space for other interesting data. For example, suppose a warehouse management system uses the customer’s ID to display a report of that customer’s shipments. An attacker can substitute other customer IDs to see what goods are en route to other customers. The solution has two parts: reducing the value of URL probing and, more importantly, checking authorization to objects in the first place.
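The following is an added example, not code from the original page, showing both parts of that solution on the warehouse scenario. The shipment data, the handler names, and the token tables are all constructed for illustration. `report_vulnerable` trusts the ID from the URL, `report_authorized` adds the ownership check, and `lookup_report` resolves an opaque, non-sequential identifier (assumed here to be 128 random bits from `secrets.token_urlsafe`) and still performs the ownership check, because a hard-to-guess URL is not authorization. The two `probe_*` functions simulate the attacker.

```python
import secrets
from typing import Dict, List, Optional

# Constructed sample data: an in-memory stand-in for the warehouse database.
# Customer IDs are sequential integers, as an auto-increment column would assign them.
SHIPMENTS: Dict[int, List[str]] = {
    1: ["10 pallets of copper wire"],
    2: ["3 crates of server hardware"],
    3: ["200 cartons of pharmaceuticals"],
}


class Forbidden(Exception):
    """Raised when the requester is not allowed to see the requested object."""


def report_vulnerable(requesting_customer: int, customer_id: int) -> List[str]:
    """Broken access control: the handler trusts the ID from the URL and never
    asks whether the logged-in customer owns that report."""
    return SHIPMENTS[customer_id]


def report_authorized(requesting_customer: int, customer_id: int) -> List[str]:
    """Second part of the fix: authorize access to the object itself.
    The ownership check runs before any data is read."""
    if customer_id != requesting_customer:
        raise Forbidden(f"customer {requesting_customer} may not view report {customer_id}")
    return SHIPMENTS[customer_id]


def probe_sequential(requesting_customer: int, handler, max_id: int = 10) -> Dict[int, List[str]]:
    """Simulate an attacker, logged in as requesting_customer, walking the ID space."""
    found: Dict[int, List[str]] = {}
    for candidate in range(1, max_id + 1):
        try:
            found[candidate] = handler(requesting_customer, candidate)
        except (KeyError, Forbidden):
            continue  # missing or refused; the attacker moves on to the next ID
    return found


# First part of the fix: opaque, non-sequential identifiers in URLs.
# Hypothetical mapping tables; a real application would store the token in its own column.
TOKEN_TO_ID: Dict[str, int] = {}
ID_TO_TOKEN: Dict[int, str] = {}


def public_id_for(customer_id: int) -> str:
    """Return the customer's opaque URL identifier, minting one on first use.
    128 random bits from the OS CSPRNG; nothing about it is derived from the row ID."""
    if customer_id not in ID_TO_TOKEN:
        token = secrets.token_urlsafe(16)
        ID_TO_TOKEN[customer_id] = token
        TOKEN_TO_ID[token] = customer_id
    return ID_TO_TOKEN[customer_id]


def lookup_report(requesting_customer: int, token: str) -> Optional[List[str]]:
    """Both parts together: resolve the opaque token, then still check ownership.
    'No such token' and 'not your object' get the same answer, so the endpoint
    does not become an oracle for which tokens exist."""
    customer_id = TOKEN_TO_ID.get(token)
    if customer_id is None or customer_id != requesting_customer:
        return None
    return SHIPMENTS[customer_id]


def probe_random_tokens(requesting_customer: int, attempts: int = 10_000) -> Dict[str, List[str]]:
    """Simulate guessing opaque tokens. In a 128-bit space the expected number
    of hits is negligible even after many thousands of attempts."""
    found: Dict[str, List[str]] = {}
    for _ in range(attempts):
        guess = secrets.token_urlsafe(16)
        report = lookup_report(requesting_customer, guess)
        if report is not None:
            found[guess] = report
    return found


if __name__ == "__main__":
    print("sequential IDs, no check:  ", probe_sequential(1, report_vulnerable))
    print("sequential IDs, with check:", probe_sequential(1, report_authorized))
    for cid in SHIPMENTS:
        public_id_for(cid)
    print("opaque IDs, guessing:      ", probe_random_tokens(1))
```

Run as a script, the first probe returns every customer's report, the second returns only the attacker's own, and the third returns nothing. Note that the authorization check in `lookup_report` is what actually protects the data; the opaque identifier only removes the cheap enumeration path.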
Deter URL probing
We can make it harder to find interesting values. First, don’t use database IDs in URLs. We can generate unique but non-sequential identifiers (for example, random values from a cryptographically secure generator) to use in URLs. An attacker can still probe the ID space but will have low odds of finding anything; note that this only reduces the value of probing and does not replace the authorization check on the object itself. Another approach is to use a generic URL that is ...