BAC - Broken Access Control

Broken Access Control (BAC) is a common security vulnerability in web applications. It occurs when an application fails to enforce restrictions on which resources users may access and which actions they may perform. This can result in an attacker being able to read sensitive data, perform unauthorized actions, or escalate their privileges within the system. In this blog post, we'll explore what Broken Access Control is and how it relates to Insecure Direct Object Reference (IDOR).

What is Broken Access Control?

Broken Access Control is a vulnerability that occurs when a web application allows a user to access resources or perform actions that they should not be able to. This can happen for a variety of reasons, such as:

  • Lack of authentication: The application doesn't properly require users to log in or identify themselves before accessing certain resources or performing actions.

  • Insufficient authorization checks: Even if users are authenticated, the application does not properly verify that they have the appropriate permissions to access or perform certain actions.

  • Insecure direct object references: The application exposes internal IDs or other sensitive data in URLs or other user inputs, allowing attackers to modify or access data they should not be able to.

What is Insecure Direct Object Reference (IDOR)?

Insecure Direct Object Reference (IDOR) is a type of Broken Access Control vulnerability that occurs when a web application exposes a reference to an internal object or resource, such as a database record or file, in a way that allows an attacker to modify or access that object or resource directly. This can happen when an application uses internal IDs or other sensitive information in URLs, cookies, or other user inputs.

For example, imagine a web application that allows users to view their own order history by accessing a URL like https://example.com/orders/1234, where "1234" is the ID of the user's order. If an attacker can modify the URL to https://example.com/orders/5678, where "5678" is the ID of another user's order, they can view or modify that user's order data without proper authorization checks.
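As an added example (not code from the original post), here is the order-history lookup described above, first with the IDOR defect and then with the ownership check that fixes it; the in-memory store, user IDs, and the choice to answer 404 rather than 403 on a mismatch are assumptions made for illustration.

```python
# Added example, not part of the original post: the /orders/<id> lookup with
# the IDOR defect, then two ways of enforcing the missing ownership check.
# The data store, user ids and order ids are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    items: tuple


# Constructed sample data: user 1 owns order 1234, user 2 owns order 5678.
ORDERS = {
    1234: Order(1234, owner_id=1, items=("book",)),
    5678: Order(5678, owner_id=2, items=("laptop",)),
}


def get_order_vulnerable(session_user_id, order_id):
    """IDOR: the record is fetched by the id taken from the URL and the
    authenticated user is never compared with the owner, so user 1 can
    read /orders/5678. Returns (http_status, order)."""
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    return 200, order


def get_order_fixed(session_user_id, order_id):
    """Authorization check: return the record only if the authenticated user
    owns it. Answering 404 instead of 403 on a mismatch avoids confirming that
    an order with that id exists, which limits what id guessing reveals."""
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != session_user_id:
        return 404, None
    return 200, order


def get_order_scoped(session_user_id, order_id):
    """Alternative that is harder to forget in larger code bases: look the id
    up only inside the caller's own records, so the check cannot be skipped."""
    owned = {o.order_id: o for o in ORDERS.values()
             if o.owner_id == session_user_id}
    order = owned.get(order_id)
    return (200, order) if order is not None else (404, None)
```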

How are Broken Access Control and IDOR related?

Insecure Direct Object Reference (IDOR) is a specific type of Broken Access Control vulnerability. It occurs when an application exposes sensitive information in a way that allows attackers to access or modify that information directly, without proper authorization checks.

Other types of Broken Access Control vulnerabilities can also allow attackers to access or modify sensitive information. For example, a web application that does not properly authenticate users before allowing them to view or modify data could be vulnerable to a variety of attacks, including IDOR.

In conclusion, Broken Access Control and Insecure Direct Object Reference are both serious security vulnerabilities that can allow attackers to access or modify sensitive data in a web application. To prevent these vulnerabilities, developers should implement proper authentication and authorization checks, avoid exposing sensitive information in URLs or other user inputs, and regularly test their applications for security vulnerabilities.
