Skip to main content
Redhat Developers  Logo
  • Products

    Featured

    • Red Hat Enterprise Linux
      Red Hat Enterprise Linux Icon
    • Red Hat OpenShift AI
      Red Hat OpenShift AI
    • Red Hat Enterprise Linux AI
      Linux icon inside of a brain
    • Image mode for Red Hat Enterprise Linux
      RHEL image mode
    • Red Hat OpenShift
      Openshift icon
    • Red Hat Ansible Automation Platform
      Ansible icon
    • Red Hat Developer Hub
      Developer Hub
    • View All Red Hat Products
    • Linux

      • Red Hat Enterprise Linux
      • Image mode for Red Hat Enterprise Linux
      • Red Hat Universal Base Images (UBI)
    • Java runtimes & frameworks

      • JBoss Enterprise Application Platform
      • Red Hat build of OpenJDK
    • Kubernetes

      • Red Hat OpenShift
      • Microsoft Azure Red Hat OpenShift
      • Red Hat OpenShift Virtualization
      • Red Hat OpenShift Lightspeed
    • Integration & App Connectivity

      • Red Hat Build of Apache Camel
      • Red Hat Service Interconnect
      • Red Hat Connectivity Link
    • AI/ML

      • Red Hat OpenShift AI
      • Red Hat Enterprise Linux AI
    • Automation

      • Red Hat Ansible Automation Platform
      • Red Hat Ansible Lightspeed
    • Developer tools

      • Red Hat Trusted Software Supply Chain
      • Podman Desktop
      • Red Hat OpenShift Dev Spaces
    • Developer Sandbox

      Developer Sandbox
      Try Red Hat products and technologies without setup or configuration fees for 30 days with this shared Openshift and Kubernetes cluster.
    • Try at no cost
  • Technologies

    Featured

    • AI/ML
      AI/ML Icon
    • Linux
      Linux Icon
    • Kubernetes
      Cloud icon
    • Automation
      Automation Icon showing arrows moving in a circle around a gear
    • View All Technologies
    • Programming Languages & Frameworks

      • Java
      • Python
      • JavaScript
    • System Design & Architecture

      • Red Hat architecture and design patterns
      • Microservices
      • Event-Driven Architecture
      • Databases
    • Developer Productivity

      • Developer productivity
      • Developer Tools
      • GitOps
    • Secure Development & Architectures

      • Security
      • Secure coding
    • Platform Engineering

      • DevOps
      • DevSecOps
      • Ansible automation for applications and services
    • Automated Data Processing

      • AI/ML
      • Data Science
      • Apache Kafka on Kubernetes
      • View All Technologies
    • Start exploring in the Developer Sandbox for free

      sandbox graphic
      Try Red Hat's products and technologies without setup or configuration.
    • Try at no cost
  • Learn

    Featured

    • Kubernetes & Cloud Native
      Openshift icon
    • Linux
      Rhel icon
    • Automation
      Ansible cloud icon
    • Java
      Java icon
    • AI/ML
      AI/ML Icon
    • View All Learning Resources

    E-Books

    • GitOps Cookbook
    • Podman in Action
    • Kubernetes Operators
    • The Path to GitOps
    • View All E-books

    Cheat Sheets

    • Linux Commands
    • Bash Commands
    • Git
    • systemd Commands
    • View All Cheat Sheets

    Documentation

    • API Catalog
    • Product Documentation
    • Legacy Documentation
    • Red Hat Learning

      Learning image
      Boost your technical skills to expert-level with the help of interactive lessons offered by various Red Hat Learning programs.
    • Explore Red Hat Learning
  • Developer Sandbox

    Developer Sandbox

    • Access Red Hat’s products and technologies without setup or configuration, and start developing quicker than ever before with our new, no-cost sandbox environments.
    • Explore Developer Sandbox

    Featured Developer Sandbox activities

    • Get started with your Developer Sandbox
    • OpenShift virtualization and application modernization using the Developer Sandbox
    • Explore all Developer Sandbox activities

    Ready to start developing apps?

    • Try at no cost
  • Blog
  • Events
  • Videos

How to prevent broken access control

December 8, 2022
Sandipan Roy
Related topics:
SecuritySecure Coding
Related products:
Red Hat Enterprise Linux

Share:

    There are many sophisticated forms of access control nowadays. Yet breaches are still common. Why does access control fail? This article answers that question by describing some of the flaws that lead to broken access control (also known as broken authorization or privilege escalation) and demonstrates secure coding.

    What is access control?

    Data protection is crucial, particularly in the field of information security. Personal information, financial records, and other sensitive data should not be accessible to everyone. Access control is a critical element of data security that designates who is permitted to view or change resources and information in a computing environment. Depending on users’ specified roles and associated rights, they are either granted or refused access to different resources and functions by appropriately planned and executed authorization frameworks.

    If access control is inadequate or flawed, a hostile actor could gain access to restricted material, edit or remove content, and carry out unauthorized tasks, even potentially take over the whole site. The only thing limiting the attack's harm is the rights given to a compromised user account.

    3 Methods of access control

    There are three general methods for implementing logical access control in a software system: 

    1. Discretionary access control (DAC)

    In discretionary access control, access to particular resources is controlled by the data's owner. Users have complete control over all their objects and attributes when using this sort of access control. Access to objects can be restricted based on who is attempting to get access to them. Most operating systems implement this type of access control using attributes (read, write, execute, etc.) to indicate the rights assigned to each user for the object being protected.

    The objects of the system (files, directories, etc.) in Linux systems include three traditional permissions: read (r), write (w), and execute (x). The root user grants these permissions to the group and other users (users who are not owners or members of the group).

    2. Role-based access control (RBAC)

    In a complicated system with many users and functions, discretionary access restrictions do not offer enough granularity to permit a well-defined and organized segmentation. Personnel specialists in human resources, for instance, shouldn't be allowed to create network accounts.

    In this situation, assigning rights based on roles rather than individual users or groups offers more freedom. For instance, RBAC permits access related to job titles. RBAC substantially eliminates discretion when granting access to objects.

    The modern solution for RBAC is the Lightweight Directory Access Protocol (LDAP). The Red Hat Directory Server provides an affordable LDAP solution. OpenLDAP and FreeIPA are open source solutions.

    3. Managed access control (MAC)

    In managed access control, a central authority controls access permissions depending on several degrees of security. This access method offers additional security for access and privilege handling.

    MAC tags every system component before being subjected to the access control policies set by the administrators. Even when a person passes other security restrictions, MAC examines the tags. The predefined MAC policies will determine whether to permit the operation.

    Modern Linux systems (including Red Hat Enterprise Linux and Fedora) support Security Enhanced Linux (SELinux) to provide MAC.

    Examples of broken access control

    Broken access control refers to various problems that result from the improper application of checks which determine user access. Implementing authorization across dynamic systems is difficult, and policies can become inconsistent when user roles, authentication libraries, and protocols change. All web applications, databases, operating systems, and other technical infrastructures dependent on permission restrictions are vulnerable to such flaws.

    There are two primary types of authorization attacks to think about from the user's perspective: horizontal and vertical bypassing.

    Horizontal bypassing of authorization control

    Horizontal bypassing means that an unprivileged user gains access to other users' accounts with equivalent privileges. Consider a scenario where an application requests account information from a downstream method and accepts unscreened data from the method. An insecure downstream method might obtain account information through a query string like the following:

    https://developers.redhat.com/author?Id=273801
    
    https://developers.redhat.com/author?Id=273802

    An attacker can readily change the ID argument in the HTTP request to access data from one or many users' accounts. Similarly, when an unscreened user input directly accesses objects, it is called an insecure direct object reference (IDOR).

    Vertical bypassing of authorization control

    Vertical bypassing of authorization control means that an attacker gets a higher level of privilege (i.e., root or superuser privilege) than the system intended to grant.

    For instance, suppose an attacker navigates to the second URL in the following example, where access to the admin dashboard should need administrative permissions:

    https://developers.redhat.com/contributor/dashboard
    
    ​​​​​​​https://developers.redhat.com/admin/dashboard

    Suppose the service does not verify that the current user's role matches the role necessary to access particular resources. In that case, a person without administrative rights can easily access any URL by simply knowing or guessing the targeted URL and visiting it.

    How to prevent broken access control

    Developers can take several fundamental precautions to guard against broken access control attacks. A strong process begins with a review of the application's access control needs and the creation of a security policy that aligns with the results. A review should include an access control matrix, a detailed statement of what kinds of users are permitted access, and a list of the permitted and prohibited uses of that access.

    Utilize role-based access control (RBAC) to impose proper limits on each role. Be sure that the access control mechanism is appropriately applied, on the server side, on all pages and API endpoints for web applications. Simply asking for direct access to a website or resource should not allow users to gain access to any unauthorized functionality or data.

    Here is a checklist to prevent broken access control:

    • Never use obfuscation as the sole method of access control.
    • Specify the degree of access permitted for each resource at the code level, denying all access by default.
    • Deny access by default if a resource isn't meant to be shared with the general public.
    • Audit and thoroughly test access control to ensure it functions as intended.

    A secure coding example

    Let's look at how to ensure proper access control in a sample program. The example in this article is written in the Go programming language, which lacks native solutions for this issue. Some other frameworks provide specialized methods for implementing strong access control.

    The following Go framework takes some action for users who have been authenticated. The code submits the user ID to a service named​​​​​​​ authenticationMiddleware to guarantee that only authorized users trigger ActionHandler:

    e := echo.New()
    
    e.POST("/action/:id", ActionHandler, authenticationMiddleware)

    This access check might not be sufficient. Correct authorization must be maintained wherever the program provides access to resources to prevent a bypass. For instance, suppose the ActionHandler method invoked by the program offers access to a sensitive resource:

    func ActionHandler(c echo.Context) error {
    
        id := c.Param("Id")
    
        resource := getResourceBy("Id")
    
        resource.Action()
    
        return c.String(http.StatusOK, "OK")
    
    }

    Developers of ActionHandler must make sure that access control checks are carried out before granting access:

    func ActionHandler(c echo.Context) error {
    
        id := c.Param("id")
    
        resource := getResourceBy("id")
    
        if resource.Owner() != getOwnerFromContext(c) {
    
            return c.String(http.StatusUnauthorized, "User is not Authorized for this Action.")
    
        }
    
        resource.Action()
    
        return c.String(http.StatusOK, "OK")
    
    }

    Preventing broken access control is crucial

    Be diligent in using the tools that manage and monitor the security of your assets, even if it feels like they require a lot of work. You can find information about authorization bypassing in the OWASP CheetSheet. Stop cyberattacks using secure coding techniques and ongoing security testing. Learn more about secure coding practice by reviewing the OWASP secure coding practice guide. Go programmers can read Black Hat Go for information about security penetration testing.

    Last updated: October 8, 2024

    Related Posts

    • Role-based access control behind a proxy in an OAuth access delegation

    • Secure Development Series: Authorization

    • Integrating Red Hat Single Sign-On version 7.4 with Red Hat Directory Server (LDAP)

    • What enterprise developers need to know about security and compliance

    Recent Posts

    • Container starting and termination order in a pod

    • More Essential AI tutorials for Node.js Developers

    • How to run a fraud detection AI model on RHEL CVMs

    • How we use software provenance at Red Hat

    • Alternatives to creating bootc images from scratch

    What’s up next?

    Ready to level up your Linux knowledge? Our Intermediate Linux Cheat Sheet presents a collection of Linux commands and executables for developers and system administrators who want to move beyond the basics.

    Get the cheat sheet
    Red Hat Developers logo LinkedIn YouTube Twitter Facebook

    Products

    • Red Hat Enterprise Linux
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform

    Build

    • Developer Sandbox
    • Developer Tools
    • Interactive Tutorials
    • API Catalog

    Quicklinks

    • Learning Resources
    • E-books
    • Cheat Sheets
    • Blog
    • Events
    • Newsletter

    Communicate

    • About us
    • Contact sales
    • Find a partner
    • Report a website issue
    • Site Status Dashboard
    • Report a security problem

    RED HAT DEVELOPER

    Build here. Go anywhere.

    We serve the builders. The problem solvers who create careers with code.

    Join us if you’re a developer, software engineer, web designer, front-end designer, UX designer, computer scientist, architect, tester, product manager, project manager or team lead.

    Sign me up

    Red Hat legal and privacy links

    • About Red Hat
    • Jobs
    • Events
    • Locations
    • Contact Red Hat
    • Red Hat Blog
    • Inclusion at Red Hat
    • Cool Stuff Store
    • Red Hat Summit

    Red Hat legal and privacy links

    • Privacy statement
    • Terms of use
    • All policies and guidelines
    • Digital accessibility

    Report a website issue