Missing Function Level Access Control

Sudip Sengupta
4 min readMay 27, 2022

--

Function level access control enables a flexible hierarchical authorization check since it implements resource access control decisions based on task requirements. Unfortunately, an application with the access control security vulnerability allows an unauthenticated user to perform unauthorized actions on restricted resources by exploiting code and configuration settings flaws.

This article discusses the missing function level access control vulnerability, its impacts on application security, and how to protect web applications.

What Does A Missing Function Level Access Control Mean?

The missing function level authorization security vulnerability occurs when there are insufficient authorization checks for sensitive request handlers. This common vulnerability allows malicious users to access restricted resources by escalating their permissions at the function level. The attacker is typically an authenticated system user who changes a privileged function parameter to send corrupt requests for unauthorized admin access.

A broken function-level authorization attack starts with gaining access to Application Programming Interfaces (APIs). A malicious user gains application access permissions either through phishing or masquerading as a user then scans the application for any functions without proper checks. These include permission to directly access resources and exposure to restricted data by the user interface. Attackers can leverage these vulnerabilities to access unauthorized pages with sensitive information and gain additional permissions within the application.

Impact of Missing Function Level Access Control

It is easy for attackers to discover and exploit this vulnerability as all it takes is an attempt to modify the resource access method and perform a restricted action. If the request is accepted, the website is vulnerable, and the attackers can begin crafting further exploits as authorized users. By providing access privileges to unauthorized data and resources, this vulnerability may grant the attackers complete control of the application. The potential impact and severity typically rely on the individual user accounts compromised and the affected functions. Some effects of a successful function level access control failures include:

As one of the topmost security risks of OWASP top 10, Broken Access Control is considered one of the major challenges organizations deal with.

Exploiting Function Level Access Control Vulnerability

Here are popular approaches and their respective steps that attackers leverage to exploit missing function level access control:

Horizontal Privilege Escalation

  1. The attacker logs into a website. The URL bar probably includes the user’s ID during the login process: http://darwin.com/app/uID=1738.
  2. After proper authentication, they try to change the user’s ID to that of another user’s account. The URL is now similar to:http://darwin.com/app/uID=3225.
  3. Without proper authorization, the hacker can now log in as other application users by editing the URL’s UID parameter.

Forced Browsing Exploit

  1. Assuming the unauthorized user is browsing a site with the URL: http://darwin.com
  2. When clicking on a link, he notices the URL: http://darwin.com/app/info-page.
  3. The unauthorized user may try to access a page with elevated privileges by guessing and adding a parameter to the URL to lead to an admin user page: http://darwin.com/app/admin-info-page.
  4. If this page exists and the access control system is faulty, he can now perform functions of a privileged user within the application.

Protecting Applications from the Function Level Access Control Vulnerability

Some prevention mechanisms for this type of vulnerability include:

Enforce the Law of Least Privilege

Always deny by default, then incrementally define the access properties for each role as needed. This access control method makes the management of feature restrictions easier by defining function-level access rights for each user.

Log Access Control Events

Access control mechanisms should enforce the ownership of records, helping define the users that can access, modify or delete records. Access control lists (ACLs) should be used to maintain and update these access control records. Developers should also enforce the recording of authorization failures and create alerts for repeated failures.

Use Role-Based Access Control for Business-Level Functions

Developers should use centralized routines to enforce role-based authentication mechanisms for code functions at the business level. For example, the application business limit requirements are first defined, then each user is assigned a role based on these limits. This allows for the fine-grained control of access to every single function on servers running the web application.

How Crashtest Security Can Help you with Missing Function Level Access Control

The Crashtest Security Suite’s penetration testing platform helps developers and testers discover and mitigate comprehensive authorization issues. The platform automatically performs URL parameter manipulation and forced browsing attacks to establish whether the vulnerability can be used as part of a chain attack.

Crashtest Security outputs test and scan reports in multiple formats and allows security issues to be easily shared between cross-functional teams.

To know more about how Crashtest Security can help you start scanning your web applications in minutes, register for a free one here.

FAQ

What is the difference between missing function level access control and insecure direct object reference?

The insecure direct object reference is a fault in which back-end resources are mapped directly to front-end identifiers. Direct object reference vulnerabilities allow the hacker to gain access authority to restricted resources by guessing their ID value.

On the other hand, missing function level authorization is an authorization flaw where the application fails to check for user permissions properly. Function-level access control issues lead to the abuse of the application’s privileged access prevention mechanism.

This article has already been published on https://crashtest-security.com/missing-function-level-access-control/ and has been authorized by Crashtest Security for a republish.

--

--