Golang Broken Access
Control Guide: Examples
and Prevention

stackhawk

StackHawk|March 15, 2022

This article will explore what Access Control is, then look at the specifics of Broken Access Control in Golang, some examples, and how to prevent it.

Golang Broken Access Control Guide: Examples and Prevention image

Data protection is an important subject, especially in the information technology industry. This is because data protection and regulation are sometimes difficult. For instance, it is almost seamless for people to get hold of any type of information on the internet.

However, certain types of information shouldn't be accessible to everyone, such as medical records. To make sure that these data aren't accessible to just anyone, regulations like the GDPR (General Data Protection Regulation) regulate the sharing of users' personal data. Since information is easily accessible on the internet, the information technology industry must look for ways to protect users' data. 

In the IT industry, software developers protect personal data by enabling access control. In this article, we will explore what access control is, then discuss the specifics of broken access control in Golang, examples of what it looks like, and how to prevent it. 

What Is Access Control?

Another name for access control is authorization. Authorization in the information technology field involves the process of verifying the files, information, and data that a person has access to. Authorization defines permission to access data. In IT companies, access control is mostly done after authentication. 

In authentication, the system verifies that a person is truly who they claim to be. For instance, if a person claims to be a user of an application, the system asks for their username and password. After authentication, users can access data from an application according to the permissions they have. To understand how authorization works and how it sets permissions, let's look at the different access controls and how they operate. 

Methods of Access Control

There are three different types of access control: discretionary access control (DAC), managed access control (MAC), and role-based access control (RBAC). 

Discretionary Access Control (DAC)

Discretionary access control bestows the organization's head the ability to determine who accesses information, files, or data. 

This type of access control gives absolute power to an individual to control all objects and properties associated with them. This type of access control is less restrictive. For instance, a user can share data in their care with a malicious user. 

Managed Access Control (MAC)

Managed access control is a highly restrictive access control method mostly used in organizations that need to be highly secretive or discreet, like the military service. 

First, an administrator or root gives a user permission to access information. Next, the user will go through a series of security clearances before they can finally access information. 

Role-Based Access Control (RBAC)

Role-based access control is the most commonly used access control. In this type, employees are added to a list according to their roles. This list is matched to the database, and employees are allowed access to the data that fit their role. 

An advantage of RBAC control is its flexibility. Also, the firm can quickly continue operations with a new employee if an employee leaves since they don't need to change passcodes. 

Broken Access Control in Golang

Golang is an amazing programming language that makes building products faster. For instance, building microservices with Golang saves a lot of time and is efficient. However, it is important that software developers secure users' data. This includes incorporating authorization into products. For instance, developers can integrate RBAC into Go applications with the use of a token-based authorization strategy like JSON Web Token (JWT)

In this section, let's explore the different ways access control can be broken in Golang.

Client-Side Caching

While client-side caching is a very brilliant idea, it also has its downsides that can act as vulnerabilities. For instance, with Redis 6 server-assisted client-side caching, Golang can implement caching in their application. This way, we can cache users' information when they successfully log in without the need to send requests to the server on each login attempt. This imposes a vulnerability in that an attacker can pose as the owner when they get hold of a user's information. 

Another vulnerability can result from users accessing websites from public places, like airports or cybercafes, where malicious actors can access their information. 

Golang Broken Access Control Guide: Examples and Prevention image

Insecure Direct Object Reference (IDOR)

This type of vulnerability occurs when the application allows users to access an object using a direct identifier of the object as their input. This allows the attacker to skip authorization. 

For instance, let's say a user can access their medical records with the route "https://ourpatients.com/userID=1234". If they can access the records of another patient by tweaking the user ID, then there's a vulnerability. 

Broken Object Level Authorization (BOLA)

Just like insecure IDOR, broken object level authorization is a type of vulnerability that occurs when APIs expose endpoints with object identifiers. For instance, when using Gorilla Mux, you'll get something like this: 

func main() {

    // Init the mux router
    router: = mux.NewRouter()

    // Route handles & endpoints
    // Get all books
        router.HandleFunc("/books/", GetBooks).Methods("GET")

    // Create a book
        router.HandleFunc("/books/", CreateBook).Methods("POST")

    // Delete a specific book by the bookID
        router.HandleFunc("/books/{bookid}", DeleteBook).Methods("DELETE")

    // Delete all books
        router.HandleFunc("/books/", DeleteBooks).Methods("DELETE")

    // serve the app
        fmt.Println("Server at 8080")
    log.Fatal(http.ListenAndServe(":8000", router))
}

Notice how the user can delete a book according to their ID. If this ID is exposed and users can delete a book by tweaking the ID in the URL, then there's a vulnerability. 

CORS Misconfiguration

Cross-origin resource sharing (CORS) allows an external domain to access restricted data. Cross-origin resource sharing is essential sometimes. For instance, a front-end application hosted in another domain can access a back-end application in another domain. 

However, a miscommunication of CORS can cause broken authorization. For instance, if a developer runs the code below, they'll accept requests from all external domains.

func enableCors(w * http.ResponseWriter) {
( * w).Header().Set("Access-Control-Allow-Origin", "*")
}

This can pose a threat, especially if an attacker sends a malicious request to the application.

Prevention of Broken Access Control in Golang

In the section above, we explored the different examples of broken access control in Golang. In this section, we'll discuss how to prevent them. 

CORS Configuration

To prevent malicious attackers from getting access to your application due to CORS misconfiguration, developers need to configure CORS with security in mind. For instance, instead of giving access to every external domain, developers can give access to their application alone. 

For example, if an application's front-end domain is "https://myfrontend.com", only this domain should be given access. To do this, we'll replace "*" with "https://myfrontend.com".

func enableCors(w * http.ResponseWriter) {
( * w).Header().Set("Access-Control-Allow-Origin", "https://my frontend.com")
}

Cache Control

While caching is very helpful, developers can implement max-age and must-revalidate as part of cache control in order to prevent vulnerabilities. This way, attackers can't get access to a user's information by using their computer. Developers can do this by including this in their request's header. 

Cache-Control "max-age=3600, must-revalidate"

Prevent Broken Object Level Authorization and Insecure Direct Object Reference

Lots of firms have applications that have BOLA vulnerabilities. To prevent these vulnerabilities, take the following steps: 

  • Use random globally unique identifiers in the URL instead of user IDs.

  • In the case where a firm still makes use of user IDs in routes, ensure that the users have access to a page they're trying to access.

  • Don't give access to users that try to tweak IDs in the URL. Instead, extract IDs from authorization tokens.

Find and Fix Application Security Vulnerabilities with Automated Testing

Conclusion

Broken authorization is a security breach. This is because it makes users' personal data vulnerable to malicious actors. Although it seems like a lot of work to do in order to protect users' data, there are applications that help manage and monitor your products' security. 

For instance, StackHawk provides a tool for application security. Here developers can monitor their applications, fish out vulnerabilities, and get information on how to fix them. 

This post was written by Ukpai Ugochi. Ukpai is a full stack JavaScript developer (MEVN), and she contributes to FOSS in her free time. She loves to share knowledge about her transition from marine engineering to software development to encourage people who love software development and don't know where to begin. 


StackHawk  |  March 15, 2022