Spring Broken Access
Control Guide: Examples
and Prevention

stackhawk

StackHawk|December 6, 2021

This article covers Spring broken access control and its role in the security and reliability of the modern web.

In this article, we'll explore access control and its role in the security and reliability of the modern web. 

First, we'll briefly explain what access control is and why it's essential. Next, we'll explore broken access control, what it looks like, and the vulnerabilities it targets. Last, we'll offer some mitigating strategies for these vulnerabilities that you can apply to your systems.

The development stack used to illustrate the concepts in this article is Spring Boot and Java. If you have no experience with these technologies, you can find other articles tackling this topic in the context of different technologies on our blog. 

However, if you want to learn more about Spring Boot, feel free to use this great resource.

Spring Boot Starter

Before jumping into the subject, let's briefly build a simple Spring Boot web project for Java to use as the backdrop for this article. To build it, all you need is a JDK installed, Gradle, and your favorite IDE to code.

Let's start by going to https://start.spring.io and downloading our boilerplate project. Make sure to select "Spring Web" and "Spring Security" as dependencies, Java as your language, and Gradle as your project type.

Once downloaded, proceed to the src/main/java/com/example/demo folder and create a class file called HelloController.java.

Then input the following code:

package com.example.springboot; 

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody; 

@Controller 
public class HelloController { 

  @RequestMapping("/")  
  @ResponseBody
  public String index() { 
    return "Greetings from Spring Boot!"; 
  } 
}

And that's it. 

You can run the code and go to localhost:8080 to see your page.

What Is Access Control?

In a nutshell, access control represents a set of policies and mechanisms that manage and control access to resources. Access control is also commonly known as authorization.

Once the server has determined your identity through a login or authentication mechanism, it grants or limits what functions and resources you have access to. Additionally, access control is usually employed as the platform for user tracking.

Despite the simplicity of its concepts, appropriately implementing a robust and secure access control system is difficult. Access control is closely bound to the system architecture. Moreover, users regularly fall into more than one role, which makes access management more complex. Therefore, developing access control from scratch is generally discouraged, and battle-tested, robust solutions like OAuth 2.0 and JWT are adopted.

What About Broken Access Control?

Broken access control comprises a set of known exploits that can represent a threat to your systems' access control. 

Despite many of the vulnerabilities in access control being easily exploited when neglected, they can be addressed relatively quickly. This point is important because the consequences of a breach in access control can be pretty destructive since attackers can take over your system.

To learn more about the complexities of access control, please follow this [LINK] to our in-depth article on broken access control.

Broken Access Control Vulnerabilities

There are plenty of vulnerabilities that attackers can exploit, depending on your technology stack and architecture. However, we will focus only on insecure IDs, path traversal, file permission, and client caching for brevity.

Insecure ID Vulnerability

Most modern websites use some form of ID or index to quickly and efficiently refer to data. For most circumstances, this is satisfactory. However, if these IDs are easy to figure out, either by hand or brute force, then you have a security problem.

To illustrate, imagine that you have a profile page section where the server displays the user profile. Then the following URL retrieves a user profile.

https://www.mywebsite.com/profile?id=123

Now, if I were to change the number in the query string manually and no active access control is in place to validate my request, I can access any profiles.

Path Traversal Vulnerability

Path traversal defines the capacity of a user to navigate a file system's directory tree freely. 

A system without proper access control might be a victim of path traversal exploits and allow attackers to access restricted resources in the server. This situation can happen when the path of a resource the system is allowing to retrieve is accessible to be modified and is not adequately validated.

To illustrate, take a look at the following URL:

https://www.mywebsite.com/photos?file=user.png

If we were to change "user.png" to something like "../../etc/passwd", we could gain access to the application secrets.

File Permission Vulnerability

File permission vulnerabilities are in the server's permission mechanism in its file system. 

All web applications contain critical configuration files and resources that should not be accessible. However, if there is a lack of proper configuration policies, an attacker can target these files, taking over the entire platform.

To illustrate this, here is an example of an attack attempting to access a file that should be inaccessible:

https://www.mywebsite.com/photos?file=../../gradle.json

Client Caching Vulnerability

Client caching vulnerabilities are tough to address because they involve attackers physically taking over the user's computer. Instead of remote attacks, they take advantage of the session credentials, cached pages, or data in the browser already present in an authenticated client.

Once this happens, the attacker can quickly gain access to the user data.

Addressing Broken Access Control

The first step to take to mitigate broken access control attacks is to implement a robust authentication mechanism. In this article, we will be implementing a simple form-based login mechanism to illustrate. Please explore the resources available in the Java and Spring Boot community for a more in-depth implementation.

First, create a file called SecurityConfiguration.java in the project src/main/java/com/example/demo directory.

Then add the following code:

package com.example.springboot; 

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            .anyRequest()
            .authenticated()
            .and()
            .formLogin()
            .and()
            .httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("user")
            .password("{noop}pass")
            .roles("USER");
    }
}

As you can see, this is essentially a contrived way to create the user in memory for the authentication manager. Of course, this action is not advisable in production, but it allows us to illustrate the concepts swiftly.

Congratulations, you have just implemented an authentication mechanism.

Refresh the page and check it out.

Tackling Broken Access Control Vulnerabilities

In order to tackle the specific vulnerabilities stated above, we need to make a few adjustments to the platform.

Insecure IDs: This solution is easily achievable by implementing GUIDs as IDs. You must develop your system with this vulnerability in mind early on. All IDs (or at least those belonging to sensitive resources) must be both obfuscated and unique.

Path Traversal: Path traversal mitigation requires validating all user inputs and restricting access to critical resources. Luckily, you don't need to do much to implement proper path traversal policies thanks to the robustness of libraries like Spring Security.

File Permission: Unless you need to tinker with the server permissions and add features related to file manipulation, you don't need to do much to stay secure. Nonetheless, consult with your server manager if you need further instructions.

Client Caching: In this case, the most effective solution is also the most simple. Don't store sensitive user information on the client browser. However, if you must venture into sophisticated features due to requirements, implement proper HTML meta tags and async validations to confirm authority on page load.

Find and Fix Security Vulnerabilities

Conclusion

According to SDTimes, broken access control is now the highest vulnerability in the OWASP Top 10 2021. This situation should be a cause of concern for developers.

However, as you have seen, delivering robust access control, despite its complexity, is relatively straightforward. 

Exploits and attacks are now more prevalent and ubiquitous than ever, and ensuring your system's security is an increasingly more complex task. Nevertheless, we must rise to the task and continue developing solutions to these issues.

This post was written by Juan Reyes. Juan is an engineer by profession and a dreamer by heart who crossed the seas to reach Japan following the promise of opportunity and challenge. While trying to find himself and build a meaningful life in the east, Juan borrows wisdom from his experiences as an entrepreneur, artist, hustler, father figure, husband, and friend to start writing about passion, meaning, self-development, leadership, relationships, and mental health. His many years of struggle and self-discovery have inspired him and drive to embark on a journey for wisdom.


StackHawk  |  December 6, 2021