Vue Broken Access
Control Guide: Examples
and Prevention

stackhawk

StackHawk|April 12, 2022

For this article, we'll be exploring the topic of vue broken access control for Vue.js developers.

As our leverage grows as productive market members, so do the threats and liabilities we need to mitigate. Therefore, the expertise we need to acquire in order to minimize these threats keeps expanding.

So, to help you keep things manageable, we've created a series of articles tackling the most common security threats and how to address them effectively.

Our articles cover an extensive spectrum of subjects and technologies; no matter your technology of choice, we have an article for you.

For this article, we'll be exploring the topic of broken access control for Vue.js developers.

If you have no experience with any of these technologies, we recommend you take a quick look at this link.

However, we won't be going too deep into specifics, so don't worry too much. A basic understanding of Javascript is required, but it won't take too long to get the hang of it. Plus, you will learn some really cool stuff.

Alright. Moving on.

Explaining Access Control

Access control, also referred to as authorization, pertains to a set of policies and mechanisms that govern access to digital resources.

The normal authorization flow takes place once the server has determined your credentials through an authentication mechanism. It then follows by granting or restricting what resources a user has access to by controlling privileges and routes to resources and endpoints.

Despite their similarities in the process of protecting and gatekeeping resources, it's important not to confuse the role of authentication with that of authorization. Strictly speaking, authentication is the act of determining a user's identity. On the other hand, authorization is the act of determining whether a user has access to a resource.

Additionally, authorization infrastructure is commonly the backbone for user tracking and resource monitoring.

Implementing a trustworthy and reliable access control system is a very intricate and misleadingly challenging task since it is so intimately tied to the architecture of your system.

Depending on the scale and sophistication of your system, an acceptable solution could mean implementing a complex authentication mechanism, a third-party library, or a combination of both.

Broken Access Control

As you might have imagined already, "broken access control" refers to the act of breaching your system's access control (hence the "broken" part of the term).

It goes without saying that a breach of your access control mechanism is a significant concern for your security. This event could be disastrous to your business and the users who use your service. Knowing that a single successful breach could provide a bad actor with control over your platform, it is essential to address any vulnerability found.

Common Broken Access Control Vulnerabilities

Broken access control vulnerabilities can present themselves in many different ways.

Insecure ID Vulnerability

Modern websites use some form of ID to quickly and efficiently retrieve data. However, if these IDs are easy to figure out, there is a potential vulnerability.

To illustrate, imagine you have a profile page section where the user profile is displayed. Then the following URL retrieves our user profile.

https://www.supersecure.com/profile?id=123

By changing the number in this query string, I can access any profile. That's the kind of threat you face when no active access control is in place.

Path Traversal Vulnerability

Path Traversal refers to the ability to navigate a filesystem's directory. Without proper access control, your system might be victim to Path Traversal exploits, allowing bad actors to access restricted resources on the server.

To illustrate, please refer to the following URL.

https://www.supersecure.com/photos?file=user.png

When the path of a resource in the system can be modified by the user and is not adequately validated, this is a potentially vulnerable point. For example, if you were to change 'user.png' to something like '../../src/secrets', we could access the application secrets.

File Permission Vulnerability

Typically, web applications include vital configuration files and resources that should not be accessible by users. However, an attacker can target these files if there is a poor implementation of configuration policies.

In this case, File Permission vulnerabilities are vulnerabilities in the server's permission mechanism.

To illustrate this, here is an example.

https://www.supersecure.com/photos?file=../../secure.json

In this case, the attacker is requesting our application to retrieve a file that it's not supposed to retrieve.

Implementing Proper Authentication

The first thing you need to do is make sure that you have implemented proper authentication in your application.

We will be using the Auth0 service to provide a robust authentication solution.

Here's a quick refresher on how to implement Auth0 on your application from ourprevious article on the subject.

First, go to the Auth0 website and register a new application. If you don't have an Auth0 account, you can sign up here.

Once in the Auth0 dashboard, go to the Applications section and click on the Create application button. Input a name for your application and make sure to choose Regular web applications as the application type.

Lastly, click the Create button.

After creating the application, go to the Settings tab and get your Auth0 domain and client id. Then, set Allowed callback URLs to https://localhost:8080/callback and Allowed logout URLs to https://localhost:8080/.

The first URL tells Auth0 where to redirect the user after authentication, and the second URL tells Auth0 where to redirect the user after logout.

Finally, save your changes.

Now, go to your project's root folder and create a file called "appsettings.json" there. Then, add the following code and update YOUR_DOMAIN and YOUR_CLIENT_ID with the corresponding values from the Auth0 dashboard.

{
    "domain": "YOUR_AUTH0_DOMAIN",
    "clientId": "YOUR_AUTH0_CLIENT_ID",
    "audience": "",
    "serverUrl": ""
}


That's it.

Addressing Broken Access Control Vulnerabilities

Addressing broken access control vulnerabilities requires making a few simple adjustments to our platform.

Insecure IDs

To address insecure IDs, we need to ensure we have implemented GUIDs as our IDs so they are not easily guessable.

In addition, IDs belonging to sensitive resources must be unique and obfuscated.

Of course, this requires a significant change if you have not done so beforehand, but it's critical to make this change as it is the most fundamental security measure we can take.

Path Traversal

In order to mitigate path traversal attacks, we must validate all user inputs and restrict access to resources as much as possible.

A simple way to do this would be with the following check:

var rootDirectory = '/var/www/';
var path = require('path');
var filename = path.join(rootDirectory, userInput);
if (filename.indexOf(rootDirectory) !== 0) {
  return respond('ACCESS DENIED');
}

This filename variable contains the name of a validated file or directory.

Ready to Test Your App

File Permission

Vue.js and Node.js do everything that needs to be done in this regard, so you don't need to do much to stay secure. Nevertheless, you should consult your security manager if you need to tinker with these settings.

Vue Broken Access Control Guide: Examples and Prevention image

Conclusion

It is hard to argue with the notion that in terms of productivity and capacity to create wealth, no career compares to software development. Creating products and services that reach mass adoption and bring immense change has never been this easy, and with that power comes great responsibility.

Creating elegant and robust solutions is now a cakewalk with Node.js and Vue.js. Nevertheless, it is essential to understand that, despite these technologies' enormous leverage and versatility, it is still crucial to keep an eye on our security.

We recommend considering our dynamic application security testing (DAST) solution for your team.

Our DAST runs security tests against your running application in real-time, finding vulnerabilities your team might have introduced and exploitable open source vulnerabilities in your libraries.

You can check it out here.

This post was written by Juan Reyes. Juan is an engineer by profession and a dreamer by heart who crossed the seas to reach Japan following the promise of opportunity and challenge. While trying to find himself and build a meaningful life in the east, Juan borrows wisdom from his experiences as an entrepreneur, artist, hustler, father figure, husband, and friend to start writing about passion, meaning, self-development, leadership, relationships, and mental health. His many years of struggle and self-discovery have inspired him and drive to embark on a journey for wisdom.


StackHawk  |  April 12, 2022