Missing Function Level Access Control
The essence of this vulnerability, as the name suggests, is that proper access to the requested object is not verified. An attacker, who may be the current user of the application, can use it to escalate privileges and gain access to restricted functionality. For example, restricted features at the administrator level are often the target of this attack.
Most web applications check permissions before displaying data in the UI. However, applications must perform the same access control checks on the server when requesting any functionality. After all, there are many more helper service requests that are sent asynchronously in the background using AJAX technology.
If the request parameters are not carefully verified, attackers can spoof a request to access the data without proper permissions.
Attackers primarily exploit this vulnerability by manipulating URLs. For example, consider these URLs provided by an application:
Although both require authenticated users, let’s assume that /remove should only be available to the administrative user. If an unauthenticated or authenticated non-admin user can access the /remove function, it’s a missing function-level access control flaw.
Example 1: Forced Scan URL
- Type the URL and enter the site (in the example we will use this domain): http://example.com
- Click on a link or app and note the URL: http://example.com/app/getappinfo
- Now, to see if there is such an open on the page, you just need to add a parameter to the url like this. http://example.com/app/admin_getappinfo
If the page works, you now have admin access to the app.
Example 2: Horizontal Access Attack
- User goes to site, logs in to confirm authorization to site resources: http://example.com/app/userId=21775
- User replaces their userId with another user’s: http://example.com/app/userId=31356
- If the appropriate authorization procedures are not in place, the user now tries typing the other user userIDs.
Avoiding Missing Function Level Access Control Vulnerability
The first step towards preventing access control issues is to define the access control policy for the application. The access control policy describes the security requirements for each function so that developers can enforce it consistently.
In its simplest form, Node applications can implement access control using middleware in a route configuration. The middleware function acts as a filter that allows you to modify the request object, write to the response, call the next middleware, or terminate the request without continuing the chain. We can add a number of middleware…
- By default deny access to functionality.
- Use access control lists and role-based authentication mechanisms.
- Don’t just hide functions.