How can developers help the security team?
Developers can help the security team by implementing a logging system and logging important and sensitive information. In this article we talk about the things that can help the security team find and block attackers, and find security bugs in our system.
First of all we must understand a well-known attack, broken access control, and how it occurs in our application.
Access control is an important security measure for organizations of all sizes. Without it, intruders can gain access to sensitive data and cause real damage.
Unfortunately, broken access control can occur, and it is a common vulnerability that can leave your organization exposed to attacks. In this article, we’ll discuss what broken access control is and how you can protect your organization from it.
What Is Broken Access Control?
Broken access control is a type of vulnerability that allows unauthorized users to gain access to sensitive data or systems. This can happen when controls such as authentication and authorization are not properly implemented, or when there are weaknesses in the way these controls are enforced.
Broken access control can lead to several serious security issues, including data breaches, theft of sensitive information, and loss of system availability. In some cases, it can also enable an attacker to gain elevated privileges that allow them to perform malicious actions on the systems or data they have accessed.
Organizations need to be aware of the risks posed by broken access control and take steps to prevent it. This includes ensuring that all controls are properly implemented and enforcing least privilege principles to limit the permissions of users and groups. Additionally, regular monitoring of systems and data should be conducted to detect any unauthorized activity.
What are the different types of access control?
From a user’s perspective, access controls can be divided into the following categories: vertical, horizontal or contextual access controls.
Firstly, vertical access controls:
These are mechanisms that limit access to sensitive functionality via well-defined roles on the system (e.g. administrators and different user groups). And in this case, a standard user should not be able to access an administrator’s data and perform actions outside the scope of his or her duties.
Then, horizontal access controls:
Here it is a question of limiting access to certain resources to users who are specifically authorised to access them. Thus, within the same group of users (let’s imagine an accounting department), user A will have access to a subset of resources X, inaccessible to user B, but who will have access to another subset of resources Y, inaccessible to A.
Finally, contextual access controls:
These allow access to features and resources to be restricted based on the state of the application or the user’s interaction with it.
What are the most common broken access control vulnerabilities?
Before getting to the heart of the matter, it should be noted that privilege escalation or account theft are very often the main objectives of an attacker targeting a web application. To do this, several exploits are possible.
Exploitation of IDOR vulnerabilities and account theft
An IDOR (Insecure Direct Object Reference) vulnerability occurs when a direct reference to an object can be controlled by a user.
Let’s take a concrete case to present an example of exploitation of this type of vulnerability, linked to the lack of rights control on a system.
Indeed, during a web penetration test, we identified an IDOR that we exploited by taking advantage of another “Mass Assignment” type vulnerability. This allowed us to modify the email of a super administrator and take control of his account.
https://www.vaadata.com/blog/owasp-top-10-1-broken-access-control-and-security-tips/
How can we help the security team find attackers who are probing for broken access control vulnerabilities?
In backend code most applications use bearer tokens or cookie-based authentication; in both cases we already have the user's information. We must check, for example, the user id from the token against the user id whose order list the client is requesting. If the user id in our token differs from the one the client requested, log it in the database as a broken access control attack and save the user's IP address and system information in the logging system.
This helps the security team analyse the user's behaviour and find the attacker more easily than before.
When we handle a security vulnerability we must not reveal it to the client. For example, if we write a regex to check for XSS attacks and the text contains suspicious content, we must log it as developers and not show anything about it to the user.
In more detail: suppose we have an endpoint \User\GetOrder?userid=2 that returns all of a user's orders. If an attacker changes this number to 3, our web API must not return that information; it should only return an empty list to the user, and it must not show a message such as "this user id does not match your token", because this type of error message helps attackers find vulnerabilities more easily.
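The check described above, written as an added example (this is not code from the original post): a handler for the GetOrder endpoint compares the user id from the verified token with the client-supplied userid, returns an empty list on mismatch, and records the attempt with IP and user agent for the security team; a small helper then counts mismatches per IP so repeated probing stands out. The order data, the event store and the threshold are constructed for the example.

```python
import json
import logging
from collections import Counter
from datetime import datetime, timezone

# Constructed sample data: orders keyed by the owning user id.
ORDERS = {
    2: [{"order_id": 101, "total": 40.0}, {"order_id": 102, "total": 12.5}],
    3: [{"order_id": 201, "total": 99.0}],
}

# In-memory stand-in for the database/log store the security team reads.
SECURITY_EVENTS: list[dict] = []
log = logging.getLogger("security")


def get_orders(token_user_id: int, requested_user_id: int,
               client_ip: str, user_agent: str) -> list[dict]:
    """Handler for GET /User/GetOrder?userid=N.

    token_user_id comes from the verified bearer token or session cookie;
    requested_user_id is the query parameter the client sent. A mismatch is
    logged as a suspected broken access control attempt, and the client only
    ever sees an empty list, never a message explaining why.
    """
    if token_user_id != requested_user_id:
        event = {
            "time": datetime.now(timezone.utc).isoformat(),
            "event": "broken_access_control_attempt",
            "token_user_id": token_user_id,
            "requested_user_id": requested_user_id,
            "client_ip": client_ip,
            "user_agent": user_agent,
        }
        SECURITY_EVENTS.append(event)
        log.warning(json.dumps(event))
        return []  # no hint to the caller that the id belongs to someone else
    # Orders are always looked up by the id from the token, not the query string.
    return ORDERS.get(token_user_id, [])


def suspicious_ips(events: list[dict], threshold: int = 3) -> dict[str, int]:
    """Count mismatch events per client IP; return those at or over threshold."""
    counts = Counter(e["client_ip"] for e in events
                     if e["event"] == "broken_access_control_attempt")
    return {ip: n for ip, n in counts.items() if n >= threshold}
```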