Explore key attack scenarios and prevention strategies related to broken access control from the OWASP Top 10. This quiz challenges your understanding of common vulnerabilities, real-world examples, and secure practices vital for effective security testing in modern applications.
In a social media platform, if a regular user manually changes a profile URL from /profile/1002 to /profile/1003 and gains access to another user's profile without permission, which type of broken access control is being exploited?
Explanation: Horizontal privilege escalation occurs when a user is able to access resources of peers at the same privilege level, as in this scenario. Vertical privilege escalation, on the other hand, is when a user gains increased privileges beyond their assigned level. Session fixation is related to session management issues, not access rights. Cross-site scripting involves injecting malicious scripts, not unauthorized access.
Which measure most effectively prevents broken access control vulnerabilities by ensuring users cannot access data or functions for which they lack authorization?
Explanation: Server-side authorization checks ensure that every request is validated against the user's permissions, making them effective against access control issues. Client-side validation, such as email format checks, does not enforce access controls and can be bypassed. Hashing data protects confidentiality, not access rights. Disabling browser autocomplete is unrelated to access control mechanisms.
An attacker discovers that by sending specially crafted API requests, they can access administrative endpoints not shown in the user interface. Which vulnerability does this scenario best illustrate?
Explanation: IDOR occurs when access to resources is based on user-supplied input without proper authorization checks, enabling attackers to access unauthorized endpoints. While security misconfiguration can create risks, it is not specific to direct object references. SQL injection involves sending malicious database queries, not accessing endpoints. Open redirects allow URL redirection to untrusted locations but do not involve unauthorized API access.
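The three explanations above (horizontal privilege escalation on `/profile/<id>`, server-side authorization checks, and administrative endpoints that are reachable even when the interface hides them) can be shown together in one small piece of code. The following is an added example, not part of the quiz: a plain-Python request-handler layer with the unchecked profile lookup beside its hardened form, plus a role check applied to an admin function on every call. The users, roles, profile records and function names are constructed for illustration.

```python
"""Added example (not part of the quiz): minimal server-side authorization.
Contrasts an unchecked profile lookup (the IDOR / horizontal privilege
escalation scenario) with a handler that verifies ownership, and guards an
administrative function with a role check that holds regardless of whether
the UI exposes it. All data and names below are constructed."""

from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized."""


@dataclass(frozen=True)
class User:
    id: int
    role: str  # constructed roles: "user" or "admin"


# Constructed data store: profile id -> owner id and profile data
PROFILES = {
    1002: {"owner_id": 1002, "email": "alice@example.test"},
    1003: {"owner_id": 1003, "email": "bob@example.test"},
}


def get_profile_vulnerable(caller: User, profile_id: int) -> dict:
    """Vulnerable: trusts the client-supplied id and never checks whether
    the caller owns the profile, so user 1002 can read profile 1003."""
    return PROFILES[profile_id]


def get_profile_secure(caller: User, profile_id: int) -> dict:
    """Hardened: the decision is made server-side against the caller's
    identity, not against the URL the client chose to request."""
    profile = PROFILES.get(profile_id)
    if profile is None:
        raise KeyError(profile_id)
    if profile["owner_id"] != caller.id and caller.role != "admin":
        raise Forbidden(f"user {caller.id} may not read profile {profile_id}")
    return profile


def require_role(role: str):
    """Decorator enforcing a role on every call of the wrapped handler,
    whether or not the endpoint is linked from the user interface."""
    def decorator(fn):
        def wrapper(caller: User, *args, **kwargs):
            if caller.role != role:
                raise Forbidden(f"{fn.__name__} requires role {role!r}")
            return fn(caller, *args, **kwargs)
        wrapper.__name__ = fn.__name__
        return wrapper
    return decorator


@require_role("admin")
def admin_list_users(caller: User) -> list:
    """Administrative endpoint: reachable only through the role check."""
    return sorted(PROFILES)


def simulate(handler, caller: User, *args) -> int:
    """Run a handler and report the outcome as an HTTP-style status code."""
    try:
        handler(caller, *args)
        return 200
    except Forbidden:
        return 403
    except KeyError:
        return 404


if __name__ == "__main__":
    alice = User(1002, "user")
    print(simulate(get_profile_vulnerable, alice, 1003))  # 200: data leaks
    print(simulate(get_profile_secure, alice, 1003))      # 403: denied
    print(simulate(get_profile_secure, alice, 1002))      # 200: own profile
    print(simulate(admin_list_users, alice))              # 403: not admin
```

The point of `simulate` is that the only thing separating the 200 from the 403 is a server-side check tied to the authenticated caller; nothing the client sends (the path id, the absence of a UI link) is trusted. In a real framework the same checks would live in the handler or in middleware, and a 403 on a resource the caller should never see is also a useful detection signal to log.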
What is the most effective way to design access control policies to minimize the risk of broken access control in web applications?
Explanation: Applying the principle of least privilege means users get the minimum permissions needed to perform their tasks, greatly reducing the attack surface. Allowing temporary admin access elevates risk and violates sound policy. Relying on front-end checks alone is insecure because they can be bypassed. Permitting anonymous access increases exposure to unauthorized access.
During a penetration test, which method is most effective for identifying broken access control vulnerabilities?
Explanation: Actively manipulating parameters allows testers to discover whether unauthorized access is possible, which is critical for finding broken access control flaws. Code linters generally detect code style or syntax errors, not authorization issues. Page load speed measurements are unrelated to security. Interface changes alone do not provide evidence of access control problems unless the underlying endpoints are thoroughly tested.