Web Application Security: Enhancing Access Control with OWASP’s Top Security Best Practices

The Open Web Application Security Project (OWASP) offers 24 access-control best practices that improve an application's security posture and encourage secure coding. OWASP further publishes vulnerability-specific prevention cheat sheets to help software developers build a security-first mindset into their coding practices. Three common vulnerabilities covered by the OWASP best practices that I consider important in preventing broken access control are Insecure Direct Object Reference, Missing Function Level Access Control, and Cross-Site Request Forgery.

Insecure Direct Object Reference. An Insecure Direct Object Reference (IDOR) lets an attacker reach another user's information by changing the user ID in a profile URL or POST body. Data-layer access controls protect the web application by allowing only authorized users to reach a data object. By verifying that the user requesting profile data is the owner of that profile, the application prevents an attacker from reaching another user's profile simply by editing the user ID in the URL or POST body. In 2021, a teenager found an IDOR vulnerability in the Facebook Android app that revealed Facebook administrator account IDs (Facebook, n.d.).
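The ownership check described above, written out as an added example (not code from the original post): a profile handler that trusts the client-supplied ID beside one that compares the requested object with the authenticated principal. The in-memory `profiles` map, the `makeRequest` helper, and the Express-like `req.params`/`req.session` shape are constructed for the example.

```javascript
// Added example: data-layer ownership check against an Insecure Direct
// Object Reference. The profile store below is constructed sample data.
const profiles = new Map([
  [101, { id: 101, email: 'alice@example.test', role: 'user' }],
  [102, { id: 102, email: 'bob@example.test', role: 'user' }],
  [900, { id: 900, email: 'ops@example.test', role: 'admin' }],
]);

// Vulnerable handler: looks up whatever id the client put in the URL and never
// asks whether the authenticated session is allowed to see that object.
function getProfileVulnerable(req) {
  const profile = profiles.get(Number(req.params.id));
  if (!profile) return { status: 404, body: null };
  return { status: 200, body: profile };
}

// Hardened handler: the check is against the principal in the server-side
// session, not against anything the client sent. Admins pass by role.
function getProfileSecure(req) {
  const requestedId = Number(req.params.id);
  if (!Number.isInteger(requestedId)) return { status: 400, body: null };
  const principal = req.session && req.session.user;
  if (!principal) return { status: 401, body: null };
  const isOwner = principal.id === requestedId;
  const isAdmin = principal.role === 'admin';
  if (!isOwner && !isAdmin) return { status: 403, body: null };
  const profile = profiles.get(requestedId);
  if (!profile) return { status: 404, body: null };
  return { status: 200, body: profile };
}

// Builds a request object the way an Express session middleware would populate
// it (constructed helper so the example runs without a framework).
function makeRequest(sessionUser, idParam) {
  return { session: { user: sessionUser }, params: { id: idParam } };
}
```

The important design point is that `getProfileSecure` never derives the identity of the caller from the URL; the session, which the client cannot forge, decides whose data may be returned, and the URL only says which object was requested.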

Cross-Site Request Forgery. In a Cross-Site Request Forgery (CSRF) attack, an attacker exploits the user's authenticated session (the browser attaches the session cookie automatically) to send a request the user never intended. CSRF protection lets software developers segregate state-changing operations through anti-CSRF tokens: a request may change state only if it carries a token that proves it originated from the application. OWASP recommends segregating sensitive operations in this way to mitigate the vulnerability, and in Express one way to achieve it is with the Express CSRF middleware modules. As a further best practice, software developers must modify state only through the correct HTTP methods. In 2009, uTorrent discovered a CSRF vulnerability that allowed attackers to modify state with a GET request (uTorrent, n.d.): a crafted URL forced a torrent file download whenever a user opened an email or visited a forum page.

Missing Function Level Access Control. Missing Function Level Access Control lets users invoke functions that should be restricted from them. In Node.js, middleware allows a software developer to perform a task before a request reaches the route handler. Middleware is often used for logging, file handling, or session management wherever data is passed or requests are made. Node.js engineers use middleware to enforce access control by intercepting the request object and deciding whether the request continues or is terminated, based on the authentication and authorization rules defined in the access control database. Missing Function Level Access Control vulnerabilities arise server-side in Node.js applications when a backend or full-stack developer misconfigures this middleware and unintended users gain access to functions. To prevent them, software developers can create functions that perform authentication and authorization checks on critical routes and endpoints.

Centralized Access Control in Application Design

Code reviews and comprehensive testing help software developers avoid mistakes that leave an endpoint or route exposed through functions that should have been protected by authentication and authorization checks. Additionally, web applications can implement Role-Based Access Control, which limits a user's ability to call functions that could otherwise be used to reach other users' information. Common frameworks that address access control are LoopBack (JSON feel) and Sails (MVC/Ruby feel). I personally like having granular control over my functions; however, the LoopBack and Sails frameworks have also been helpful for exploring access control on different projects. OWASP recommends, as a security best practice, a single site-wide component that implements consistent and centralized authentication and authorization checks on critical routes and endpoints. In complex production code, scattering authentication logic across many files leads to Missing Function Level Access Control vulnerabilities that create entry points for attackers. These best practices guide developers to raise their coding standards to a security-first mindset that protects users and scales across production environments. A good example of a Missing Function Level Access Control vulnerability is the GD Press Tools WordPress plugin (WordPress, n.d.), which allowed users to edit information and delete other users' posts.
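The middleware pattern from the previous section and the single site-wide component recommended here, combined in one added example (not code from the original post, LoopBack, Sails or Express). All routes are declared in one policy table with the roles allowed to call them; a request for anything not in the table is denied by default, which is what stops a forgotten check from becoming a Missing Function Level Access Control hole. The route paths, role names, and the `dispatch` stand-in for Express are assumptions constructed for the example.

```javascript
// Added example: centralized role-based authorization middleware in the
// Express (req, res, next) shape. The policy table and roles are assumed.
const policy = [
  { method: 'GET',    path: '/posts',       roles: ['user', 'editor', 'admin'] },
  { method: 'POST',   path: '/posts',       roles: ['editor', 'admin'] },
  { method: 'DELETE', path: '/posts/:id',   roles: ['admin'] },
  { method: 'GET',    path: '/admin/users', roles: ['admin'] },
];

// Matches '/posts/:id' against '/posts/7'; segments starting with ':' are
// parameters, everything else must be equal.
function pathMatches(pattern, path) {
  const p = pattern.split('/');
  const q = path.split('/');
  if (p.length !== q.length) return false;
  return p.every((seg, i) => seg.startsWith(':') || seg === q[i]);
}

// The single site-wide check: mounted once, before every route handler.
// Unauthenticated -> 401. Route not in the table, or role not listed -> 403.
function authorize(req, res, next) {
  const user = req.session && req.session.user;
  if (!user) return res.status(401).send('authentication required');
  const rule = policy.find(r => r.method === req.method && pathMatches(r.path, req.path));
  if (!rule || !rule.roles.includes(user.role)) {
    return res.status(403).send('forbidden');
  }
  return next();
}

// Minimal stand-in for Express dispatch so the example runs without the
// framework: next() represents the real route handler being reached.
function dispatch(req) {
  let result = null;
  const res = {
    status(code) { result = { status: code }; return this; },
    send(body) { result.body = body; return result; },
  };
  const next = () => {
    result = { status: 200, body: `handled ${req.method} ${req.path}` };
    return result;
  };
  authorize(req, res, next);
  return result;
}
```

Because authorization lives in one place, a code review of the policy table answers the question "who can call what" for the whole application, and adding a route without a policy entry fails closed rather than open.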

References

uTorrent CSRF Attack Example
https://brightsec.com/blog/csrf-example/#regular-security-tests

Facebook IDOR Example
https://medium.com/pentesternepal/how-i-was-able-to-reveal-page-admin-of-almost-any-page-on-facebook-5a8d68253e0c

WordPress GD Press Tools Plugin Missing Function Level Access Control Example
https://local-cluster.com/vulnerabilities/gd-press-tools-missing-function-level-access-control/

Threat Modeling for CSRF
https://researchgate.net/publication/224602293_Threat_Modeling_for_CSRF_Attacks

OWASP Top 10 Web Application Security Risks
https://owasp.org/www-project-top-ten/

OWASP Security Best Practices
https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/stable-en/02-checklist/05-checklist#access-control

Insecure Direct Object Reference
https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html#:~:text=Insecure%20Direct%20Object%20Reference%20(IDOR,allowed%20to%20access%20specific%20data.

Missing Function Level Access Control
Karande, C. (2017) Securing Node Applications. O’Reilly Media Inc. https://learning-oreilly-com.proxy.library.maryville.edu/library/view/securing-node-applications/9781491982426/ch07.html#:-:text=describes%20security%20requirements,can%20implement%20it

Cross-Site Request Forgery
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html

Escape Hatches
https://react.dev/learn/escape-hatches

React
https://legacy.reactjs.org/docs/introducing-jsx.html#:~:text=By%20default%2C%20React%20DOM%20escapes,%2Dsite%2Dscripting)%20attacks.
