What Is Broken Access Control?


Yesterday we looked at authentication and authorization; if you missed it, you can check it out here. Today we're finishing up the series of authentication-related posts that started last week, and, as promised, we'll be looking at one of the symptoms of authentication and authorization gone wrong: broken access control. Imagine you're hosting an event at your home. Before the event, you locked the rooms you don't want anyone entering. An hour into the event, you go to get something from your bedroom and find a guest sleeping on your bed 😒.


A RELATABLE EXPLANATION

A lot of the time, a scenario like this makes us doubt our memory: did we actually lock the door, so that the room must have been opened by force, or did we turn the key twice before closing the door, which meant it was never locked at all? Broken access control feels like the scenario above, only in this case it's happening on digital infrastructure. Every software solution has areas that are off-limits; no software engineer builds a solution that doesn't limit what users can access.

It's kind of like how we put a password on our phones or lock our doors on the way out: if we forget the password or lose the keys, we're locked out despite being the owner of the phone or property. Features like these ensure that we are the only ones with access (on the assumption that we won't forget our password or lose our keys). Broken access control is the situation where these security measures aren't strictly enforced.


SYMPTOMS OF THE PROBLEM

If a user can log in, or type a very specific URL, and thereby bypass authentication and authorization, then there is broken access control. A lot of the time, because our browsers save our browsing history, we skip steps that we should be made to go through. An example would be a situation where you specified that you'd like to be asked for a token every time you log in, yet if you navigate to a specific resource through your browser history, you're never asked for the token.

In minor cases, it can be ignored or considered inconsequential. In more serious cases, it can undermine the security of the entire system. URLs are very straightforward navigation parameters that take you wherever you want to go on a platform. If someone who knows the URL pattern of a website enters a very specific URL parameter into the browser in a bid to gain admin access (and succeeds), then you know there is broken access control on the platform, and it's dangerous.


FINALLY

To combat this, developers use a number of methods to make the platform's URL structure harder to guess, such as making the API routes harder to guess or using GUIDs rather than incremental ID numbers for user IDs.
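To show what the fix actually looks like in code, here is an added example (not from the original post) of the "change the ID in the URL" symptom described above: a vulnerable profile lookup next to a fixed one that checks ownership on the server, plus a tiny stand-in router that guards the admin area by role rather than by hoping nobody guesses the path. The users, profiles, roles and the `route`/`allowed` helpers are all constructed for the demo; GUID-style IDs are shown for new profiles, but it is the authorization check that closes the hole.

```python
import uuid

# Constructed sample data: incremental IDs make /profile/2 trivial to guess.
PROFILES = {
    "1": {"owner": "alice", "email": "alice@example.com"},
    "2": {"owner": "bob", "email": "bob@example.com"},
}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}


class Forbidden(Exception):
    """Raised when the logged-in user is not allowed to reach a resource."""


def get_profile_vulnerable(session_user, profile_id):
    """Broken access control: being logged in is all that is checked, so any
    user who edits the ID in the URL gets someone else's profile."""
    return PROFILES[profile_id]


def get_profile_fixed(session_user, profile_id):
    """Server-side authorization: only the owner or an admin may read it.
    The check does not depend on how guessable the ID is."""
    profile = PROFILES.get(profile_id)
    if profile is None:
        raise KeyError(profile_id)
    if profile["owner"] != session_user and ROLES.get(session_user) != "admin":
        raise Forbidden(f"{session_user} may not read profile {profile_id}")
    return profile


def create_profile(owner, email):
    """New profiles get a random GUID, so the URL cannot be enumerated;
    this reduces guessability but is not a substitute for the check above."""
    profile_id = str(uuid.uuid4())
    PROFILES[profile_id] = {"owner": owner, "email": email}
    ROLES.setdefault(owner, "user")
    return profile_id


def route(session_user, path):
    """Minimal dispatcher standing in for a web framework's router (assumption).
    The admin area is protected by role, not by its path being secret."""
    if path == "/admin":
        if ROLES.get(session_user) != "admin":
            raise Forbidden("admin area")
        return "admin dashboard"
    if path.startswith("/profile/"):
        return get_profile_fixed(session_user, path[len("/profile/"):])
    raise KeyError(path)


def allowed(session_user, path):
    """True if the request is authorized, False if the router rejects it."""
    try:
        route(session_user, path)
        return True
    except Forbidden:
        return False
```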