Posted on

Broken Access Control tops the OWASP Top 10

The Open Web Applications Security Project releases their top 10 vulnerabilities every 3 or 4 years. It contains the most common types of problems developments have inadvertently delivered in their web applications.

The next reiteration which is currently in draft contains Broken Access Control (BAC) as the number 1 issue web applications are susceptible to.

After analysing over 500,000 application data logs provided by OWASP supporters and friends of the project, the top 10 was decided using this data for 8 of the top 10 and 2 were from a survey proved to the industry.

What is Broken Access Control?

Broken Access Control is the method of modifying something that the app accepts by either impersonating someone or something someone else had.

For example, a user of the application may be the holder of a cookie or JWT (JSON Web Token) and the malicious actor gets hold of it, changes it to make a request and the application unwittingly fulfils it.

Another way is when the application has used bad practice and hidden fields instead of securely disabling them for a particular action and the malicious actor in this instance has the ability to take advantage of the applications features by modifying either the HTML, CSS or JavaScript using something as trivial as the console in the browser.