5. Broken Access Control (OWASP Top 10)

Broken Access Control

* Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification or destruction of all data, or performing a business function outside the limits of the user. Common access control vulnerabilities include:

* Bypassing access control checks by modifying the URL, internal application state, or the HTML page, or simply by using a custom API attack tool.

* Allowing the primary key to be changed to another user's record, permitting viewing or editing someone else's account.

* Elevation of privilege: acting as a user without being logged in, or acting as an admin when logged in as a user.

Example scenario:

The application uses unverified data in a SQL call that accesses account information:

pstmt.setString(1, request.getParameter("acct")); // binds the user-supplied account number without checking that it belongs to the caller

An attacker simply modifies the 'acct' parameter in the browser to send whichever account number they want. If it is not properly verified, the attacker can access any user's account.

http://example.com/app/accountinfo?acct=notmyaccount
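The scenario above, and the "elevation of privilege" bullet earlier, come down to the same defect: the handler trusts a request parameter to decide whose data is returned, and nothing on the server ties the request to the logged-in user. The following is an added example, not code from the OWASP page; it renders the page's Java `setString(1, acct)` pattern in Python with an in-memory SQLite table of constructed accounts, and puts the vulnerable lookup beside a hardened one in which identity and role come only from the server-side session and ownership is enforced in the query itself. The `params`/`session` dictionaries stand in for a web framework's request parameters and session store.

```python
import sqlite3

# Constructed sample data (not from the original page): two customers,
# each owning one account.
ACCOUNTS = [
    ("1001", "alice", 2500),
    ("1002", "bob", 75),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (acct TEXT PRIMARY KEY, "
        "owner TEXT NOT NULL, balance INTEGER NOT NULL)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    return conn


def account_info_vulnerable(conn, params):
    """The page's pattern in Python: 'acct' is bound as a parameter, so there
    is no SQL injection, but nothing ties the row to the caller. Any value
    of acct returns that account's data."""
    row = conn.execute(
        "SELECT acct, owner, balance FROM accounts WHERE acct = ?",
        (params.get("acct"),),
    ).fetchone()
    return row


def account_info_fixed(conn, params, session):
    """Hardened handler. Identity and role come from the server-side session
    (set at login), never from the request. The query itself enforces
    ownership, and anything unexpected is denied by default."""
    user = session.get("user")
    if user is None:
        return {"status": 401}  # not logged in: no account data at all
    acct = params.get("acct")
    if acct is None:
        return {"status": 400}
    if session.get("role") == "admin":
        # Role-based exception, decided from session state only.
        row = conn.execute(
            "SELECT acct, owner, balance FROM accounts WHERE acct = ?",
            (acct,),
        ).fetchone()
    else:
        row = conn.execute(
            "SELECT acct, owner, balance FROM accounts "
            "WHERE acct = ? AND owner = ?",
            (acct, user),
        ).fetchone()
    if row is None:
        # Same response whether the account does not exist or belongs to
        # someone else, so probing acct values does not reveal which exist.
        return {"status": 404}
    return {"status": 200, "acct": row[0], "balance": row[2]}


if __name__ == "__main__":
    db = make_db()
    alice = {"user": "alice", "role": "user"}
    # Alice, logged in, requests Bob's account by changing the parameter.
    print(account_info_vulnerable(db, {"acct": "1002"}))          # ('1002', 'bob', 75)
    print(account_info_fixed(db, {"acct": "1002"}, alice))        # {'status': 404}
    print(account_info_fixed(db, {"acct": "1001"}, alice))        # {'status': 200, ...}
    print(account_info_fixed(db, {"acct": "1002"}, {}))           # {'status': 401}
```

The point of the hardened version is that the `WHERE acct = ? AND owner = ?` clause makes the ownership check impossible to forget on any code path that reads the table, and that the 404 for a foreign account is indistinguishable from a non-existent one. In a real deployment the denied requests (the 401/404 branches) are also worth logging with the session user and the requested `acct`, since a single user cycling through many account numbers is the signature of this class of attack.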
