Rick Howard
You're listening to the CyberWire Network, powered by N2K. What's the common denominator in security incidents? Escalations and lateral movement. When a privileged account is compromised, attackers can seize control of critical assets with bad directory hygiene and years of technical debt. Identity attack paths are easy targets for threat actors to exploit, but hard for defenders to detect. This poses risk in Active Directory, Entra ID and hybrid configurations. Identity leaders are reducing such risks with attack path management. You can learn how attack path management is connecting identity and security teams while reducing risk with BloodHound Enterprise, powered by SpecterOps. Head to specterops.io today to learn more. SpecterOps: see your attack paths the way adversaries do.
Nila Genoe
The word is OWASP Broken access control, spelled O for open, W for web, A for application, S for security, P for project, broken for failure, access for permission, and control for the power of restraint. Software users are allowed access to data or functionality contrary to the defined zero trust policy by bypassing or manipulating the installed security control.
Example sentence: Acting as a user without being logged in, or acting as an admin when logged in, is the result of broken access control.
Origin and context: Dave Wichers and Jeff Williams, working for Aspect Security, a software consulting company, published an educational piece in 2003 on the top software security coding issues of the day that eventually turned into the OWASP Top 10, a reference document describing the most critical security concerns for web applications. Today, OWASP is an international team of security professionals, led by the foundation executive director and Top 10 project leader Andrew van der Stock, and dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted. Today there are tens of thousands of members and hundreds of chapters worldwide. In 2021, OWASP published an updated list where broken access control jumped up from the fifth position to the number one spot. 94% of all the tested applications had some form of broken access control, and it had more occurrences than any other OWASP category. Broken access control occurs when users can act outside of their intended permissions. If zero trust is our stated strategy, and access controls are one of the tactics we use to pursue that strategy, then a broken access control is a failure in design and implementation. Broken access controls manifest in several forms: vertical privilege escalation, horizontal privilege escalation, and context-dependent privilege escalation.
The Purple Box Website team recommends some common best practices designed to reduce the probability that your code will have a broken access control. First, obfuscation, as well as hope, is not a plan: just because you don't understand it doesn't mean that the bad guys can't figure it out. Second, as per the zero trust strategy, deny access to all by default and then only grudgingly allow access based on rigorous identification and authorization approvals. Third, centralize the control framework. Don't build one-off systems for each component that you won't be able to remember a year from now. Drive everything through this centralized control framework. And finally, through a DevSecOps kind of model, through an infrastructure-as-code model, thoroughly audit and test access controls to ensure they are working as designed.
Nerd reference: In season one, episode five of the best hacker TV show ever, Mr. Robot, Elliot, played by Rami Malek, has to break a thug out of New York City's Department of Corrections in order to save his friend. He tries a couple of different techniques to compromise the jail's network. The first is having his sister Darlene, played by Carly Chaikin, drop infected USB drives around the jail's parking lot. He then tries scanning for unsecured wifi connections. And yes, I said wifi because I think it's funny. But he finally has success by compromising a laptop used by a policeman in Patrol Car 365. He spoofs the car's laptop into believing that Elliot's remote keyboard is the actual keyboard for the computer. He then uses the remote keyboard to connect to the jail's network via wifi and moves laterally inside the jail by searching for unsecured SCADA devices. Once found, he uploads malicious software via FTP designed to unlock all the cell doors in the jail when he pushes a button. And that is textbook broken access control. Why would a cop's laptop have access to SCADA devices that control the opening and closing of jail cells?
Word Notes is written by Nila Genoe, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.
Rick Howard
And now a word from our sponsor, Black Kite. If third-party risk is keeping you up at night, you're not alone. It's a constant battle. Black Kite's third-party cyber risk platform is built on real-world threat intelligence straight from their research team's ongoing breach analysis, dark web monitoring and attacker tactics. That means you get a hacker's-eye view of your supply chain to proactively spot risks. And speaking of research, they just dropped their 2025 third-party breach report, breaking down last year's biggest trends and what's coming next. Grab the report now at www.blackkite.com.
Host: N2K Networks
Episode Title: OWASP Broken Access Control (noun) [Word Notes]
Release Date: May 6, 2025
Description: Deception, influence, and social engineering in the world of cybercrime.
In this episode of Hacking Humans, host Rick Howard delves into a critical aspect of cybersecurity: Broken Access Control, a top concern highlighted by the Open Web Application Security Project (OWASP). The discussion underscores the pervasive nature of this vulnerability and its implications for organizations striving to maintain robust security postures.
Nila Genoe takes center stage to unpack the concept of OWASP Broken Access Control. She begins by breaking down the term:
“Broken access control occurs when users can act outside of their intended permissions,” explains Nila (01:12). This means that software users gain access to data or functionalities that should be restricted, often circumventing established security protocols.
Nila provides a historical perspective on OWASP, tracing its origins back to 2003 when Dave Wickers and Jeff Williams identified major software security coding issues. This initiative eventually evolved into the OWASP Top 10, a seminal document outlining the most critical security risks for web applications. As of 2021, OWASP’s annual update places Broken Access Control at the number one position, a rise from the fifth spot in previous years, highlighting its increasing prevalence and severity.
“In 2021, OWASP published an updated list where broken access control jumped up from the fifth position to the number one spot,” Nila notes (01:45).
The statistics are stark: 94% of the tested applications had some form of broken access control, more occurrences than any other OWASP category.
Such high prevalence indicates that despite being a well-known vulnerability, Broken Access Control remains a persistent challenge for developers and security teams alike.
Nila categorizes Broken Access Control into three main types: vertical privilege escalation, horizontal privilege escalation, and context-dependent privilege escalation.
Each type presents unique challenges and requires tailored mitigation strategies to effectively safeguard against unauthorized access.
The Purple Box Website team recommends several best practices to minimize the risk of Broken Access Control:
Avoid Obfuscation and Hope: Relying on security through obscurity is inadequate. As Nila emphasizes, “Hope is not a plan; just because you don't understand it doesn't mean that the bad guys can't figure it out” (02:30).
Adopt a Zero Trust Approach: By default, deny all access and only grant permissions based on stringent identification and authorization processes.
Centralize Control Frameworks: Instead of disparate systems, implement a centralized access control framework to ensure consistency and ease of management.
Integrate DevSecOps Practices: Utilize infrastructure-as-code models to embed security into the development and deployment pipelines, ensuring continuous auditing and testing of access controls.
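The best practices above (deny by default, one centralized control framework, and tests that prove the controls work) and the three escalation types the episode names can be shown in a few dozen lines. The following is an added example written for this page, not code from the episode, from OWASP, or from the website team it cites; every name in it (Role, User, Order, POLICY, authorize, audit_log) and all of the users and orders are constructed for illustration.

```python
# Added example (not from the episode): one centralized, deny-by-default
# authorization function, and the vertical, horizontal and context-dependent
# escalations it has to refuse. All users, orders and policy entries below
# are constructed sample data; the names are this example's own.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Role(Enum):
    ANONYMOUS = "anonymous"
    USER = "user"
    ADMIN = "admin"


# Higher rank means more privilege. Used only by the vertical (role) check.
ROLE_RANK = {Role.ANONYMOUS: 0, Role.USER: 1, Role.ADMIN: 2}


@dataclass(frozen=True)
class User:
    user_id: str
    role: Role


@dataclass(frozen=True)
class Order:
    order_id: str   # looks unguessable on purpose: secrecy is NOT the control
    owner_id: str
    status: str     # "draft" or "submitted"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# The single place policy lives: (resource, action) -> minimum role required.
# Anything absent from this table is denied. That is the deny-by-default rule.
POLICY: Dict[Tuple[str, str], Role] = {
    ("order", "read"): Role.USER,
    ("order", "update"): Role.USER,
    ("order", "delete"): Role.ADMIN,
    ("admin_panel", "view"): Role.ADMIN,
}


def authorize(user: User, resource: str, action: str,
              obj: Optional[Order] = None) -> Decision:
    """Single enforcement point every request handler calls before acting.

    Checks, in order:
      1. deny by default   - no policy entry, no access
      2. vertical          - caller's role must reach the policy's minimum role
      3. horizontal        - non-admins may touch only objects they own
      4. context-dependent - the object's state must permit the action
    """
    needed = POLICY.get((resource, action))
    if needed is None:
        return Decision(False, f"no policy for {resource}:{action}; denied by default")

    if ROLE_RANK[user.role] < ROLE_RANK[needed]:
        return Decision(False, f"vertical: {user.role.value} < {needed.value}")

    if obj is not None and user.role is not Role.ADMIN and obj.owner_id != user.user_id:
        # Ownership is compared, not the secrecy of the id: hope is not a plan.
        return Decision(False, f"horizontal: {user.user_id} does not own {obj.order_id}")

    if resource == "order" and action == "update" and obj is not None and obj.status != "draft":
        return Decision(False, f"context: order {obj.order_id} is {obj.status}, not draft")

    return Decision(True, "allowed")


def audit_log(user: User, resource: str, action: str,
              obj: Optional[Order] = None) -> str:
    """Wrap authorize() so every decision, allowed or denied, leaves an audit line."""
    d = authorize(user, resource, action, obj)
    target = obj.order_id if obj else "-"
    return (f"authz user={user.user_id} role={user.role.value} {resource}:{action} "
            f"target={target} allowed={d.allowed} reason={d.reason}")


# Constructed sample principals and records.
ALICE = User("alice", Role.USER)
BOB = User("bob", Role.USER)
ROOT = User("root", Role.ADMIN)
GUEST = User("guest", Role.ANONYMOUS)
ORDER_A = Order("7f3a9c", "alice", "draft")
ORDER_B = Order("e21d04", "bob", "submitted")


if __name__ == "__main__":
    for line in (
        audit_log(ALICE, "order", "read", ORDER_A),    # allowed
        audit_log(GUEST, "order", "read", ORDER_A),    # vertical: anonymous
        audit_log(BOB, "order", "read", ORDER_A),      # horizontal: not the owner
        audit_log(ALICE, "order", "delete", ORDER_A),  # vertical: admin only
        audit_log(BOB, "order", "update", ORDER_B),    # context: already submitted
        audit_log(ALICE, "order", "export", ORDER_A),  # deny by default
        audit_log(ROOT, "order", "read", ORDER_B),     # admin may cross ownership
    ):
        print(line)
```

The audit_log wrapper is what the "thoroughly audit and test" recommendation turns into in practice: each of the scenario lines above is also a natural unit test, so a pipeline can fail the build the moment a handler stops calling the central check or a policy entry drifts.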
To contextualize the concept, Nila references the popular TV series Mr. Robot. In Season 1, Episode 5, the protagonist Elliot employs various techniques to breach the New York City Department of Corrections' network, ultimately succeeding by exploiting Broken Access Control. By compromising a police officer's laptop and masquerading as a legitimate input device, Elliot gains unauthorized access to critical systems, enabling him to manipulate jail cell controls.
“And that is textbook Broken Access Control,” Nila concludes, highlighting the real-world applicability of the vulnerability (05:15).
This example underscores how Broken Access Control can be exploited to gain significant unauthorized advantages, emphasizing the need for robust access control mechanisms.
The episode reinforces the notion that Broken Access Control is not merely a technical issue but a fundamental flaw that can undermine an organization's entire security framework. Effective mitigation requires a comprehensive strategy encompassing policy, technology, and continuous monitoring.
Key takeaways include:
Hacking Humans effectively highlights the critical importance of addressing Broken Access Control within the broader context of cybersecurity. By leveraging historical insights, practical examples, and expert recommendations, the episode serves as a valuable resource for organizations aiming to fortify their defenses against one of the most prevalent and impactful security vulnerabilities today.
Notable Quotes:
Nila Genoe (01:12): "Broken access control occurs when users can act outside of their intended permissions."
Nila Genoe (01:45): "In 2021, OWASP published an updated list where broken access control jumped up from the fifth position to the number one spot."
Nila Genoe (02:30): "Hope is not a plan; just because you don't understand it doesn't mean that the bad guys can't figure it out."
Nila Genoe (05:15): "And that is textbook Broken Access Control."