Broken Access Control vs Broken Authentication

January 19, 2022



While sometimes mistakenly used interchangeably, authentication and authorization represent fundamentally different functions. In simple terms, authentication is the process of verifying who a user is, while authorization is the process of verifying what they have access to.

We can begin by comparing authentication and authorization by asking who the user/client is and what they are allowed to do. Let’s see the figures below:

This picture explains differences between authentication and authorization.

We have talked about Broken Access Control and Broken Authentication in the previous posts in this blog series. In this blog post, we will compare both topics.

This picture explains differences between authentication and authorization.

Authentication is the process of verifying the identity of a given user or client. In other words, it involves making sure who they really are. On the other hand, authorization (or access control) is the process of verifying an entity's identity. When designing and developing a software solution, it is important to keep these distinctions in mind. A user who has been authenticated is often not authorized to access all the resources and perform all actions that are technically possible through a system. Additionally, authentication is not always required for accessing resources. An unauthenticated user may be authorized to access certain public resources, such as an image or login page, or even an entire web app. Moreover, access control design decisions have to be made by humans, not technology, resulting in a high potential for errors.

We can differentiate between the terms authentication and authorization by the following analogy:

  • Imagine that you are visiting your neighbor. First, you proceed to knock on the door and she looks through the peephole before opening it to avoid any unwanted guests. The act of her identifying you is a clear illustration of Authentication.
  • As you are not an unwanted guest, she opens the door and invites you in. Upon entering, you strike up a conversation and begin feeling comfortable. At this point, your neighbor welcomes you to sit on the sofa. The act of you getting in the house and sitting on the sofa are clear illustrations of Authorization.
  • Let’s assume that you ask to use her bathroom, and she leads you down the hall. This is an illustration to show that you are still Authorized.
  • Now, let’s assume that you experience an unbearable sense of hunger and decide to open her fridge and have a look, but she slams the door shut and says you are not allowed to open her fridge. This is a clear illustration of not being Authorized for an action.

The differences between Authentication and Authorization are summarized in the table below:

This table compares authentication and authorization.

Authentication and Authorization Techniques

1. Authentication Techniques

a. Password-Based Authentication

Passwords are the most commonly used authentication method. Passwords can be made of a combination of letters, numbers, special, uppercase, and lowercase characters. Creating strong passwords with a mix of all possible options is recommended for taking the best security measures.

b. Multi-Factor Authentication

This picture explains the MFA logic.

Multi-Factor Authentication (MFA) is a method of identifying a user that requires two or more independent methods. Codes generated by the user's smartphone, Captcha tests, fingerprints, voice biometrics, and facial recognition are some examples.

c. Certificate-Based Authentication

Certificate-based authentication technologies use digital certificates to identify users, machines, or devices. A digital certificate is a type of electronic document similar to a driver's license or a passport.

d. Biometric authentication

Biometric authentication is a security process that relies on an individual's unique biological characteristics.

  • Facial recognition: Matches an individual's different face characteristics to an approved face stored in a database. When comparing faces from different angles or comparing people who look similar, such as close relatives, face recognition can be inconsistent. Spoofing is prevented by facial liveness, such as ID R&D's passive facial liveness.
  • Fingerprint scanners: Compare the distinct patterns on a person's fingerprints. Some new fingerprint scanners can even detect vascular patterns in people's fingers. Despite their frequent inaccuracies, fingerprint scanners are currently the most popular biometric technology for everyday consumers. iPhones are to blame for this surge in popularity.
  • Speaker Recognition: Also known as voice biometrics examines a speaker's speech patterns to determine the formation of specific shapes and sound qualities. A voice-protected device, like a password, usually relies on standardized words to identify users.
  • Eye scanners: This category includes technologies such as iris recognition and retina scanners. Iris scanners shine a bright light into the eye to see if the pupil contracts and look for distinct patterns in the colored ring around the pupil. The patterns are then compared to approved data in a database. If a person wears glasses or contact lenses, eye-based authentication may be inaccurate.

e. Token-Based Authentication

Token-based authentication technologies allow users to enter their credentials only once and receive a unique encrypted string of random characters in return. You can then use the token to gain access to protected systems rather than entering your credentials again. The digital token verifies that you already have access. RESTful APIs used by multiple frameworks and clients are examples of token-based authentication use cases.

2. Authorization Techniques

a. HTTP Authorization

This method is used for authentication as well as authorization. To prove their authentication, a user simply enters a username and password. Since the HTTP header is leveraged, this method excludes cookies, session IDs, and login pages.

b. API Keys

This method is also employed in authentication and authorization. An API key is generated when users attempt to gain authorized access to the system during registration. It is now paired with a hidden token and sent with forwarding requests. When a user wishes to re-enter the program, their unique key is used to verify their identity.

c. HMAC Authorization

Hash-Based Message Authentication Code: Most APIs require users to sign into an API key to use the API. The API key is a long string that is typically included in the URL or request header. The API key is primarily used to identify the person who is calling the API. This method is used for authentication as well as authorization.

d. OAuth 2.0 Authorization

OAuth enables the API to authenticate and gain access to the desired system or resource. OAuth 2.0 is one of the most secure API authentication methods, as it supports both authentication and authorization.

e. JWT Authorization

This picture explains what JWT is.

JSON Web Token (JWT) is an open standard that allows for the secure transmission of data between parties. It is yet another secure method of identification that can be used for both authentication and authorization. JWT is frequently used for authorization and can be signed with either a secret or a public/private key pair.

f. SAML Authorization

This picture explains the SSO structure

Security Assurance Markup Language(SAML) is an XML-based authentication and authorization system that connects two entities: a service provider and an identity provider. SAML is a standard Single Sign-On (SSO) format in which authentication information is exchanged via digitally signed XML documents.

g. OpenID Authorization

OpenID Connect is an authentication layer built on top of OAuth 2.0, an authorization framework. It enables clients to validate an end-identity user's using an Authorization Server's authentication and to obtain interoperable and REST-like basic profile information about the end-user.

What Type of Vulnerabilities do Authentication and Authorization Include?

This picture explains vulnerable situations.

1. Broken Access Control

  • Bypasses access control checks by modifying the URL (parameter tampering or force browsing), internal application state, or the HTML page, or by using an attack tool modifying API requests.
  • Permits viewing or editing someone else's account, by providing its unique identifier (insecure direct object references)
  • Accesses API with missing access controls for POST, PUT, and DELETE.
  • Acts as a user without being logged in or acting as an admin when logged in as a user. (Elevation of privilege)
  • Metadata manipulation such as replay or tampering with a JSON Web Token (JWT) access control token or manipulates to escalate privileges or abuse JWT override.
  • CORS misconfiguration allows API access from unauthorized/untrusted origins.
  • Forces browsing to authenticated pages as an unauthenticated user or to privileged pages as a standard user.

 2. Broken Authentication

  • Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords.
  • Permits brute force or other automated attacks.
  • Permits default, weak, or well-known passwords, such as "Password1" or "admin/admin".
  • Uses weak or ineffective credential recovery and forgot-password processes, such as "knowledge-based answers," which cannot be made safe.
  • Uses plain text, encrypted, or weakly hashed passwords data stores.
  • Has missing or ineffective multi-factor authentication.
  • Exposes session identifier in the URL.
  • Reuses session identifier after successful login.
  • Does not correctly invalidate Session IDs. User sessions or authentication tokens (mainly single sign-on (SSO) tokens) aren't properly invalidated during logout or a period of inactivity.

Real-Life Attack Scenarios

1. Broken Access Control

Assume that a web platform has self-registration. When any user on this platform wants to reset their password, they receive a link and an OTP code via e-mail. After entering this OTP code on the link, they are redirected to the new password creation page. After entering the new password on this page, at the stage where it says to create a password, the e-mail and password are transmitted in the request. Assume that an attacker performs this reset process for himself and enters the OTP code and reaches the password reset page. At the same time, the attacker has a target mailing list. Here, he enters any password and changes the request e-mail address with one of the e-mails in this list. When he tries to log in with the e-mail address that he has set a new password, he successfully accesses the target user's account.

This picture explains a vulnerable scenario.

2. Broken Authentication

Assume that an attacker wants to enumerate all possible users on the A platform. He has a long target list. There is no rate limit on forgot password pages in this platform. In this case, an attacker can exploit this flaw and perform email bombing/spamming attacks.

Conclusion

To sum up, Authentication and Authorization are completely independent concepts, yet both are central to security design. Misperception of either can compromise security. Access to a resource is protected by both authentication and authorization. If you can't prove your identity, you won't be allowed access to a resource. Even if you can prove your identity, if you are not authorized for that resource, you will still be denied access. While they often seem to be used in an equivalent context, they are completely different from one another.

In this blog post, authentication and authorization topics were compared. We have provided detailed information about their differences, as well as the techniques and vulnerabilities they include. Also, we’ve talked about real-life attack scenarios about Broken Access Control and Broken Authentication.

Check out our Vulnerability Management and Penetration Testing services to stay secure!