Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification or destruction of all data, or performing a business function outside of the limits of the user. Common access control vulnerabilities include:
The application uses unverified data in a SQL call that accesses account information:

// the acct value comes straight from the request and is never checked against the logged-in user
pstmt.setString(1, request.getParameter("acct"));
ResultSet results = pstmt.executeQuery();
An attacker simply modifies the acct parameter in the browser to send whatever account number they want. If the value is not verified on the server, the attacker can access any user's account:
http://example.com/app/accountInfo?acct=notmyacct
Admin rights are required for access to the admin page.
http://example.com/app/getappInfo
http://example.com/app/admin_getappInfo
If an unauthenticated user can access either page, it’s a flaw. If a non-admin can access the admin page, this is a flaw.
Access control is only effective if it is enforced in trusted server-side code or a serverless API, where the attacker cannot modify the access control check or its metadata.
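The two scenarios above, as an added example that is not part of the original page or of Hdiv: the unverified acct lookup beside an owner-scoped version, and a server-side role check for the admin page. The account table, users and roles are constructed sample data, and the function names are assumptions.

```python
import sqlite3

# Constructed sample data standing in for the application's account table.
ACCOUNTS = [
    ("myacct", "alice", 1200),
    ("notmyacct", "bob", 9800),
]
# Constructed role assignments; in a real app these come from the session store.
ROLES = {"alice": {"user"}, "carol": {"user", "admin"}}


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (acct TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO account VALUES (?, ?, ?)", ACCOUNTS)
    return conn


def account_info_vulnerable(conn, acct):
    """Mirrors the snippet above: the query is parameterized (no SQL injection),
    but acct is used unverified, so any caller who changes the parameter reads
    another user's account."""
    return conn.execute(
        "SELECT acct, balance FROM account WHERE acct = ?", (acct,)
    ).fetchone()


def account_info(conn, session_user, acct):
    """Hardened form: the lookup is scoped to the authenticated user on the
    server side, so a tampered acct parameter returns nothing (None)."""
    return conn.execute(
        "SELECT acct, balance FROM account WHERE acct = ? AND owner = ?",
        (acct, session_user),
    ).fetchone()


def admin_app_info(session_user, roles):
    """Server-side check for the admin page: refuse unauthenticated (401) and
    non-admin (403) callers before any application data is read."""
    if session_user is None:
        return 401
    if "admin" not in roles.get(session_user, set()):
        return 403
    return 200
```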
The information flow control system implemented by Hdiv controls the resources (links and forms) exposed by the application and prevents clients from breaking the contract established by the server. In other words, even when the programmer does not use an access control system or ACL (Java EE or Spring Security), Hdiv knows which resources each user is legitimately allowed to access.
Risk Covered
Hdiv flow control prevents any client attempt to break the server's contract.