
Broken Authorization in Java

Play Java Labs on this vulnerability with SecureFlag!

Vulnerable Examples

As an example, the application passes unverified request data straight into a downstream method call that retrieves account information, introducing a horizontal authorization bypass (the caller can read accounts belonging to other users at the same privilege level):

http://vulnerableapp.com/user/account?accountId=7865000321
// accountId is used as-is: nothing checks that the authenticated user owns that account (query text assumed)
PreparedStatement statement = connection.prepareStatement("SELECT * FROM accounts WHERE account_id = ?");
statement.setString(1, request.getParameter("accountId"));

An attacker can change the accountId parameter in the HTTP request and retrieve the information of any user's account, because the only thing tying the lookup to a user is a value the client controls.
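The hardened counterpart to the snippet above, written for this page as an added example rather than code from the original (class name, table and column names, and the use of the container-managed principal are assumptions): the account id is still taken from the request, but the query binds it together with the authenticated user's identity, so a row is only returned if it belongs to the caller.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet-style handler: the account lookup is bound to the
// authenticated principal instead of trusting the accountId parameter alone.
public class AccountHandler {

    private final Connection connection; // assumed to be configured elsewhere

    public AccountHandler(Connection connection) {
        this.connection = connection;
    }

    public void handle(HttpServletRequest request, HttpServletResponse response)
            throws SQLException, IOException {
        // Identity comes from the authenticated session, never from request parameters.
        if (request.getUserPrincipal() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String currentUser = request.getUserPrincipal().getName();

        // Parse the untrusted parameter; reject anything that is not a well-formed id.
        long accountId;
        try {
            accountId = Long.parseLong(request.getParameter("accountId"));
        } catch (NumberFormatException e) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // Ownership is enforced in the query itself (table and column names are assumptions):
        // the row comes back only if its owner is the caller.
        String sql = "SELECT account_id, balance FROM accounts "
                   + "WHERE account_id = ? AND owner_username = ?";
        try (PreparedStatement statement = connection.prepareStatement(sql)) {
            statement.setLong(1, accountId);
            statement.setString(2, currentUser);
            try (ResultSet rs = statement.executeQuery()) {
                if (!rs.next()) {
                    // Same response whether the account does not exist or belongs to
                    // someone else, so the endpoint does not reveal which ids are valid.
                    response.sendError(HttpServletResponse.SC_NOT_FOUND);
                    return;
                }
                response.setContentType("application/json");
                response.getWriter().printf("{\"accountId\":%d,\"balance\":%s}",
                        rs.getLong("account_id"), rs.getBigDecimal("balance"));
            }
        }
    }
}
```

The design point is that the ownership condition lives in the same query as the lookup: there is no window in which the record is fetched first and checked later, and a forgotten check in a caller cannot reintroduce the bypass.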

Prevention

Spring

Spring Security supports authorization semantics at both the web and the method level. It is possible to restrict which roles may reach a URL pattern or execute a particular method, which is an effective way to enforce vertical authorization controls (separating privilege levels such as user and administrator):

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Only principals holding ROLE_ADMIN may reach anything under /admin/.
        // hasRole() adds the "ROLE_" prefix itself; passing "ROLE_ADMIN" here is rejected at startup.
        http
          .authorizeRequests()
          .antMatchers("/admin/**").hasRole("ADMIN");
    }
    ...
}

Security expressions can also secure business functionality at the method level through annotations. The @PreAuthorize and @PostAuthorize annotations accept Spring Expression Language (SpEL) and provide expression-based access control; they take effect only once method security is enabled in the configuration (@EnableGlobalMethodSecurity(prePostEnabled = true), or @EnableMethodSecurity in recent versions). Beyond role checks, the expressions can reference method arguments and the returned object, which is what a horizontal (ownership) check needs:

import java.util.List;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;

@Service
public class AdminService {
    // Evaluated before the body runs; callers without ROLE_ADMIN get an AccessDeniedException
    @PreAuthorize("hasRole('ADMIN')")
    public List<Organization> findAllOrganizations() { ... }
    ...
}
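The page's example only covers the vertical case (a role check). The following service, added here as an example and not taken from the original page or from Spring's own documentation, applies the same annotations to the horizontal problem from the vulnerable example: the record type, repository interface and service are all hypothetical, and method security is assumed to be enabled as described above.

```java
import java.math.BigDecimal;
import java.util.List;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;

// Hypothetical domain object: each account records the username of its owner.
record Account(long id, String ownerUsername, BigDecimal balance) {}

// Hypothetical repository; how it is backed (JPA, JDBC, ...) is out of scope here.
interface AccountRepository {
    Account findById(long id);
    List<Account> findByOwnerUsername(String ownerUsername);
}

@Service
public class AccountService {

    private final AccountRepository accounts;

    public AccountService(AccountRepository accounts) {
        this.accounts = accounts;
    }

    // Horizontal check after the call: the loaded row is handed back only if its owner
    // matches the authenticated principal; otherwise Spring throws AccessDeniedException,
    // whatever accountId the caller supplied. A null result (unknown id) is passed through
    // so that the controller can answer 404 for both "missing" and "not yours".
    @PostAuthorize("returnObject == null or returnObject.ownerUsername() == authentication.name")
    public Account findAccount(long accountId) {
        return accounts.findById(accountId);
    }

    // Horizontal check before the call, using a method argument in the expression:
    // callers may list only their own accounts unless they hold ROLE_ADMIN.
    @PreAuthorize("#ownerUsername == authentication.name or hasRole('ADMIN')")
    public List<Account> listAccounts(String ownerUsername) {
        return accounts.findByOwnerUsername(ownerUsername);
    }
}
```

Two practical caveats: `#ownerUsername` resolves the parameter by name, so the project must be compiled with `-parameters` (or the argument annotated with Spring Security's `@P`) for the expression to find it; and the annotations are enforced by a proxy, so a call from another method inside the same class bypasses them, which is why the check should sit on the public entry point.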

References

MITRE - CWE 285 - Improper Authorization

OWASP Top 10:2021 - Broken Access Control

OWASP - Access Control Cheat Sheet

Spring - Expression-Based Access Control