Mitigating OWASP Web Application Risk: Broken Access Control using BIG-IP

Introduction:

One of the most dangerous and widespread vulnerabilities today is Broken Access Control, ranked #1 (A01:2021) in the OWASP Top 10 for 2021. This article explains what broken access control is, why it is such a serious threat, and how BIG-IP Advanced WAF can help mitigate it.

 

What is Broken Access Control?

Broken Access Control occurs when an application does not properly enforce permissions, allowing users to act outside their intended privileges. In simple terms, users can reach things they shouldn't: other users' private data, administrative features, or actions reserved for higher roles.

Authentication verifies who a user is; access control (authorization) decides what an authenticated user is allowed to do. When access control is broken, the door is wide open for attackers, even when login itself is solid.

Here are some common ways broken access control appears in web applications:

 

  • Insecure Direct Object References:
    A user changes an object identifier in a URL or parameter, for example /account/1001 to /account/1002, and the server returns someone else's record because it never checks who owns the object.

  • Forced Browsing:
    An unauthenticated or low-privileged user manually navigates to a hidden or restricted URL, such as /admin/config, and the server serves it.

  • Privilege Escalation:
    A regular user adds or alters a role field in a request (for example role=admin) and the server trusts the client-supplied value.

  • Missing Access Checks:
    APIs or endpoints that never verify the caller's authorization, often because access control is enforced only in the client-side UI.
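The first and third items above, written out as code, as an added example that is not from the article or from DVWA: an insecure direct object reference and a request-controlled role change, each next to a fixed version. The in-memory data, the Session object and the function names are constructed stand-ins for a real application's database, session handling and route handlers.

```python
# Added example, not code from the article or from DVWA: an insecure direct
# object reference and a request-controlled role change, each next to the
# fixed version. Data, session object and endpoint names are constructed.
from dataclasses import dataclass


@dataclass
class Session:
    user_id: int
    role: str  # set server-side at login; never copied from the request


# Constructed sample data: invoices owned by two different users.
INVOICES = {
    1001: {"owner_id": 1, "amount": 120.00},
    1002: {"owner_id": 2, "amount": 9800.00},
}
USERS = {
    1: {"role": "user", "email": "alice@example.test"},
    2: {"role": "user", "email": "bob@example.test"},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to see or change the object."""


# --- Insecure Direct Object Reference --------------------------------------
def get_invoice_insecure(session: Session, invoice_id: int) -> dict:
    """Vulnerable: the user is authenticated, but nothing checks that the
    invoice belongs to them, so user 1 asking for invoice 1002 gets user 2's data."""
    return INVOICES[invoice_id]


def can_read_invoice(session: Session, invoice_id: int) -> bool:
    """Authorization decision made from server-side state only."""
    invoice = INVOICES.get(invoice_id)
    return invoice is not None and (
        invoice["owner_id"] == session.user_id or session.role == "admin"
    )


def get_invoice_secure(session: Session, invoice_id: int) -> dict:
    """Fixed: ownership is decided from the session and the stored owner, never
    from anything the client sent. 'Missing' and 'not yours' get the same
    answer so the endpoint does not reveal which ids exist."""
    if not can_read_invoice(session, invoice_id):
        raise Forbidden("not found")
    return INVOICES[invoice_id]


# --- Privilege escalation via a role field in the request ------------------
def update_profile_insecure(session: Session, form: dict) -> dict:
    """Vulnerable: every submitted field is written, so a request body
    containing role=admin promotes the caller to administrator."""
    USERS[session.user_id].update(form)
    return USERS[session.user_id]


WRITABLE_PROFILE_FIELDS = {"email", "display_name"}


def update_profile_secure(session: Session, form: dict) -> dict:
    """Fixed: only allow-listed fields are writable; a submitted 'role' is
    dropped. Role changes belong on a separate admin-only endpoint."""
    USERS[session.user_id].update(
        {k: v for k, v in form.items() if k in WRITABLE_PROFILE_FIELDS}
    )
    return USERS[session.user_id]
```

The point of the fixed versions is that the authorization decision uses only data the server already holds (the session and the stored owner); nothing the client can edit in the URL or body takes part in it.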

 

Why Is It So Dangerous?

The impact of broken access control can be severe, including:

  • Sensitive information may be exposed or leaked.
  • Attackers could alter or delete important data.
  • An attacker could take full control of the system.
  • Data exposure could result in GDPR violations.

 

Demonstration - Mitigating a File Upload Vulnerability using BIG-IP:

Consider a file malicious if it can harm the server. A typical case is a PHP file that calls functions such as exec() or system(): once executed, it runs commands on the operating system and gives the attacker remote control of the application server.

Imagine a web application whose upload feature is supposed to accept only .jpeg files. If the application checks only the client-supplied Content-Type header or matches the extension loosely, an attacker can bypass the restriction, for example with a double extension such as shell.php.jpeg or by declaring a .php file as image/jpeg, and upload executable code. The access-control failure is that the server then lets an ordinary user execute the uploaded file simply by requesting its URL, an action no user was meant to have. On the application side, the controls that close this are validating the file content rather than the declared type, storing uploads under a server-generated name outside the web root, and never serving the upload directory with an execute handler.

For demonstration purposes, this scenario uses DVWA (Damn Vulnerable Web Application) as a testing environment.

Please follow the link to deploy the DVWA application on Ubuntu.

Also, the DVWA application needs to be added as a pool member of the BIG-IP virtual server.

You can refer to the adding-pool-info document if you need any assistance.

 

BIG-IP WAF Policy Config Steps:

  • Log into the BIG-IP console, go to Security > Application Security > Security Policies, and create a new application policy with the following configurations.

    Enforcement mode: Transparent
    Signature Staging: Enabled
    Virtual Server:  < Virtual server on which the endpoint (DVWA application) is accessible>

    Note: Staging is enabled by default when creating an application security policy, with a default enforcement readiness period of 7 days. This can be adjusted to your needs. For more details about staging, refer to the Attack Signatures & Staging section.

  • Now try to access the application through the virtual server.

     

  • Try to upload a PHP file through the "file upload" button and verify whether the application permits the upload. If it does, an attacker can use the same path to drop a web shell and then modify server files or corrupt data.

 

  • Access the uploaded file’s URL to execute it. This could provide the attacker with control over the web server via the uploaded PHP shell, enabling them to read, modify, or delete files, manipulate databases, and alter application data.

     

  • The corresponding logs can be found under the BIG-IP Advanced WAF event log, Security > Event Logs > Application > Requests.
    Note: Since the enforcement mode is set to Transparent, the attack is detected and logged with an "Alarm" action, but the request is still passed through to the application.

  • We can mitigate this attack with the BIG-IP WAF configuration by changing the policy's enforcement mode to Blocking. Note that attack signatures still in staging are logged but not enforced even in Blocking mode; if the upload is still accepted after the change, open the policy's Learning and Blocking Settings and confirm that the violation recorded in the Transparent-mode log entry is set to Block and that the matching signature is enforced.
  • Now, try to upload the same PHP file using the file upload button.

 

  • As shown in the above screenshot, BIG-IP Advanced WAF detected the attack and blocked it, returning a blocking response page with a support ID for reference.

    The detailed log entry can be seen under Security > Event Logs > Application > Requests; the support ID shown on the block page is the key for finding that request in the log.
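The manual upload test in the steps above, made repeatable, as an added example that is not from the article or from F5. It hand-builds the multipart upload so the filename and declared Content-Type can be set independently of the payload (a .php file declared as image/jpeg), sends it through the virtual server, and parses BIG-IP's default blocking response page for the support ID so the request can be looked up in the Requests event log. The DVWA form field names ("uploaded", "Upload", "MAX_FILE_SIZE"), the URL path and the cookie value are assumptions; the blocked and allowed response bodies used to exercise the parser are constructed.

```python
# Added example, not from the article or F5: a repeatable version of the manual
# upload test plus parsing of the BIG-IP block page for the support ID.
# Form field names, URL path and cookie are assumptions for a DVWA-style form.
from __future__ import annotations

import re
import urllib.error
import urllib.request
import uuid

# BIG-IP Advanced WAF's default blocking response page contains this sentence.
SUPPORT_ID_RE = re.compile(r"Your support ID is:\s*(\d+)")


def classify_response(status: int, body: str) -> tuple[str, str | None]:
    """'blocked' with the support ID when the WAF block page came back,
    'allowed' on a 2xx from the application, otherwise the HTTP status."""
    m = SUPPORT_ID_RE.search(body)
    if m:
        return "blocked", m.group(1)
    if 200 <= status < 300:
        return "allowed", None
    return f"http-{status}", None


def build_multipart(fields: dict[str, str], file_field: str, filename: str,
                    content_type: str, data: bytes) -> tuple[bytes, str]:
    """Hand-built multipart/form-data body so filename and declared
    Content-Type are set independently of the payload."""
    boundary = "----wafprobe" + uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts.append(
            f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"'
            f"\r\n\r\n{value}\r\n".encode()
        )
    parts.append(
        (f'--{boundary}\r\nContent-Disposition: form-data; name="{file_field}"; '
         f'filename="{filename}"\r\nContent-Type: {content_type}\r\n\r\n').encode()
        + data + b"\r\n"
    )
    parts.append(f"--{boundary}--\r\n".encode())
    return b"".join(parts), f"multipart/form-data; boundary={boundary}"


def probe(url: str, cookie: str) -> tuple[str, str | None]:
    """POST a harmless PHP marker file (not a shell) through the virtual server
    and classify the response. Network call: only run against a lab target."""
    payload = b"<?php echo 'waf-probe'; ?>\n"
    body, ctype = build_multipart({"MAX_FILE_SIZE": "100000", "Upload": "Upload"},
                                  "uploaded", "probe.php", "image/jpeg", payload)
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": ctype, "Cookie": cookie})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_response(resp.status, resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as e:
        return classify_response(e.code, e.read().decode(errors="replace"))


if __name__ == "__main__":
    import sys
    # usage: python waf_probe.py http://<vs-address>/vulnerabilities/upload/ "PHPSESSID=...; security=low"
    print(probe(sys.argv[1], sys.argv[2]))
```

Run it once with the policy in Transparent mode (expect "allowed") and again after switching to Blocking (expect "blocked" with a support ID); if the second run still reports "allowed", the violation that fired is not yet set to Block or the signature is still in staging.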

 

Conclusion:

Broken access control is a critical yet often overlooked security risk that can result in data exposure, unauthorised actions, and severe organizational impact. Through this demonstration, we have seen how F5 BIG-IP Advanced WAF can detect and block a malicious upload in real time, with traffic inspection, policy enforcement, and logging that stop recognised attack patterns before they reach the application. A WAF is a compensating control rather than a replacement for authorization in the application itself: it acts only on patterns it recognises in traffic, so the application must still enforce access checks and file validation server-side. Together, the two layers give organizations both security and confidence in managing web application threats.

 

Reference Links:

Published Jun 24, 2025
Version 1.0
