Code security tips

From PortSwigger, a free online resource for security.

PortSwigger is a cool free resource for learning security. There is a learning path you can follow.

Access Control Vulnerabilities

Access Control is the application of constraints on who or what can attempt to do actions or access resources they've requested.

  • insecure direct object reference
    • a vulnerability that allows an attacker to bypass authorization checks to access protected resources
    • occurs when a reference to an internal object, like a file or database key, is exposed through a link or parameter value. For example, hello.com/user?id=jon123
    • if no authorization check is in place, attackers can manipulate them to access unauthorized data
      • For example, replace the id with bob093 and gain access even though I am not Bob but I know his username
      • without proper authorization, this is a leak
    • to prevent
      • use per user or per session indirect references instead
      • implement access control checks to make sure user is authorized for requested info
      • never rely on user-defined GET or POST parameters, cookies, or HTTP headers to authorize access to sensitive resources
      • always rely on server-side session information and use mapping values to access objects
      • all private pages should be protected using an authorization mechanism -- use centralized authorization routines
      • no two separate pieces of code should verify whether an account belongs to a certain user
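The two patterns above side by side, as an added example (not code from PortSwigger or the original notes): a lookup that takes the database key straight from the URL, and a hardened version that hands the client only random per-session tokens and routes every read through one central authorization routine. The user records, the `Session` class and the `hello.com/user?id=` mapping are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample data: internal database keys -> user records.
USER_RECORDS = {
    "jon123": {"email": "jon@example.invalid", "ssn_last4": "1234"},
    "bob093": {"email": "bob@example.invalid", "ssn_last4": "9876"},
}


class Forbidden(Exception):
    """Raised whenever an access decision fails."""


# --- Vulnerable pattern: hello.com/user?id=jon123 with no authorization ----
def vulnerable_lookup(requested_id: str) -> dict:
    """The query parameter IS the database key. Anyone who knows or guesses
    another username (e.g. bob093) receives that user's record."""
    return USER_RECORDS[requested_id]


# --- Hardened pattern: per-session indirect references + central check ----
@dataclass
class Session:
    user_id: str  # set by the server at login, never taken from the client
    ref_map: dict = field(default_factory=dict)  # opaque token -> internal id


def indirect_ref(session: Session, internal_id: str) -> str:
    """Return an opaque, random, per-session token for an internal object id.
    The same id gets the same token within a session; tokens are not guessable."""
    for token, iid in session.ref_map.items():
        if iid == internal_id:
            return token
    token = secrets.token_urlsafe(16)
    session.ref_map[token] = internal_id
    return token


def authorize_user_record(session: Session, internal_id: str) -> None:
    """Centralized authorization routine: the single place that decides
    whether the logged-in user may read a given user record."""
    if session.user_id != internal_id:
        raise Forbidden(f"{session.user_id} may not read {internal_id}")


def hardened_lookup(session: Session, token: str) -> dict:
    """Resolve the client-supplied token through the server-side session map,
    then run the central check before touching the data. A raw database key
    such as 'bob093' is not a valid token and is rejected."""
    internal_id = session.ref_map.get(token)
    if internal_id is None:
        raise Forbidden("unknown object reference")
    authorize_user_record(session, internal_id)
    return USER_RECORDS[internal_id]


if __name__ == "__main__":
    jon = Session(user_id="jon123")
    print(vulnerable_lookup("bob093"))              # leaks Bob's record
    print(hardened_lookup(jon, indirect_ref(jon, "jon123")))  # Jon's own record
    try:
        hardened_lookup(jon, "bob093")               # raw key is not a token
    except Forbidden as exc:
        print("denied:", exc)
```

Even if a token for another user's object somehow ended up in a session map, `authorize_user_record` still rejects the read, which is the point of keeping the ownership check in one routine instead of sprinkling it across handlers.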
  • missing functional level access control
    • occurs when users can perform functions they are not authorized for or when resources can be accessed by unauthorized users
    • caused when access checks have not been implemented or when a protection mechanism exists but is not properly configured
    • examples
      • forced browsing URLs -- a user is authenticated but guesses and brute forces URLs to access admin pages
      • site uses a popular framework; an authenticated user takes advantage of this knowledge and brute forces the /createUser function to create a user
    • ramifications
      • accounts can be taken over, sensitive customer or company data stolen
    • prevention:
      • protect all business functions using a role-based authorization mechanism implemented on the server side
      • authorization should be applied using centralized routines either provided by framework or easy-to-use external modules
      • DENY by default
      • implement functional access control on server, never client
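A deny-by-default, role-based check applied through one centralized decorator, as an added example (not PortSwigger's code). It models the /createUser case above: a forced-browsing request reaches the route, but the decorator reads the role from the server-side session and refuses anything not explicitly granted. The role table, the `/createUser` and `/reports` routes and the user store are constructed for the example.

```python
from functools import wraps


class Forbidden(Exception):
    """Raised for any denied function call."""


# Central permission table. There is no "allow" fallback: a role or function
# that is not listed here is denied.
ROLE_PERMISSIONS = {
    "admin": {"create_user", "delete_user", "view_reports"},
    "user": {"view_reports"},
}


def require_permission(permission: str):
    """Decorator applied to every business function. The check runs on the
    server and reads the role from the server-side session dict, never from
    a cookie, hidden field or query parameter."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(session: dict, *args, **kwargs):
            role = session.get("role")                 # set at login
            allowed = ROLE_PERMISSIONS.get(role, set())
            if permission not in allowed:             # DENY by default
                raise Forbidden(f"role {role!r} lacks {permission}")
            return fn(session, *args, **kwargs)
        wrapper.required_permission = permission       # used by audit below
        return wrapper
    return decorator


USERS = {"alice": "admin", "eve": "user"}  # constructed user store


@require_permission("create_user")
def create_user(session, username, role="user"):
    USERS[username] = role
    return username


@require_permission("view_reports")
def view_reports(session):
    return ["q1-report", "q2-report"]


ROUTES = {"/createUser": create_user, "/reports": view_reports}


def route(session: dict, path: str, *args):
    """Dispatcher modelled on a framework router. A guessed URL reaches the
    handler, but the decorator still enforces the check; unknown paths are
    denied rather than silently allowed."""
    handler = ROUTES.get(path)
    if handler is None:
        raise Forbidden(f"no such route {path}")
    return handler(session, *args)


def audit_unprotected(handlers) -> list:
    """Return names of handlers that lack the central check: the test a
    'centralized routine' policy needs so no function is missed."""
    return [h.__name__ for h in handlers if not hasattr(h, "required_permission")]


if __name__ == "__main__":
    admin = {"user": "alice", "role": "admin"}
    low = {"user": "eve", "role": "user"}
    print(route(admin, "/createUser", "mallory"))   # allowed
    try:
        route(low, "/createUser", "mallory")          # forced browsing, denied
    except Forbidden as exc:
        print("denied:", exc)
    print(audit_unprotected([create_user, view_reports]))  # []
```

Because the decision lives in `require_permission` and `ROLE_PERMISSIONS`, adding a function means adding one decorator line and one table entry; forgetting either produces a denial rather than an open endpoint, and `audit_unprotected` catches a handler that was never wrapped.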
  • using input from untrusted sources
    • occurs in apps that use input values to complete the authorization processes that determine what data users can access and manipulate
      • includes cookies, local storage, and hidden fields, input params, query params, etc
    • example
      • checking only whether a cookie exists
    • prevention
      • review any potential areas where an untrusted input could potentially enter the app
      • use a trusted framework in the app's architecture that prevents this weakness from occurring
      • if possible, try to avoid relying on any user input for authentication

More info: PortSwigger: Access Control Vulnerabilities and Privilege Escalation

Authentication vulnerabilities

  • Username enumeration vulnerability
    • someone brute forces through multiple usernames on the login form to find differing error responses that reveal valid usernames. then the person can focus on brute forcing the password.
    • prevention with strong authentication controls
      • strong password policy
      • securely hashed passwords, using unique salts
      • a generic message
      • account lock on too many failed login attempts (rate limiting)
      • a secure password recovery mechanism
      • a secure communication channel
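The "generic message" and "securely hashed passwords with unique salts" points, as an added example (not PortSwigger's code): a leaky login that answers "Unknown username" versus "Wrong password", next to one that always returns the same message, uses a per-user random salt with PBKDF2, and hashes against a dummy credential when the username does not exist so the server does the same amount of work either way. The `alice` account, the iteration count and the message strings are constructed for the example.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # constructed value; tune to your hardware
GENERIC_ERROR = "Invalid username or password"


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Return (salt, digest). A fresh 16-byte random salt is generated when
    none is supplied, so two users with the same password get different hashes."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Constructed user store: username -> (salt, digest)
USERS = {"alice": hash_password("correct horse battery staple")}

# Dummy credential used when the username is unknown, so an attacker cannot
# tell valid from invalid usernames by the response time of the hash step.
_DUMMY = hash_password(secrets.token_hex(16))


def login_leaky(username: str, password: str) -> tuple:
    """Vulnerable: the two failure paths return different messages, which is
    exactly the signal a username-enumeration scan looks for."""
    if username not in USERS:
        return False, "Unknown username"
    salt, stored = USERS[username]
    _, candidate = hash_password(password, salt)
    if candidate != stored:
        return False, "Wrong password"
    return True, "ok"


def login_generic(username: str, password: str) -> tuple:
    """Hardened: one generic message for every failure, constant-time digest
    comparison, and the same hashing work whether or not the user exists."""
    salt, stored = USERS.get(username, _DUMMY)
    _, candidate = hash_password(password, salt)
    ok = hmac.compare_digest(candidate, stored) and username in USERS
    return ok, ("ok" if ok else GENERIC_ERROR)


if __name__ == "__main__":
    print(login_leaky("nobody", "x"), login_leaky("alice", "x"))     # differ
    print(login_generic("nobody", "x"), login_generic("alice", "x"))  # identical
    print(login_generic("alice", "correct horse battery staple"))
```

The `username in USERS` guard is there only so a (practically impossible) match against the dummy digest can never log anyone in; the comparison itself still runs for every request.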
  • Forceful browsing vulnerability
    • occurs when access is allowed by default
    • most newer apps deny access by default so typically found in older apps
    • attackers can take advantage of typical URL patterns, links, etc. to find hidden web pages even without authentication
    • example:
      • attacker gains insight in product not yet released so attacker uses common naming conventions to find the hidden product page
    • prevention
      • ensure all relevant pages, routes, and endpoints require proper authentication and access checks
      • verify all endpoints, routes, and pages consistently follow business requirements rules
  • Insufficient Anti-automation vulnerability
    • occurs when parts of the app such as login forms, polls, etc. can be triggered using automated scripting techniques and there is a lack of checks to determine whether attempts are made by a human user. without such checks, we can't tell whether a request comes from a script or a human.
    • example:
      • some functionality only for authenticated users that has a login form without rate limiting. attacker can brute force in...
      • or, submitting many fake users, fake votes, etc.
    • prevention to verify human users
      • sophisticated CAPTCHA techniques. Some of these can still be bypassed by sophisticated bots, so be careful and choose a good implementation.
        • a mixture of distorted text in an image, a mathematical calculation, audio question, or logical puzzle
        • be careful also about accessibility
      • the number of consecutive requests from the same source could be limited, or use account lockouts to avoid brute forcing
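The rate-limit and lockout controls from the last bullet (and the "account lock on too many failed login attempts" point under authentication), as an added example that is not PortSwigger's code: a sliding-window limit on attempts per source plus a per-account lockout after consecutive failures. The window sizes, thresholds and the injectable clock are constructed for the example; in a real deployment the state would live in a shared store rather than process memory.

```python
import time
from collections import defaultdict, deque


class RateLimiter:
    """Two independent controls:
    - at most `max_per_window` attempts per source (e.g. client IP) within
      a sliding window of `window_s` seconds;
    - an account is locked for `lockout_s` seconds after `lockout_after`
      consecutive failed attempts, regardless of source.
    `clock` is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, max_per_window=5, window_s=60.0,
                 lockout_after=10, lockout_s=900.0, clock=time.monotonic):
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.lockout_after = lockout_after
        self.lockout_s = lockout_s
        self.clock = clock
        self._attempts = defaultdict(deque)  # source -> attempt timestamps
        self._failures = defaultdict(int)    # account -> consecutive failures
        self._locked_until = {}              # account -> unlock time

    def _prune(self, source):
        """Drop timestamps that have fallen out of the window."""
        now = self.clock()
        q = self._attempts[source]
        while q and now - q[0] > self.window_s:
            q.popleft()
        return q

    def check(self, source: str, account: str) -> tuple:
        """Call BEFORE the expensive work (password hash, CAPTCHA, vote).
        Returns (allowed, reason)."""
        now = self.clock()
        if self._locked_until.get(account, 0.0) > now:
            return False, "account locked"
        q = self._prune(source)
        if len(q) >= self.max_per_window:
            return False, "too many requests"
        q.append(now)
        return True, "ok"

    def record_result(self, account: str, success: bool) -> None:
        """Call after the attempt; a success resets the failure counter,
        enough consecutive failures lock the account."""
        if success:
            self._failures[account] = 0
            return
        self._failures[account] += 1
        if self._failures[account] >= self.lockout_after:
            self._locked_until[account] = self.clock() + self.lockout_s
            self._failures[account] = 0


if __name__ == "__main__":
    rl = RateLimiter(max_per_window=3, window_s=60)
    for i in range(4):
        print(i, rl.check("203.0.113.7", "bob"))   # 4th attempt is refused
```

Both controls are needed: the per-source limit alone is defeated by spreading attempts across many addresses, and the lockout alone lets a script hammer many different accounts; the lockout also creates a denial-of-service lever against a known username, which is why the lock is time-bounded rather than permanent.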

More Info: PortSwigger: Authentication vulnerabilities