Although authorization sounds similar to authentication and a relationship between the two exists, they are not the same and play a different role in the data security process.
In 2021, Broken Access Control moved up from the fifth to the first position in the OWASP Top 10. Besides, I did report some serious vulnerabilities to SaaS companies regarding unhandled authorization in the last months.
That's why it is important to know the difference between the two and what else to take care of to protect resources and information from being read or altered by third parties which should be prevented from doing so in order to secure web applications.
Authentication is the process of how an application verifies the identity of a user or system. In this step, a user proofs that he or she is who they claim to be.
Who are you?
Common methods of authentication often involve a set of credentials like a username and password, an API token, a session token, a JWT or a certificate. For a strong identity and access management, multi-factor authentication (MFA) should be considered to be implemented instead of relying on a single factor. This could prevent third parties from being able to login due to compromised login information or weak passwords being used.
The authorization process controls what an authenticated user or system is allowed to do. It is a security mechanism which manages the access for users and systems to specific resources, actions and application features. It grants or denies the access based on their roles, groups, permissions and privileges.
What are you allowed to do?
For example, while a user can be authenticated to a platform, the user is not authorized to edit the settings of another user.
A strong authorization and separation can contain the damage of credential theft by limiting the permissions to the minimum necessary a user or system needs to perform its tasks.
Here you can find a list of the most common concepts or mistakes I have seen in the wild. Of course, this list is not complete and may be extended in the future.
The principle of the least privilege (PoLP) describes that a user or system should only be granted the permissions they need to accomplish their duties and all other permissions should be removed by default.
Deny by default follows the more restrictive approach that all actions are prohibited unless explicitly authorized.
When not handled correct, modifying the URL allows an attacker to access unauthorized resources or cause unhandled or unknown side effects in a system.
For example, when a system solely relies on secretiveness of random generated strings or UUIDs in URLs, they can be made public available at a later time of the development process and will not be secret any longer.
Another example would be to alter a specific parameter in the URL to get information which should not be available. For instance, a parameter upcomingDays should handle how many days in the future a list could show data. What happens when an attacker enters a negative number?
Always run authorization checks
Prevention techniques:
GraphQL creates its own challenges regarding security: In GraphQL, you do not secure an endpoint, but you must carefully protect all queries, properties and mutations. Also think about disabling the introspection query on your production system since it allows an attacker to have insights in your system.
Just in case you did not follow my recommendations closely :)
As a software developer, taking care of the authentication and authorization process with a lot of accuracy is one of the fundamental challenges in order to secure a web application.
However, this is not something that is done once. It is a continuous process to take care of by the whole team in order to not open up security holes by adding new features or changing old ones.
Since the Broken Access Control is not the only security risk, developers should closely follow The Open Worldwide Application Security Project Top 10 to learn about the most common vulnerabilities in order to minimize security risks and to produce more secure code.
You should know what you are doing
Furthermore, with more and more code getting written by AI, there is a high chance that security will be neglected easily. At the end, it comes down to that You should know what you are doing.