HIGH broken access controlcassandra

Broken Access Control in Cassandra

Scan your API now

How Broken Access Control Manifests in Cassandra

Broken Access Control in Cassandra typically stems from misconfigured role‑based access control (RBAC) or from application code that trusts user‑supplied input when constructing CQL statements. When authentication is disabled or when overly permissive roles are granted, an attacker can read, modify, or delete data without authorization.

  • Excessive role permissions: Granting ALL permissions on a keyspace to the public role or to a generic service account gives any authenticated user full control. Example of a misconfiguration:
-- Dangerous: gives everyone full access
GRANT ALL ON KEYSPACE myapp TO public;
  • Disabled authentication: If the authenticator setting in cassandra.yaml is left at org.apache.cassandra.auth.AllowAllAuthenticator, anyone who can reach the TCP port (9042) can connect without credentials.
  • Injection‑style access bypass: Building CQL strings by concatenating user input can let an attacker alter the intended query. For instance, a Java method that appends a user‑supplied ID directly:
    • // Vulnerable: string concatenation opens the door to unauthorized reads
String cql = "SELECT * FROM users WHERE user_id = '" + userId + "';";
Session session = cluster.connect();
ResultSet rs = session.execute(cql);

    An attacker could supply userId = ' OR '1'='1 to retrieve every row, bypassing any application‑level checks. Similar techniques can be used to issue INSERT, UPDATE, or DROP statements if the associated role has write permissions.

    These patterns map directly to the OWASP API Security Top 10 item Broken Object Level Authorization (BOLA) and the broader Broken Access Control category. Real‑world incidents, such as CVE‑2019‑10099 (authentication bypass in Apache Cassandra), illustrate how weak access controls can be exploited at the protocol level.

    Cassandra‑Specific Detection — Including middleBrick

    middleBrick performs unauthenticated, black‑box scanning of the API surface that fronts a Cassandra cluster (e.g., REST/GraphQL wrappers, gRPC services, or direct native protocol endpoints). Because it does not require agents or credentials, it can discover misconfigurations that would be invisible to internal scanners.

    • Authentication probing attempts to connect to the Cassandra native port (9042) using the AllowAllAuthenticator handshake. If the server responds with a successful READY frame without requesting credentials, the scanner flags the endpoint as No authentication required.
    • Role‑privilege enumeration: After establishing a session (whether authenticated with a default credential or anonymously if allowed), middleBrick issues a series of read‑only CQL statements against system tables such as system.role_permissions and system_schema.keyspaces. Successful retrieval of permission rows indicates that the connected role has at least DESCRIBE visibility, which often correlates with excessive grants.
    • Write‑access testing: The scanner tries a benign INSERT into a test table (if one exists) or attempts to create a temporary table. If the operation succeeds, the finding is reported as Unauthorized write capability with severity high.
    • Injection detection: By sending payloads like ' OR 1=1-- in user‑controlled parameters of the front‑end API, middleBrick watches for changes in response size, status codes, or error messages that indicate the payload altered the executed CQL. Positive results are logged as Potential CQL injection leading to access bypass.

    All checks run in parallel and complete within the advertised 5‑15 second window. Findings are presented with a CVSS‑based severity, a short description, and remediation guidance that references Cassandra’s native features.

    Cassandra‑Specific Remediation — Using Native Features

    Fixing broken access control in Cassandra involves three layers: protocol‑level authentication, least‑privilege role design, and safe query construction in application code.

    • Enable authentication and encryption: Set authenticator: PasswordAuthenticator and authorizer: CassandraAuthorizer in cassandra.yaml. Then restart the node. Additionally, enable client‑to‑node encryption (server_encryption_options) to prevent credential sniffing.
    • Create minimal‑privilege roles: Avoid granting ALL or assigning permissions to the public role. Instead, define a role per service or microservice and grant only the needed operations on the specific keyspaces and tables.
    -- Create a role for the inventory service
CREATE ROLE inventory_service WITH PASSWORD = 'Str0ngP@ss!' AND LOGIN = true;
-- Grant only read/write on the tables it needs
GRANT SELECT, MODIFY ON KEYSPACE inventory TO inventory_service;
GRANT SELECT ON KEYSPACE system_schema TO inventory_service;  -- optional for metadata
  • Use prepared statements (or query builders): Never concatenate user input into CQL. The Java driver (and equivalent drivers for other languages) supports prepared statements that automatically handle escaping.
    • // Safe: prepared statement with bound variable
PreparedStatement ps = session.prepare(
    "SELECT * FROM users WHERE user_id = ?");
BoundStatement bs = ps.bind(userId);
ResultSet rs = session.execute(bs);
  • Validate and sanitize at the API layer: Even with prepared statements, enforce strict input validation (e.g., UUID format, length limits) before passing values to the driver. Return a 400 error for malformed data.
  • Monitor and audit: Enable Cassandra’s audit logging (audit_logging_options) to capture authentication attempts and CQL statements. Periodically review the logs for unexpected SELECT or MODIFY actions from roles that should not have them.

    • By combining these measures — turning on strong authentication, applying the principle of least privilege via Cassandra’s RBAC, and using parameterized queries — you eliminate the most common vectors for broken access control in Cassandra environments.

    Scan your API now Free API security scan

    Frequently Asked Questions

    Does middleBrick need any credentials or agents to scan a Cassandra‑backed API?
    No. middleBrick works purely from the outside: you provide the public URL (or host:port) of the service, and it performs unauthenticated black‑box checks. No agents, agents, or API keys are required.
    If I enable PasswordAuthenticator in Cassandra, will my existing applications stop working?
    Only if they currently rely on the default AllowAllAuthenticator. After switching to PasswordAuthenticator, you must create a role with the appropriate password and update your application’s connection settings to supply those credentials. Test in a staging environment first.

    Related Pages

    Broken Access Control in APIsLearn about broken access control vulnerabilities in APIs, how attackers exploit authorization flaws, and concrete preveCassandra API SecurityLearn how to secure Cassandra-backed APIs against injection attacks and data exposure. Discover Cassandra-specific vulneBroken Access Control on AzureBroken Access Control on AzureBroken Access Control on AwsLearn how broken access control manifests in Aws applications, from IAM role vulnerabilities to cross-account access issBroken Access Control with Basic AuthLearn how Broken Access Control manifests in Basic Auth systems, how to detect it with automated scanning, and implementBroken Access Control with Api KeysLearn how broken access control manifests in API keys through IDOR vulnerabilities, missing authorization checks, and prBroken Access Control with Bearer TokensLearn how Broken Access Control vulnerabilities manifest in Bearer Token implementations, how to detect them with automaBroken Access Control with Hmac SignaturesLearn how broken access control manifests in HMAC signature systems, from timestamp manipulation to missing authorizatioGdpr: Broken Access ControlLearn how GDPR violations stem from Broken Access Control in APIs, with detection methods and code-specific remediation Iso 27001: Broken Access ControlLearn how ISO 27001 applies to Broken Access Control, including attack patterns, detection methods, and code-level remedCis: Broken Access ControlLearn how Confidentiality, Integrity, and Availability (Cis) relate to Broken Access Control in APIs, with real attack pHipaa: Broken Access ControlLearn how HIPAA requirements intersect with Broken Access Control in healthcare APIs, including attack patterns, detecti