This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Top 10 2013-A7-Missing Function Level Access Control

From OWASP
Revision as of 17:06, 17 February 2013 by Neil Smithline (talk | contribs)

Jump to: navigation, search

NOTE: THIS IS NOT THE LATEST VERSION. Please visit the OWASP Top 10 project page to find the latest edition.

[[Top 10 {{{year}}}-Sensitive Data Exposure|← Sensitive Data Exposure]]
[[Top 10 {{{year}}}-Table of Contents | {{{year}}} Table of Contents]]

[[Top_10_{{{year}}}-Top 10|{{{year}}} Top 10 List]]

[[Top 10 {{{year}}}-Cross-Site Request Forgery (CSRF)|Cross-Site Request Forgery (CSRF) →]]
Threat Agents Attack Vectors Security Weakness Technical Impacts Business Impacts
Application Specific Exploitability
EASY		 Prevalence
COMMON		 Detectability
AVERAGE		 Impact
MODERATE		 Application / Business Specific
Anyone with network access can send your application a request. Could anonymous users access private functionality or regular users a privileged function? . Attacker, who is an authorized system user, simply changes the URL or a parameter to a privileged function. Is access granted? Anonymous users could access private functions that aren’t protected. Applications do not always protect application functions properly. Sometimes, function level protection is managed via configuration, and the system is misconfigured. Sometimes, developers must include the proper code checks, and they forget.

Detecting such flaws is easy. The hardest part is identifying which pages (URLs) or functions exist to attack.

Such flaws allow attackers to access unauthorized functionality. Administrative functions are key targets for this type of attack. Consider the business value of the exposed functions and the data they process.

Also consider the impact to your reputation if this vulnerability became public.

Am I Vulnerable To 'Missing Function Level Access Control'?

blank

How Do I Prevent 'Missing Function Level Access Control'?

blank

  1. blankBullet1
  2. blankBullet2
Example Attack Scenarios

blank

blank code

blank

http://example.com/app/accountView?id=' or '1'='1

blank

References

OWASP

External

[[Top 10 {{{year}}}-Sensitive Data Exposure|← Sensitive Data Exposure]]
[[Top 10 {{{year}}}-Table of Contents | {{{year}}} Table of Contents]]

[[Top_10_{{{year}}}-Top 10|{{{year}}} Top 10 List]]

[[Top 10 {{{year}}}-Cross-Site Request Forgery (CSRF)|Cross-Site Request Forgery (CSRF) →]]
© 2002-2013 OWASP Foundation This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license. Some rights reserved. CC-by-sa-3 0-88x31.png
[[Category:OWASP Top Ten {{{year}}} Project]]
Retrieved from "https://wiki.owasp.org/index.php?title=Top_10_2013-A7-Missing_Function_Level_Access_Control&oldid=144749"