Access control enforced by presentation layer

Revision as of 07:48, 24 March 2010 by Marcus Shockley (Talk | contribs)


Last revision (mm/dd/yy): 03/24/2010


Enforcing access control in the presentation layer means that the developer does not show buttons and links for functions and assets that are not authorized for the user. An attacker, however, is not constrained by the buttons and links presented, and can forge requests for those functions and assets. Forced browsing is one attack that targets this type of vulnerability.


Consequences

  • Disclosure of unauthorized assets (confidentiality)
  • Invocation of unauthorized business functions (integrity)

Exposure period

  • Design phase


Platform

  • Languages: any
  • Operating platforms: any

Required resources

  • Generally requires a user login, although not always

Severity

Very high -- can result in disclosure of sensitive information or the invocation of protected business functions.

Likelihood of exploit

With access to the source code, this vulnerability is very likely to be exploited.

Avoidance and mitigation

Access control must be performed in the business layer, not only the presentation layer.

Discussion

This vulnerability is similar in some ways to Validation performed in client, in that the same security checks are performed in two places. Performing the check in the business logic, just like performing validation on the server, is critical to security. However, many web applications and web services only do access control in the presentation layer, allowing an attacker to easily access unprotected functions.

Risk Factors

Examples

//FIXME: JSP example of not showing a link


    // Incorrect usage example
    // Example of using custom code to control access through the presentation
    // layer. This code creates a vulnerability, because the administration page
    // referenced in the href attribute is not protected, and a user could navigate
    // to it directly.
    if (currentUser.Role == Role.Admin)
        Response.Write("<a href=\"#administrationlink\">Administration Menu</a>");
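The following is an added example, not code from the OWASP page: a minimal request router (all names, users and routes are constructed for illustration) that contrasts the incorrect pattern above, where only the link is hidden, with the same business function protected by a server-side role check, so a request for the path that bypasses the link is refused.

```python
# Added example (constructed): presentation-layer hiding vs. business-layer enforcement.
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

ADMIN_ROLE = "Admin"  # assumed role name


@dataclass
class User:
    name: str
    role: str


def render_home(user: User) -> str:
    """Presentation layer: hides the link from non-admins. Fine as UX, not a control."""
    html = "<h1>Home</h1>"
    if user.role == ADMIN_ROLE:
        html += '<a href="/admin">Administration Menu</a>'
    return html


def admin_menu_vulnerable(user: User) -> Tuple[int, str]:
    """Business function with no authorization check; it relies on the hidden link."""
    return 200, "<h1>Administration Menu</h1>"


def admin_menu_fixed(user: User) -> Tuple[int, str]:
    """Business function that re-applies the rule where the request is actually served."""
    if user.role != ADMIN_ROLE:
        return 403, "Forbidden"
    return 200, "<h1>Administration Menu</h1>"


def handle(path: str, user: User, secure: bool) -> Tuple[int, str]:
    """Dispatch a request. The path is client-controlled: a user can type /admin
    directly, whether or not the home page ever showed them the link."""
    routes: Dict[str, Callable[[User], Tuple[int, str]]] = {
        "/": lambda u: (200, render_home(u)),
        "/admin": admin_menu_fixed if secure else admin_menu_vulnerable,
    }
    view = routes.get(path)
    if view is None:
        return 404, "Not Found"
    return view(user)


if __name__ == "__main__":
    bob = User("bob", "User")
    print("link shown to bob:", "/admin" in render_home(bob))  # False
    print("vulnerable app, direct /admin:", handle("/admin", bob, secure=False)[0])  # 200
    print("fixed app, direct /admin:", handle("/admin", bob, secure=True)[0])  # 403
```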

Related Attacks

Related Vulnerabilities

Related Controls

Related Technical Impacts