Difference between revisions of "Top 10 2013-A7-Missing Function Level Access Control"

From OWASP
Line 1: Line 1:
= TEMPORARY PLACEHOLDER for 2013 T10 =
 
 
{{Top_10_2013:TopTemplate
 
{{Top_10_2013:TopTemplate
 
     |usenext=2013NextLink
 
     |usenext=2013NextLink
Line 15: Line 14:
 
{{Top_10_2010:SummaryTableValue-2-Template|Prevalence|COMMON}}
 
{{Top_10_2010:SummaryTableValue-2-Template|Prevalence|COMMON}}
 
{{Top_10_2010:SummaryTableValue-2-Template|Detectability|AVERAGE}}
 
{{Top_10_2010:SummaryTableValue-2-Template|Detectability|AVERAGE}}
{{Top_10_2010:SummaryTableValue-1-Template|Impact|SEVERE}}
+
{{Top_10_2010:SummaryTableValue-2-Template|Impact|MODERATE}}
 
{{Top_10_2010:SummaryTableHeaderEndTemplate}}
 
{{Top_10_2010:SummaryTableHeaderEndTemplate}}
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>blank.</td>
+
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Anyone with network access can send your application a request. Could anonymous users access private functionality or regular users a privileged function?
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>blank</td>
+
.</td>
     <td colspan=2  {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>blank</td>
+
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Attacker, who is an authorized system user, simply changes the URL or a parameter to a privileged function. Is access granted? Anonymous users could access private functions that aren’t protected.
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>blank</td>
+
</td>
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>blank</td>
+
     <td colspan=2  {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Applications do not always protect application functions properly. Sometimes, function level protection is managed via configuration, and the system is misconfigured. Sometimes, developers must include the proper code checks, and they forget.
 +
 
 +
Detecting such flaws is easy. The hardest part is identifying which pages (URLs) or functions exist to attack.
 +
</td>
 +
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Such flaws allow attackers to access unauthorized functionality. Administrative functions are key targets for this type of attack.
 +
</td>
 +
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Consider the business value of the exposed functions and the data they process.
 +
 
 +
Also consider the impact to your reputation if this vulnerability became public.
 +
</td>
 
{{Top_10_2010:SummaryTableEndTemplate}}
 
{{Top_10_2010:SummaryTableEndTemplate}}
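Review bot: the Attack Vectors cell added on the right is closed by a separate line reading `.</td>`, so the rendered cell ends with a stray period after "privileged function?"; put the closing tag at the end of the sentence (`...a privileged function?</td>`) and drop the period. The same edit also lowers the Impact rating from SEVERE (SummaryTableValue-1) to MODERATE (SummaryTableValue-2); if that downgrade is intended, it deserves a mention in the edit summary so it is not mistaken for a template-name fix.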
  

Revision as of 12:06, 17 February 2013

[[Top 10 {{{year}}}-Sensitive Data Exposure|← Sensitive Data Exposure]]
2013 Table of Contents

2013 Top 10 List

[[Top 10 {{{year}}}-Cross-Site Request Forgery (CSRF)|Cross-Site Request Forgery (CSRF) →]]
Threat Agents: Application Specific
Anyone with network access can send your application a request. Could anonymous users access private functionality, or regular users a privileged function?

Attack Vectors: Exploitability EASY
An attacker who is an authorized system user simply changes the URL or a parameter to a privileged function. Is access granted? Anonymous users could access private functions that aren't protected.

Security Weakness: Prevalence COMMON, Detectability AVERAGE
Applications do not always protect application functions properly. Sometimes function level protection is managed via configuration, and the system is misconfigured. Sometimes developers must include the proper code checks, and they forget.

Detecting such flaws is easy. The hardest part is identifying which pages (URLs) or functions exist to attack.

Technical Impacts: Impact MODERATE
Such flaws allow attackers to access unauthorized functionality. Administrative functions are key targets for this type of attack.

Business Impacts: Application / Business Specific
Consider the business value of the exposed functions and the data they process.

Also consider the impact to your reputation if this vulnerability became public.
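The weakness and its fix side by side, as an added example that is not part of the OWASP page: a minimal request dispatcher that serves any function to anyone who knows the URL, beside one that applies a single deny-by-default role check to every request before the function runs. The route table, role names and log line are constructed for this example.

```python
import logging

log = logging.getLogger("authz")

# Constructed route table: every function declares the roles allowed to call it.
# A function missing from this table is refused, so a forgotten entry fails closed.
REQUIRED_ROLE = {
    "/app/accountView": {"user", "admin"},
    "/app/admin/deleteUser": {"admin"},
}


def handler(path):
    """Stand-in for the real application function."""
    return "served %s" % path


def dispatch_vulnerable(path, role):
    """The flaw: the UI hides admin links from regular users, but the server
    never checks who is calling. Editing the URL reaches the function."""
    base = path.split("?", 1)[0]        # strip the query string
    if base not in REQUIRED_ROLE:
        return 404, "not found"
    return 200, handler(base)           # role is never consulted


def dispatch_hardened(path, role):
    """The fix: one authorization check on every request, evaluated before
    the function runs. Anonymous callers (role None) and roles not listed
    for the function are refused."""
    base = path.split("?", 1)[0]
    allowed = REQUIRED_ROLE.get(base)
    if allowed is None:
        return 404, "not found"
    if role is None:
        return 401, "authentication required"
    if role not in allowed:
        # A regular user calling a privileged function is exactly the attack
        # vector described above, so denied calls are worth logging and alerting on.
        log.warning("function-level access denied: role=%s path=%s", role, base)
        return 403, "forbidden"
    return 200, handler(base)
```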

Am I Vulnerable To 'Missing Function Level Access Control'?

blank

How Do I Prevent 'Missing Function Level Access Control'?

blank

  1. blankBullet1
  2. blankBullet2
Example Attack Scenarios

blank

blank code

blank

http://example.com/app/accountView?id=' or '1'='1

blank

References

OWASP

External


© 2002-2013 OWASP Foundation. This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license. Some rights reserved.
[[Category:OWASP Top Ten {{{year}}} Project]]