Top 10 2013-A7-Missing Function Level Access Control

From OWASP
Revision as of 12:06, 17 February 2013 by Neil Smithline (Talk | contribs)

← Sensitive Data Exposure | 2013 Table of Contents | 2013 Top 10 List | Cross-Site Request Forgery (CSRF) →
Threat Agents
Application Specific
Anyone with network access can send your application a request. Could anonymous users access private functionality, or regular users a privileged function?

Attack Vectors
Exploitability: EASY
An attacker who is an authorized system user simply changes the URL or a parameter to point at a privileged function. Is access granted? Anonymous users could access private functions that aren't protected.

Security Weakness
Prevalence: COMMON
Detectability: AVERAGE
Applications do not always protect application functions properly. Sometimes function-level protection is managed via configuration, and the system is misconfigured. Sometimes developers must include the proper code checks, and they forget.

Detecting such flaws is easy. The hardest part is identifying which pages (URLs) or functions exist to attack.

Technical Impacts
Impact: MODERATE
Such flaws allow attackers to access unauthorized functionality. Administrative functions are key targets for this type of attack.

Business Impacts
Application / Business Specific
Consider the business value of the exposed functions and the data they process. Also consider the impact to your reputation if this vulnerability became public.
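The weakness and the check described above, as an added illustration that is not OWASP's own code: a small in-memory web dispatcher in two versions. The vulnerable version checks only that the caller is logged in, so a regular user who simply types the admin URL reaches the privileged function; the hardened version records the required role next to every route and enforces it centrally before any handler runs. The forced-browsing routine at the end does what the table calls "easy" detection: it walks a list of known URLs with an anonymous and a low-privilege session and reports which privileged functions answer 200. The application, paths, session tokens and roles are invented for the example.

```python
"""Function-level access control: vulnerable dispatcher, hardened dispatcher,
and a forced-browsing check that finds the gap.

Added illustration, not OWASP's code. Routes, users, tokens and roles are
constructed for the example and stand in for any web application.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sessions: token -> role. A request without a token is anonymous.
SESSIONS: Dict[str, str] = {"tok-alice": "user", "tok-admin": "admin"}
ROLE_RANK = {"user": 1, "admin": 2}  # admin outranks user


@dataclass
class Request:
    path: str
    token: Optional[str] = None  # None = anonymous


def role_of(req: Request) -> Optional[str]:
    """Map the session token to a role; unknown or missing token -> None."""
    return SESSIONS.get(req.token) if req.token else None


# Business functions. None of them checks authorization itself, which is why
# the check has to live in the dispatcher rather than be left to each author.
def view_profile(req: Request) -> str:
    return f"profile of {role_of(req)}"


def list_users(req: Request) -> str:  # privileged function
    return "alice, bob, carol"


def delete_user(req: Request) -> str:  # privileged function
    return "user deleted"


# Vulnerable: the admin routes are "protected" only by the UI not showing the
# link. The dispatcher checks authentication, never authorization.
VULN_ROUTES: Dict[str, Callable[[Request], str]] = {
    "/app/profile": view_profile,
    "/app/admin/users": list_users,
    "/app/admin/deleteUser": delete_user,
}


def vulnerable_dispatch(req: Request) -> int:
    handler = VULN_ROUTES.get(req.path)
    if handler is None:
        return 404
    if role_of(req) is None:
        return 401  # login required, but any logged-in role passes
    handler(req)
    return 200


# Hardened: every route declares the minimum role, and the dispatcher enforces
# it before the handler runs. A route cannot be registered without a policy,
# so a forgotten check shows up at registration, not as an open endpoint.
SAFE_ROUTES: Dict[str, Tuple[Callable[[Request], str], str]] = {
    "/app/profile": (view_profile, "user"),
    "/app/admin/users": (list_users, "admin"),
    "/app/admin/deleteUser": (delete_user, "admin"),
}


def safe_dispatch(req: Request) -> int:
    entry = SAFE_ROUTES.get(req.path)
    if entry is None:
        return 404
    handler, required = entry
    role = role_of(req)
    if role is None:
        return 401
    if ROLE_RANK.get(role, 0) < ROLE_RANK[required]:
        return 403  # authenticated but not authorized
    handler(req)
    return 200


# Forced-browsing check: request every privileged URL with each low-privilege
# session and record the ones that succeed. Building the URL list is the hard
# part in practice (site maps, JavaScript, error pages); here it is known.
PRIVILEGED = sorted(p for p, (_, role) in SAFE_ROUTES.items() if role == "admin")


def forced_browse(dispatch: Callable[[Request], int]) -> Dict[str, List[str]]:
    findings: Dict[str, List[str]] = {}
    for label, token in (("anonymous", None), ("user", "tok-alice")):
        reachable = [p for p in PRIVILEGED if dispatch(Request(p, token)) == 200]
        if reachable:
            findings[label] = reachable
    return findings


if __name__ == "__main__":
    print("vulnerable:", forced_browse(vulnerable_dispatch))
    print("hardened:  ", forced_browse(safe_dispatch))
```

Two design points carry over to real frameworks: the authorization decision is made once, in the dispatcher, from a declaration that sits beside the route, and the check distinguishes 401 (no session) from 403 (session with insufficient role) so that the forced-browsing run can tell "not logged in" from "logged in and blocked". Hiding links, obscure URLs, or checks scattered through individual handlers do not survive a user who edits the address bar.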

Am I Vulnerable To 'Missing Function Level Access Control'?


How Do I Prevent 'Missing Function Level Access Control'?

Example Attack Scenarios




© 2002-2013 OWASP Foundation This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license. Some rights reserved. CC-by-sa-3 0-88x31.png
[[Category:OWASP Top Ten {{{year}}} Project]]