Scribd
Upload
91 views

Missing Functional Level Access Control: OWASP Web App Top 10

An attacker could gain access to unauthorized functionality or resources if functional level access control is missing from a web application. Without proper authorization checks, an attacker could access administrative panels or view restricted data. This could allow theft of customer data, disruption of website operations, and loss of revenue and customers. To prevent this, all functions need role-based authorization implemented through centralized routines, denying access by default.

Uploaded by

erick
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
91 views

Missing Functional Level Access Control: OWASP Web App Top 10

An attacker could gain access to unauthorized functionality or resources if functional level access control is missing from a web application. Without proper authorization checks, an attacker could access administrative panels or view restricted data. This could allow theft of customer data, disruption of website operations, and loss of revenue and customers. To prevent this, all functions need role-based authorization implemented through centralized routines, denying access by default.

Uploaded by

erick
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 6

Missing Functional Level

Access Control
OWASP Web App Top 10
What is it?
“Missing Functional Level
Access Control” occurs
when users can perform
functions they have not
been authorized for or
when resources can be What causes it?
accessed by unauthorized
Functional level access control is
users.
missing when access checks have
not been implemented or when a
protection mechanism exists but is
not properly configured.
What could happen?
An attacker could forge requests
in order to access functionality
without proper authorization. An
attacker could gain access to the
administrative panel of your
application. An employee from the How to prevent it?
sales department could view
Protect all business functions using a role
information from the financial
based authorization mechanism, server
department.
side. Authorization should be
implemented using centralized
authorization routines. Deny access by
default.
Missing Functional Level Access Control
Understanding the security vulnerability

An attacker is an By either guessing or brute forcing He browses to this page


authenticated user of a site. URL’s he is eventually able to find and can access a status
He’s trying to gain elevated an unprotected administrative page. page that is only
access to the application. intended for
administrators to view.

https://site.com/app/priv_statuspag
e
https://site.com/app/adm_statuspage

https://site.com/app/admin_statuspage
Missing Functional Level Access Control
Understanding the security vulnerability

An attacker is an Knowing the framework, the Since the ‘createUser’ function The attacker logs in
authenticated user of attacker crafts a request to is not properly protected by using the credentials
a site. The site uses a create a new user with control checks, the request of the newly created
popular framework. elevated permissions. succeeds and a new user is admin user. He steals
created. all the customer data.

POST /action/createUser

name=attacker&pw=3GYT!6&role=admin

User ‘attacker’
created.
Login: attacker, password: 3GYT!6

Welcome ‘attacker’!
Missing Functional Level Access Control
Realizing the impact

Accounts could be taken over, including


privileged ones. With a stolen account, an
attacker could do anything the victim could do.

Sensitive end-user (customer) data could be stolen,


leading to reputational damage and revenue loss.

A stolen administrator account could lead to


disruption of the website, causing loss of customers
and revenue.
Missing Functional Level Access Control
Preventing the mistake

All business functions should be authorized.

Implement authorization using a role based mechanism.

Use centralized authorization routines.


Easy to use external modules.

Deny access by default.


see also “Least Privilege”.

Perform access control, server side.

You might also like