Access Control Issue - Improper Authorization
- Risk: High
- Type: Tool
- CWE: CWE-205
- Summary
Insufficient Authorization results when an application does not perform adequate authorization checks to ensure that the user is performing a function or accessing data in a manner consistent with the security policy. Authorization procedures should enforce what a user, service or application is permitted to do. When a user is authenticated to a web site, it does not necessarily mean that the user should have full access to all content and functionality.

Insufficient Function Authorization

Many applications grant different application functionality to different users. A news site allows users to view news stories but not publish them. An accounting system has different permissions for an Accounts Payable clerk and an Accounts Receivable clerk. Insufficient Function Authorization happens when an application does not prevent users from accessing application functionality in violation of security policy.

A very visible example was the 2005 hack of the Harvard Business School's application process. An authorization failure allowed users to view their own data when they should not have been allowed to access that part of the web site.

Insufficient Data Authorization

Many applications expose underlying data identifiers in a URL. For example, when accessing a medical record on a system one might have a URL such as:

https://example.com/RecordView?id=12345

If the application does not check that the authenticated user ID has read rights to that record, it can display data that the user should not see.

Insufficient Data Authorization is more common than Insufficient Function Authorization because programmers generally have complete knowledge of application functionality, but do not always have a complete mapping of all data that the application will access. Programmers often have tight control over function authorization mechanisms, but rely on other systems such as databases to perform data authorization.
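The two failure modes described above, as an added example that is not part of this finding's text: an unchecked record lookup driven by the URL id beside a lookup that enforces ownership (data authorization), plus a role-gated publish function (function authorization). The users, roles, record ids and the `clinician`/`editor` role names are constructed for illustration.

```python
# Added example (not from the scanner's page): a minimal service layer that
# enforces both kinds of authorization the summary describes. Users, roles
# and record data are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    user_id: int
    roles: frozenset

@dataclass(frozen=True)
class Record:
    record_id: int
    owner_id: int

class AuthorizationError(PermissionError):
    """Raised when the caller is not permitted the requested action."""

# Constructed sample data standing in for the application's database.
RECORDS = {
    12345: Record(record_id=12345, owner_id=7),
    12346: Record(record_id=12346, owner_id=8),
}

def view_record_unchecked(user: User, record_id: int) -> Record:
    # Insufficient Data Authorization: the id from the URL
    # (RecordView?id=12345) is trusted, so any authenticated user can
    # read any record they can name.
    return RECORDS[record_id]

def view_record(user: User, record_id: int) -> Record:
    # Data authorization: the record must belong to the caller unless the
    # caller holds a role explicitly allowed to read all records. Missing
    # and forbidden ids get the same response so the check is not an
    # oracle for which record ids exist.
    record = RECORDS.get(record_id)
    if record is None or (
        record.owner_id != user.user_id and "clinician" not in user.roles
    ):
        raise AuthorizationError("record not accessible")
    return record

def publish_story(user: User, story: str) -> dict:
    # Function authorization: publishing is a separate capability from
    # reading, granted by role and denied by default.
    if "editor" not in user.roles:
        raise AuthorizationError("publishing requires the editor role")
    return {"status": "published", "story": story, "by": user.user_id}
```

The scanner's own check in "Other info" is the black-box version of the same test: request a resource as a given user and compare the observed outcome against the access rule defined for that resource.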
- Solution
Phases: Architecture and Design; Operation
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Phase: Architecture and Design
Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.
- Other info
- Accessed as user: username. Request detected as authorized: false. The defined access rule for this resource is that access should be: Allowed.
- References
https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html