Missing Function Level Access Control OWASP 2013

Most of the web applications will verify function level access rights before making the functionality visible in the user interface. The applications are also needed to perform the same access control checks on the server when each of the functions are accessed. If the requests are not verified an attackers can forge requests in order to access the functionality without any proper authorization.

Example

An attacker force browses to target URLs. Admin rights mandatory for access to the admin page.

        http://example.com/app/app_image
        
        http://example.com/app/admin_Page

    

If an unauthenticated user can access either of the pages it’s a flaw. If a non-admin can access the admin page that is also a flaw.

Impact

Missing Function Level Access Control can allow attackers to access some unauthorized functionality. Administrative functions are main target of this type of attack.

Mitigation / Precaution

  • Use a central application component to verify access control.

  • Drive all the access control decisions from a lower privileged user’s session,

Related Articles