Missing Function Level Access Control OWASP 2013

Most of the web applications will verify function level access rights before making the functionality visible in the user interface. The applications are also needed to perform the same access control checks on the server when each of the functions are accessed. If the requests are not verified an attackers can forge requests in order to access the functionality without any proper authorization.


An attacker force browses to target URLs. Admin rights mandatory for access to the admin page.



If an unauthenticated user can access either of the pages it’s a flaw. If a non-admin can access the admin page that is also a flaw.


Missing Function Level Access Control can allow attackers to access some unauthorized functionality. Administrative functions are main target of this type of attack.

Mitigation / Precaution

  • Use a central application component to verify access control.

  • Drive all the access control decisions from a lower privileged user’s session,

Related Articles