Most of the web applications will verify function level access rights before making the functionality visible in the user interface. The applications are also needed to perform the same access control checks on the server when each of the functions are accessed. If the requests are not verified an attackers can forge requests in order to access the functionality without any proper authorization.
Example
An attacker force browses to target URLs. Admin rights mandatory for access to the admin page.
http://example.com/app/app_image
http://example.com/app/admin_Page
If an unauthenticated user can access either of the pages it’s a flaw. If a non-admin can access the admin page that is also a flaw.
Impact
Missing Function Level Access Control can allow attackers to access some unauthorized functionality. Administrative functions are main target of this type of attack.
Mitigation / Precaution
Use a central application component to verify access control.
Drive all the access control decisions from a lower privileged user’s session,
