Wednesday, May 22, 2024

A7 Missing Function Level Access Control

Function Level Access Control can be exploited easily, if there is an missing access control on resource control, exploiting the risk is simple as plugging the URL in browser. Privelance is very common, whereas the detect-ability ratio is Average and impact is Moderate.


Let’s imagine this user is Authenticated as admin, so he making an Authenticated request to the server, and once the server responds this user will have a navigation link in browser for admin. Now if the attacker requested the admin, unfortunately sometimes websites itself return the admin page.

So why it’s the missing function of access level, this is the specific case OWASP talks about. Within the presentation layer only security trimming in place, however the resource behind the link have no access controls.

Understanding missing function Level access controls
  • Does the UI show navigation to unauthorized functions?
  • Are server side Authentication or authorization tokens missing?
  • Are the server side check done solely rely on information provided by the attacker?
  • A system or diagnostics resources accessible without proper authorization?
  • Will forced browsing disclose unsecured resources?
Common Defenses
  • Define a clear authorization model, centrally and consistently.
  • Use roles and then apply memberships.
  • Check for default framework and resources.
  • Check forced browsing with Automated scanners.
  • Capture and replay privileged requests.
  • Include post request and Async calls.

Latest articles

Hackers Claiming Access to Qatar National Bank Database

A group of hackers has claimed to have accessed the database of Qatar National...

Cloud-Based Malware Attack Abusing Google Drive & Dropbox

A phishing email with a malicious zip attachment initiates the attack. The zip contains...

OmniVision Technologies Cyber Attack, Hackers Stolen Personal Data in Ransomware Attack

OmniVision Technologies, Inc. (OVT) recently disclosed a significant security breach that compromised its clients'...

Critical Flaw In Confluence Server Let Attackers Execute Arbitrary Code

The widely used team workspace corporate wiki Confluence has been discovered to have a...

Threat Actors Leverage Bitbucket Artifacts to Breach AWS Accounts

In a recent investigation into Amazon Web Services (AWS) security breaches, Mandiant uncovered a...

Hackers Breached Western Sydney University Microsoft 365 & Sharepoint Environments

Western Sydney University has informed approximately 7,500 individuals today of an unauthorized access incident...

Memcyco Report Reveals Only 6% Of Brands Can Protect Their Customers From Digital Impersonation Fraud

Memcyco Inc., provider of digital trust technology designed to protect companies and their customers...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles