
OWASP : Missing Function Level Access Control

Security specialist Jonathan Jenkyn continues his posts with a focus on OWASP; this post covers Missing Function Level Access Control.

This is the seventh in a series of posts on the OWASP Top Ten. And it's going to be a very short post.

Not because I've got Christmas shopping still to do, and not because it's really not a very important vulnerability.

Actually, I do still have Christmas shopping to complete, but the point is this really is a very simple vulnerability to explain and fix.

I am groot!

Let's imagine we build a web site that has several sections:

  1. Pages available to unauthenticated users
  2. Pages available only to logged in users
  3. Pages available only to logged in administrators


This is the case for lots of web sites I can think of, i.e. a single web site offers a different user experience depending on how you have authenticated to the site. Even this site has a login page which I use to edit my posts, but there are other users who have more permissive rights on the system, all the way up to the administrator. I don't need those rights to do my work, and so I don't have them on this system.

This risk, though, is dead simple: when one of those pages or functions is accessed, the level of authentication required for that page or function is not checked on the server.

So in our example above:

  • If, as an unauthenticated user, I can access (2) or (3), the web site fails the test.
  • If, as an authenticated (non-administrator) user, I can access (3), the web site fails the test.

When I say "access", I mean typing the URL in directly, or otherwise forcing my way to the page. Not displaying the link on a page, or hiding it somewhere obscure, is not sufficient to stop an attacker from discovering that the page exists ("security by obscurity" is not security).

Hire a lazy developer to fix this

As a programmer, fixing this means a little bit of additional leg work up front, but if you treat it the same way as an input data sanitisation pattern, one reusable check applied at every entry point rather than ad hoc checks scattered through the code, it's honestly much easier (JJ's Tip of the Day: use a database to store user-level function access requirements).

This is another case of making sure your developers are the right type of lazy. Lazy enough to want to reuse code from elsewhere, but not so lazy that they don't bother at all!
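The risk described above (whoever types the URL gets the page) and the fix (one reusable check, driven by a table of per-function access requirements) side by side, as an added Python example that is not code from the original post. The routes, role names, users and the in-memory requirements table are constructed for illustration; a real site would read the requirements from the database the tip mentions and run the check once in its request pipeline, before any handler.

```python
"""Added example (not from the original post): central function-level access control.

A small in-memory "database" maps each URL/function to the minimum role it needs.
One check runs before any handler, and a route with no entry is denied (fail closed),
so a newly added page can never silently become public. All data here is constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Ordered privilege levels: a higher number means more privilege (assumed scheme).
ROLE_LEVEL = {"anonymous": 0, "user": 1, "admin": 2}

# "Database" of function-level access requirements (constructed sample data),
# mirroring the three sections in the post.
FUNCTION_ACCESS: Dict[str, str] = {
    "/": "anonymous",          # (1) pages available to unauthenticated users
    "/account": "user",        # (2) pages available only to logged-in users
    "/admin/users": "admin",   # (3) pages available only to administrators
}


@dataclass
class User:
    name: str
    role: str


ANONYMOUS = User(name="anonymous", role="anonymous")


def is_authorized(path: str, user: Optional[User]) -> bool:
    """True only if the caller's role meets the requirement stored for `path`.

    Unknown paths and unknown roles are denied rather than allowed, so the
    check fails closed when someone forgets to register a new function.
    """
    required = FUNCTION_ACCESS.get(path)
    if required is None:
        return False
    role = (user or ANONYMOUS).role
    return ROLE_LEVEL.get(role, -1) >= ROLE_LEVEL[required]


# The handlers contain no access checks at all: that is the point of the pattern.
def home(user: User) -> str:
    return "welcome"


def account(user: User) -> str:
    return f"account of {user.name}"


def admin_users(user: User) -> str:
    return "user list"


HANDLERS: Dict[str, Callable[[User], str]] = {
    "/": home,
    "/account": account,
    "/admin/users": admin_users,
}


def respond_vulnerable(path: str, user: Optional[User]) -> Tuple[int, str]:
    """Missing function level access control: typing the URL is enough.

    The links to /admin/users may be hidden from ordinary users, but nothing
    here stops an unauthenticated caller who simply requests the path.
    """
    return 200, HANDLERS[path](user or ANONYMOUS)


def respond(path: str, user: Optional[User]) -> Tuple[int, str]:
    """Hardened front door: the single central check runs before any handler."""
    if not is_authorized(path, user):
        return 403, ""  # denied before the handler is ever reached
    return 200, HANDLERS[path](user or ANONYMOUS)


if __name__ == "__main__":
    alice = User("alice", "user")
    root = User("root", "admin")
    print(respond_vulnerable("/admin/users", None))   # the bug: anonymous sees the admin page
    print(respond("/admin/users", None))              # (403, '')
    print(respond("/admin/users", alice))             # (403, '') - logged in, but not admin
    print(respond("/admin/users", root))              # (200, 'user list')
    print(respond("/reports", root))                  # (403, '') - unregistered route fails closed
```

Because every request passes through `respond`, adding a page means adding one row to `FUNCTION_ACCESS` rather than remembering to write a check inside each handler, which is the "right type of lazy" the post asks for.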

Now to find a ghastly pair of socks for my dad!

Next time: Cross-Site Request Forgery (CSRF)

Join the conversation on Twitter: @OWASP #OWASPtop10 #missingaccesscontrol