| Details | |
|---|---|
| Alert ID | 10102 |
| Alert Type | Tool |
| Status | alpha |
| Risk | High |
| CWE | 205 |
| WASC | 2 |
| Technologies Targeted | All |
| Tags |
CWE-205 OWASP_2017_A05 OWASP_2021_A01 |
| More Info |
Scan Rule Help |
Summary
Insufficient Authorization results when an application does not perform adequate authorization checks to ensure that the user is performing a function or accessing data in a manner consistent with the security policy. Authorization procedures should enforce what a user, service or application is permitted to do. When a user is authenticated to a web site, it does not necessarily mean that the user should have full access to all content and functionality.
Insufficient Function Authorization
Many applications grant different application functionality to different users. A news site will allows users to view news stories, but not publish them. An accounting system will have different permissions for an Accounts Payable clerk and an Accounts Receivable clerk. Insufficient Function Authorization happens when an application does not prevent users from accessing application functionality in violation of security policy.
A very visible example was the 2005 hack of the Harvard Business School’s application process. An authorization failure allowed users to view their own data when they should not have been allowed to access that part of the web site.
Insufficient Data Authorization
Many applications expose underlying data identifiers in a URL. For example, when accessing a medical record on a system one might have a URL such as:
https://example.com/RecordView?id=12345
If the application does not check that the authenticated user ID has read rights, then it could display data to the user that the user should not see.
Insufficient Data Authorization is more common than Insufficient Function Authorization because programmers generally have complete knowledge of application functionality, but do not always have a complete mapping of all data that the application will access. Programmers often have tight control over function authorization mechanisms, but rely on other systems such as databases to perform data authorization.
Solution
Phases: Architecture and Design; Operation Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. Phase: Architecture and Design Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.Other Info
Accessed as user: username Request detected as authorized: false. The defined access rule for resource is that access should be: Allowed.References
- https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
- https://cwe.mitre.org/data/definitions/284.html
- https://cwe.mitre.org/data/definitions/285.html