Insufficient Authorization
Description

Insufficient authorization vulnerabilities occur when the application allows a user to perform an action without first checking that the user holds the privileges required to carry it out. This lets attackers perform actions that the application's designers never intended them to be able to perform. For example, if privileges are not checked properly, an attacker with an unprivileged account might be able to upload files to the server, even though the application by design should not allow that.

Applications of every kind can be affected by insufficient authorization vulnerabilities; any operation that is exposed without a privilege check is a candidate.

Impact

The impact of an insufficient authorization vulnerability depends on the action that the attacker is able to perform. Essentially, the attacker will be able to do whatever the application does not prevent them from doing. The attacker will usually attempt to take full control of the application by injecting malicious code into the application code or data, or by taking over user accounts.

One of the most common and serious types of insufficient authorization vulnerability is an application that allows unauthorized users to upload arbitrary files. In this scenario, an attacker is able to upload malicious code to the server and execute arbitrary code with the privileges of the affected application. This compromises all application data and gives the attacker the ability to abuse the application to attack its users, or to use the server as part of a botnet.

Another common type of insufficient authorization vulnerability is when the application fails to sufficiently protect account management functions. This allows an attacker to change account details, take over accounts, and do anything that the compromised accounts can do.

A less serious example of insufficient authorization is when valuable data can be accessed by users who lack the privileges required for it. For example, an unauthenticated attacker might be able to download sensitive documents from a corporate server, or a person might be able to download music from a commercial site without paying.

Other types of insufficient authorization vulnerabilities exist. They tend to be specific to the particular applications and operations that are not sufficiently protected by authorization controls.

Countermeasures

To prevent insufficient authorization vulnerabilities, check access control permissions before performing any sensitive operations and use role-based authorization.

Application Check

To make sure that insufficient authorization vulnerabilities are prevented, verify that access control permissions are checked for all sensitive operations and that role-based authorization is used.
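The countermeasure and the application check above amount to two things: every sensitive operation is gated by a role-based permission check before it runs, and there is a way to verify that no sensitive operation slipped past that gate. The following Python is an added illustration written for this article, not code from the original page. The role table, the permission names, the `User`, `require_permission`, `upload_file`, `change_account_email` and `audit_sensitive_operations` names, and the sample accounts are all constructed for the example. It shows an unchecked file-upload handler beside its guarded form, an account-management handler that combines a role check with an ownership check, and an audit that lists sensitive handlers which were never registered with a required permission.

```python
from dataclasses import dataclass
from functools import wraps

# Constructed role -> permission map for the example (assumption: four roles).
ROLE_PERMISSIONS = {
    "anonymous": set(),
    "user": {"account:update"},
    "uploader": {"account:update", "upload:file"},
    "admin": {"account:update", "upload:file", "manage:accounts"},
}


class AuthorizationError(PermissionError):
    """Raised when the caller lacks the privilege an operation requires."""


@dataclass
class User:
    user_id: int
    role: str = "anonymous"  # unauthenticated callers get the empty role

    def has_permission(self, permission):
        return permission in ROLE_PERMISSIONS.get(self.role, set())


# Registry of every handler that declared a required permission.
# The audit function below compares this against the list of operations
# the application considers sensitive.
SENSITIVE_OPERATIONS = {}


def require_permission(permission):
    """Decorator: refuse to run the handler unless the current user has `permission`."""
    def decorator(func):
        SENSITIVE_OPERATIONS[func.__name__] = permission

        @wraps(func)
        def wrapper(current_user, *args, **kwargs):
            if not current_user.has_permission(permission):
                raise AuthorizationError(f"{func.__name__} requires {permission!r}")
            return func(current_user, *args, **kwargs)
        return wrapper
    return decorator


# Vulnerable form: the upload runs for anyone, including anonymous callers.
def upload_file_unchecked(current_user, filename, data, store):
    store[filename] = data
    return filename


# Hardened form: the role-based check runs before the sensitive operation.
@require_permission("upload:file")
def upload_file(current_user, filename, data, store):
    store[filename] = data
    return filename


# Account management: a role check (may this role update accounts at all?)
# plus an ownership check (is this the caller's own account, or is the caller
# allowed to manage other users' accounts?).
@require_permission("account:update")
def change_account_email(current_user, target_user_id, new_email, accounts):
    if target_user_id != current_user.user_id and not current_user.has_permission("manage:accounts"):
        raise AuthorizationError("cannot modify another user's account")
    accounts[target_user_id]["email"] = new_email
    return accounts[target_user_id]["email"]


def audit_sensitive_operations(sensitive_handler_names):
    """Application check: return the sensitive handlers that never declared a permission."""
    return sorted(name for name in sensitive_handler_names if name not in SENSITIVE_OPERATIONS)


def is_allowed(operation, current_user, *args, **kwargs):
    """Run an operation and report whether authorization let it proceed."""
    try:
        operation(current_user, *args, **kwargs)
        return True
    except AuthorizationError:
        return False


if __name__ == "__main__":
    accounts = {1: {"email": "a@example.test"}, 2: {"email": "b@example.test"}}  # constructed
    print("anonymous upload (unchecked):", is_allowed(upload_file_unchecked, User(0), "f.bin", b"x", {}))
    print("anonymous upload (guarded):  ", is_allowed(upload_file, User(0), "f.bin", b"x", {}))
    print("user edits own account:      ", is_allowed(change_account_email, User(1, "user"), 1, "n@example.test", accounts))
    print("user edits other account:    ", is_allowed(change_account_email, User(1, "user"), 2, "n@example.test", accounts))
    print("unguarded sensitive handlers:", audit_sensitive_operations(
        ["upload_file", "upload_file_unchecked", "change_account_email"]))
```

The audit only works if the application keeps an inventory of which handlers are sensitive; in practice that inventory is the list of routes or endpoints that modify data, manage accounts, or return non-public content, and the check belongs in the test suite so a new handler added without a permission declaration fails the build.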

Computer Based Training Links

Use the following Computer Based Training course(s) for more background information about this type of vulnerability.

OWASP Top Threats & Mitigations

This course examines in depth the vulnerabilities, threats, and mitigations described in the OWASP Top 10 2013. Upon completion of this class, participants will be able to identify and mitigate the greatest threats that web application developers face, including: Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, and Unvalidated Redirects and Forwards.

DES 221 OWASP Top Threats & Mitigations

Valid login credentials and enrollment in the course itself are required to access Team Professor content. If you need login credentials, please contact support@securityinnovation.com for help.
