Missing Function Level Access Control



Description

Missing function level access control vulnerabilities occur when the application does not perform access control checks when executing sensitive operations. For example, if the application doesn't check whether a user may change other users' passwords, an attacker will be able to change the passwords of other user accounts.

All application types are affected by missing function-level access control vulnerabilities.

Impact

The impact of missing function level access control vulnerabilities depends on the nature of the functions that don't have sufficient access controls. The more powerful the function, the greater the potential for abuse. This is most dangerous if administrative functions are missing access controls – the attacker might take over the application, compromise all application data, and execute arbitrary code on the server.

Countermeasures

To prevent missing function level access control vulnerabilities, perform access control checks for all sensitive operations.
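The password-change scenario from the description, as an added example that is not part of the original article: a handler that trusts the target account named in the request and performs no check, beside the same handler gated by an explicit access control check. The in-memory user store, the `user`/`admin` roles, the `self_or_admin` policy and the function names are all constructed for illustration.

```python
"""Missing function level access control: vulnerable vs. hardened handler.

Added example, not from the original article. The user store, roles and
handler signatures are constructed for illustration.
"""
from dataclasses import dataclass
from functools import wraps
import hashlib
import os


class AccessDenied(Exception):
    """Raised when the caller is not allowed to run the operation."""


@dataclass
class User:
    name: str
    role: str                       # "user" or "admin" (constructed roles)
    pw_hash: bytes = b""


# Constructed in-memory user store standing in for the database.
USERS = {
    "alice": User("alice", "user"),
    "bob": User("bob", "user"),
    "root": User("root", "admin"),
}


def _hash_password(password: str) -> bytes:
    # Salted PBKDF2; the salt is prepended so verification can recover it.
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def change_password_vulnerable(actor: str, target: str, new_password: str) -> bool:
    """VULNERABLE: trusts the `target` parameter from the request and never asks
    whether `actor` may change that account's password."""
    USERS[target].pw_hash = _hash_password(new_password)
    return True


def require_access(check):
    """Decorator that runs `check(actor, target)` before the wrapped operation,
    so the access control check cannot be forgotten at the call site."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(actor, target, *args, **kwargs):
            if not check(actor, target):
                raise AccessDenied(f"{actor} may not run {fn.__name__} on {target}")
            return fn(actor, target, *args, **kwargs)
        return wrapper
    return decorator


def self_or_admin(actor: str, target: str) -> bool:
    """Policy (constructed): a user may change only their own password;
    admins may change any account's password."""
    caller = USERS.get(actor)
    return caller is not None and (actor == target or caller.role == "admin")


@require_access(self_or_admin)
def change_password_secure(actor: str, target: str, new_password: str) -> bool:
    """HARDENED: the same operation, gated by an explicit access control check."""
    USERS[target].pw_hash = _hash_password(new_password)
    return True


def verify_password(name: str, password: str) -> bool:
    """Check a password against the stored salted hash."""
    stored = USERS[name].pw_hash
    salt, digest = stored[:16], stored[16:]
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000) == digest


if __name__ == "__main__":
    change_password_vulnerable("bob", "alice", "owned")   # succeeds: no check
    print("vulnerable: bob reset alice's password:", verify_password("alice", "owned"))
    try:
        change_password_secure("bob", "alice", "owned-again")
    except AccessDenied as e:
        print("hardened:", e)
    change_password_secure("root", "alice", "reset-by-admin")
    print("admin reset:", verify_password("alice", "reset-by-admin"))
```

The decorator form is the point of the design: the check is attached to the sensitive operation itself rather than left to each caller, which is what makes the application check in the next section ("verify that access control checks are performed for all sensitive operations") tractable to review.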

Application Check

To make sure that missing function level access control vulnerabilities are prevented, verify that access control checks are performed for all sensitive operations.
