Missing function level access control vulnerabilities occur when an application does not perform an access control check before executing a sensitive operation. For example, if the application does not check whether the current user is allowed to change another user's password, an attacker can change the passwords of other user accounts.
All application types are affected by missing function-level access control vulnerabilities.
The impact of missing function level access control vulnerabilities depends on the nature of the functions that lack sufficient access controls. The more powerful the function, the greater the potential for abuse. The most dangerous case is administrative functions without access controls: the attacker might take over the application, compromise all application data, and execute arbitrary code on the server.
To prevent missing function level access control vulnerabilities, perform access control checks for all sensitive operations.
To make sure that missing function level access control vulnerabilities are prevented, verify that access control checks are performed for all sensitive operations.
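The password-change example from the first paragraph, as an added Python illustration that is not part of the original text: the first handler authenticates the caller but never checks whether the caller may act on the target account, while the second adds the server-side authorization check that the prevention advice calls for. The User record, the USERS table and the handle() helper are hypothetical stand-ins for a real application's session and data layer.

```python
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised when the session user is not allowed to perform the operation."""


@dataclass
class User:
    username: str
    password: str
    is_admin: bool = False


# Constructed sample accounts for the demonstration (hypothetical data).
USERS = {
    "alice": User("alice", "alice-old"),
    "bob": User("bob", "bob-old"),
    "root": User("root", "root-old", is_admin=True),
}


def change_password_vulnerable(session_user, target, new_password):
    """Authenticates the caller but never checks whether the caller may act
    on `target`, so any logged-in user can reset any other account's password."""
    if session_user not in USERS:
        raise AccessDenied("not logged in")
    USERS[target].password = new_password
    return True


def change_password_hardened(session_user, target, new_password):
    """Same operation with an explicit server-side check: a user may change
    only their own password unless they hold the admin role."""
    caller = USERS.get(session_user)
    if caller is None:
        raise AccessDenied("not logged in")
    if target not in USERS:
        raise KeyError(f"unknown account {target}")
    if caller.username != target and not caller.is_admin:
        raise AccessDenied(f"{caller.username} may not change the password of {target}")
    USERS[target].password = new_password
    return True


def handle(handler, session_user, target, new_password):
    """Model the HTTP outcome of a request: 200 on success, 403 when denied."""
    try:
        handler(session_user, target, new_password)
        return 200
    except AccessDenied:
        return 403


if __name__ == "__main__":
    print(handle(change_password_vulnerable, "bob", "alice", "pwned"))  # 200: missing check
    print(handle(change_password_hardened, "bob", "alice", "pwned"))    # 403: denied
    print(handle(change_password_hardened, "root", "alice", "reset"))   # 200: admin may reset
```

Hiding the password-change link in the UI would not change either result; only the check inside the handler does.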