Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification or destruction of all data, or performing a business function outside of the limits of the user. Common access control vulnerabilities include:
The application uses unverified data in a SQL call that is accessing account information:

```java
// acct comes straight from the request and is never checked against the logged-in user
pstmt.setString(1, request.getParameter("acct"));
ResultSet results = pstmt.executeQuery();
```
An attacker simply modifies the acct parameter in the browser to send whatever account number they want. If not properly verified, the attacker can access any user's account.
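The snippet above is parameterized, so the defect is not SQL injection but a missing ownership check: the account identifier is taken from the request and trusted as-is. The following example (added here, not part of the original page) shows the unchecked lookup next to a hardened version that scopes the query to the identity held in the server-side session. The servlet helper, the `userId` session attribute and the `accounts` table with `acct` and `owner_id` columns are assumptions made for this example.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical helper class: session attribute "userId" and the accounts
// table/columns are assumptions for this example.
public class AccountLookup {

    // VULNERABLE (mirrors the page's snippet): the acct parameter is trusted as-is,
    // so any authenticated user can read any account just by editing the parameter.
    static ResultSet lookupUnchecked(Connection db, HttpServletRequest request)
            throws SQLException {
        PreparedStatement pstmt =
                db.prepareStatement("SELECT * FROM accounts WHERE acct = ?");
        pstmt.setString(1, request.getParameter("acct"));
        return pstmt.executeQuery();
    }

    // HARDENED: the query is bound to the caller's identity taken from the
    // server-side session, never from anything the client sends. An acct value
    // belonging to someone else simply yields no rows, which also avoids leaking
    // whether that account exists.
    static ResultSet lookupOwnedByCaller(Connection db, HttpServletRequest request,
                                         HttpServletResponse response)
            throws SQLException, IOException {
        HttpSession session = request.getSession(false);   // never create a session here
        Object userId = session == null ? null : session.getAttribute("userId");
        if (userId == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return null;
        }
        String acct = request.getParameter("acct");
        if (acct == null || !acct.matches("[0-9]{1,20}")) {   // reject malformed input early
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return null;
        }
        PreparedStatement pstmt = db.prepareStatement(
                "SELECT * FROM accounts WHERE acct = ? AND owner_id = ?");
        pstmt.setString(1, acct);
        pstmt.setLong(2, (Long) userId);
        return pstmt.executeQuery();
    }
}
```

The ownership predicate lives in the SQL rather than in a separate "does this row belong to me" check after the fetch, so there is no window in which the record is loaded but not yet authorized, and the same pattern generalizes to any record type keyed by a client-supplied identifier. Denied or malformed requests for an account are a useful signal to log, since repeated attempts with varying `acct` values from one session are the visible trace of the parameter tampering described above.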
Admin rights are required for access to the admin page. If an unauthenticated user can access either page, that is a flaw; if a non-admin user can access the admin page, that is also a flaw.
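Both failures described above are fixed by the same rule: the server decides, on every request, who the caller is and whether their role permits the function, and it denies by default. The filter below (an added example, not code from the original page) enforces that for an admin area. The `/admin/*` path prefix, the `userId` and `roles` session attributes and the role name `ADMIN` are assumptions made for this example.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter: the "/admin/*" prefix, the "userId"/"roles" session
// attributes and the "ADMIN" role name are assumptions for this example.
@WebFilter(urlPatterns = {"/admin/*"})
public class AdminOnlyFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);   // do not create a session here

        // Deny by default: no session or no authenticated user -> 401.
        if (session == null || session.getAttribute("userId") == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Authenticated but not an admin -> 403. The role comes from the server-side
        // session populated at login, never from a parameter, header or cookie the
        // client controls.
        if (!isAdmin(session)) {
            // Access-control failures are worth logging and alerting on.
            request.getServletContext().log("admin access denied for user "
                    + session.getAttribute("userId") + " to " + request.getRequestURI());
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    // True only when the session's role set explicitly contains the admin role.
    static boolean isAdmin(HttpSession session) {
        Object roles = session.getAttribute("roles");
        return roles instanceof Set && ((Set<?>) roles).contains("ADMIN");
    }
}
```

One caveat a reviewer would raise: a filter mapped by URL pattern protects only what matches the pattern, so an admin endpoint that happens to live outside `/admin/*` is left unguarded. The safer shape is to make the check part of the central dispatcher (or an explicit role assertion inside every admin handler) so that a new admin function is denied until someone deliberately grants access to it, rather than allowed until someone remembers to map the filter.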