Missing Function Level Access Control

OWASP Top 10 2013 - A7

What is Function Level Access Control?

Missing function level access control results from insufficient protection of sensitive request handlers within an application. Two questions expose it:

  • Can a user directly browse to a resource without the server checking that they are entitled to it?
  • Does the UI expose a resource the current user is not authorized to use?

The impact ranges from disclosure of seemingly useless information to a full system takeover.


Missing Function Level Access Control examples

Example #1: Force-Browsing the URL

  • Go to a site and notice the URL: http://randomsite.com
  • Click a link or application feature and see this URL: http://randomsite.com/app/getappinfo
  • Now modify the URL to a privileged variant and see whether the page exists: http://randomsite.com/app/admin_getappinfo. If it is served without an authorization check, the user now has administrator access to the application.

Example #2: Horizontal Access Attack

  • A user goes to a site and logs in; the application authorizes access to the user's own resources at: http://randomsite.com/app/userId=21775
  • The user changes the userId to that of another user: http://randomsite.com/app/userId=31356
  • If proper authorization checks are not in place, the user can now act as other users simply by changing the userId.

How to prevent Missing Function Level Access Control

  • Deny access to functionality by default; every request handler must be explicitly allowed for a role.
  • Use access control lists and role-based authorization mechanisms, enforced on the server for every request.
  • Do not just hide functions from the UI; an unlinked URL is still reachable.
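As an added illustration of these three rules (example code, not Hdiv's or any framework's own), the following deny-by-default check covers both of the page's examples: force-browsing /app/admin_getappinfo and swapping userId for another user's id. The role names, the allow-list table, the /app/profile handler and the "?userId=" query form are constructed for the demo.

```python
"""Deny-by-default function-level authorization (added example, not Hdiv code).

Mirrors the page's two examples: force-browsing /app/admin_getappinfo and
changing userId to another user's id. Role names, the allow-list table, the
/app/profile handler and the "?userId=" query form are constructed here.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Allow-list of request handlers -> roles that may call them.
# Any path missing from this table is denied for everybody, so a handler
# the developer forgot to protect fails closed instead of open.
FUNCTION_ACL = {
    "/app/getappinfo": frozenset({"user", "admin"}),
    "/app/admin_getappinfo": frozenset({"admin"}),
    "/app/profile": frozenset({"user", "admin"}),  # constructed per-user resource
}


@dataclass(frozen=True)
class Session:
    user_id: int
    roles: frozenset


def authorize(session: Session, url: str) -> tuple[bool, str]:
    """Decide server-side whether this session may invoke the URL's handler.

    Returns (allowed, reason); the reason is meant for the audit log, since a
    burst of denials from one session is a useful signal of probing.
    """
    parts = urlsplit(url)
    allowed_roles = FUNCTION_ACL.get(parts.path)
    if allowed_roles is None:
        return False, "unknown handler: denied by default"
    if not (session.roles & allowed_roles):
        return False, "role not permitted for this function"
    # Horizontal check: a userId in the request must equal the caller's own id
    # unless the caller is an administrator. A duplicated userId parameter
    # yields a two-element list, which never matches and is therefore denied.
    requested = parse_qs(parts.query).get("userId")
    if requested and "admin" not in session.roles:
        if requested != [str(session.user_id)]:
            return False, "object belongs to another user"
    return True, "allowed"


if __name__ == "__main__":
    alice = Session(user_id=21775, roles=frozenset({"user"}))
    for u in ("http://randomsite.com/app/getappinfo",
              "http://randomsite.com/app/admin_getappinfo",
              "http://randomsite.com/app/profile?userId=31356"):
        print(u, "->", authorize(alice, u))
```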

How Hdiv protects against A7 risk

The information flow control system implemented by Hdiv controls the resources (links and forms) exposed by the application and prevents the client from breaking the contract originally set by the server. In other words, even when the programmer does not use an access control system or ACL (Java EE or Spring Security), Hdiv knows which resources each user may legitimately access.

Risk Covered

Hdiv flow control prevents any client attempt to break the server contract.