CWE-862: Missing Authorization

Causes

• This function runs an arbitrary SQL query on a given database, returning the result of the query. While this code is careful to avoid SQL Injection, the function does not confirm the user sending the query is authorized to do so. An attacker may be able to obtain sensitive employee information from the database.
• The following program could be part of a bulletin board system that allows users to send private messages to each other. This program intends to authenticate the user before deciding whether a private message should be displayed. Assume that LookupMessageObject() ensures that the $id argument is numeric, constructs a filename based on that id, and reads the message details from that file. Also assume that the program stores all private messages for all users in the same directory. While the program properly exits if authentication fails, it does not ensure that the message is addressed to the user. As a result, an authenticated attacker could provide any arbitrary identifier and read private messages that were intended for other users.,One way to avoid this problem would be to ensure that the "to" field in the message object matches the username of the authenticated user.

Remediation

• Architecture and Design: [object Object]
• Architecture and Design: Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
• System Configuration,Installation: Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

Detection

• Automated Static Analysis: [object Object]
• Automated Dynamic Analysis: Automated dynamic analysis may find many or all possible interfaces that do not require authorization, but manual analysis is required to determine if the lack of authorization violates business logic.
• Manual Analysis: [object Object]
• Manual Static Analysis - Binary or Bytecode: [object Object]
• Dynamic Analysis with Automated Results Interpretation: [object Object]
• Dynamic Analysis with Manual Results Interpretation: [object Object]
• Manual Static Analysis - Source Code: [object Object]
• Automated Static Analysis - Source Code: [object Object]

Related CWEs

• CWE-1314: Missing Write Protection for Parametric Data Values
• CWE-425: Direct Request ('Forced Browsing')
• CWE-425: Direct Request ('Forced Browsing')
• CWE-638: Not Using Complete Mediation
• CWE-284: Improper Access Control
• CWE-285: Improper Authorization
• CWE-939: Improper Authorization in Handler for Custom URL Scheme

Related CVEs

Related CVE mappings appear after CVE records are cross-indexed.

ATT&CK Relevance

ATT&CK relevance is shown only when reviewed or responsibly inferred.