CWE-285: Improper Authorization

Causes

• This function runs an arbitrary SQL query on a given database, returning the result of the query. While this code is careful to avoid SQL Injection, the function does not confirm the user sending the query is authorized to do so. An attacker may be able to obtain sensitive employee information from the database.
• The following program could be part of a bulletin board system that allows users to send private messages to each other. This program intends to authenticate the user before deciding whether a private message should be displayed. Assume that LookupMessageObject() ensures that the $id argument is numeric, constructs a filename based on that id, and reads the message details from that file. Also assume that the program stores all private messages for all users in the same directory. While the program properly exits if authentication fails, it does not ensure that the message is addressed to the user. As a result, an authenticated attacker could provide any arbitrary identifier and read private messages that were intended for other users.,One way to avoid this problem would be to ensure that the "to" field in the message object matches the username of the authenticated user.

Remediation

• Architecture and Design: [object Object]
• Architecture and Design: Ensure that you perform access control checks related to your business logic. These checks may be different than the access control checks that you apply to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor.
• System Configuration,Installation: Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

Detection

• Automated Static Analysis: [object Object]
• Automated Dynamic Analysis: Automated dynamic analysis may find many or all possible interfaces that do not require authorization, but manual analysis is required to determine if the lack of authorization violates business logic
• Manual Analysis: [object Object]
• Manual Static Analysis - Binary or Bytecode: [object Object]
• Dynamic Analysis with Automated Results Interpretation: [object Object]
• Dynamic Analysis with Manual Results Interpretation: [object Object]
• Manual Static Analysis - Source Code: [object Object]
• Automated Static Analysis - Source Code: [object Object]

Related CWEs

• CWE-1230: Exposure of Sensitive Information Through Metadata
• CWE-1256: Improper Restriction of Software Interfaces to Hardware Features
• CWE-1297: Unprotected Confidential Information on Device is Accessible by OSAT Vendors
• CWE-1328: Security Version Number Mutable to Older Versions
• CWE-284: Improper Access Control
• CWE-284: Improper Access Control
• CWE-552: Files or Directories Accessible to External Parties
• CWE-732: Incorrect Permission Assignment for Critical Resource
• CWE-862: Missing Authorization
• CWE-863: Incorrect Authorization
• CWE-926: Improper Export of Android Application Components
• CWE-927: Use of Implicit Intent for Sensitive Communication

Related CVEs

Related CVE mappings appear after CVE records are cross-indexed.

ATT&CK Relevance

ATT&CK relevance is shown only when reviewed or responsibly inferred.