(OWASP) A7-Missing Function Level Access Control

Anyone with network access can send your application a request. Could anonymous users reach private functionality, or could regular users reach a privileged function? An attacker who is already an authorized user simply changes a URL or a parameter so that it points at a privileged function and checks whether the request is served. Anonymous users can reach any private function that the server itself does not protect.


Applications do not always protect their functions properly. Sometimes function-level protection is managed through configuration and the system is misconfigured; sometimes developers must add the proper authorization checks in code and forget to. Detecting such flaws is easy. The hardest part is enumerating which pages (URLs) or functions exist so that each one can be tested. Keep in mind that the attacker does not need a link in the UI: URLs can be guessed, read out of client-side JavaScript, or copied from another user's session.

Question 1 – What is Missing Function Level Access Control, and how do you check for it?


Ans:-

  • Can a user browse directly to a resource (by typing the URL or changing a parameter) that the UI never offered them?
  • Does the UI expose a resource the user is not authorized to use, for example an admin link that is merely hidden for non-admins?
  • Does the server rely solely on user-supplied input (a URL, a hidden form field, a "role" parameter) to decide whether to allow the call? It must not; the decision has to come from server-side state.

Question 2 – How do you prevent this vulnerability?


Ans:-

  • Deny access to every function by default, and grant it explicitly per role.
  • Use access control lists and a role-based authorization mechanism, enforced on the server for every request.
  • Don't just hide functions: an unlinked URL is still reachable.
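Here is an added example (my own code, not part of the original post or of OWASP) that shows both halves of the story: a dispatcher that "protects" admin functions the A7 way, a hardened dispatcher that denies by default and consults a server-side ACL, and a small forced-browsing probe that performs the Question 1 checks against each. The users, roles, URL paths and handlers are all made up for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass
class Request:
    path: str
    user: Optional[str]                       # authenticated principal; None = anonymous
    params: Dict[str, str] = field(default_factory=dict)


# Constructed sample data: server-side role assignments for hypothetical users.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"user"},             # regular user
    "bob": {"user", "admin"},      # administrator
}


# Hypothetical application functions, keyed by URL path.
def handle_profile(req: Request) -> Tuple[int, str]:
    return 200, f"profile of {req.user}"


def handle_delete_user(req: Request) -> Tuple[int, str]:
    return 200, f"deleted {req.params.get('target', '?')}"


def handle_export(req: Request) -> Tuple[int, str]:
    return 200, "full data export"


def handle_new_report(req: Request) -> Tuple[int, str]:
    return 200, "report created"


HANDLERS: Dict[str, Callable[[Request], Tuple[int, str]]] = {
    "/profile": handle_profile,
    "/admin/delete_user": handle_delete_user,
    "/internal/export": handle_export,
    "/reports/new": handle_new_report,
}

# Paths a tester would treat as privileged and probe with low-privilege accounts.
PRIVILEGED_PATHS = ["/admin/delete_user", "/internal/export", "/reports/new"]


# --- Vulnerable: protection depends on the UI not linking the page, and on a
# --- 'role' value the client itself sends. This is the A7 pattern.
def vulnerable_dispatch(req: Request) -> Tuple[int, str]:
    handler = HANDLERS.get(req.path)
    if handler is None:
        return 404, "not found"
    if req.path == "/profile" and req.user is None:
        return 401, "login required"
    if req.path == "/admin/delete_user" and req.params.get("role") != "admin":
        # BUG: trusts a client-supplied parameter instead of a server-side role.
        return 403, "forbidden"
    # BUG: /internal/export and /reports/new have no check at all; the developer
    # relied on the UI not showing them to ordinary users.
    return handler(req)


# --- Hardened: one central ACL, deny by default, roles looked up server-side.
ACL: Dict[str, Set[str]] = {
    "/profile": {"user"},
    "/admin/delete_user": {"admin"},
    "/internal/export": {"admin"},
    # "/reports/new" is deliberately absent: an unlisted function is denied.
}


def authorized(user: Optional[str], path: str) -> bool:
    """Grant only when the path is listed and the user holds a required role."""
    required = ACL.get(path)
    if required is None or user is None:
        return False
    return bool(USER_ROLES.get(user, set()) & required)


def hardened_dispatch(req: Request) -> Tuple[int, str]:
    handler = HANDLERS.get(req.path)
    if handler is None:
        return 404, "not found"
    if req.user is None:
        return 401, "login required"
    if not authorized(req.user, req.path):   # runs on every call; ignores req.params
        return 403, "forbidden"
    return handler(req)


# --- Detection: forced browsing of the privileged paths as anonymous and as a
# --- regular user, which is exactly the check the questions above describe.
def forced_browse(dispatch, paths, users=(None, "alice")):
    """Return {(user, path): status} for each low-privilege principal and path."""
    return {(u, p): dispatch(Request(p, u))[0] for u in users for p in paths}


def exposed_functions(dispatch, paths=PRIVILEGED_PATHS, users=(None, "alice")):
    """Privileged paths a low-privilege principal reaches with HTTP 200: the findings."""
    hits = forced_browse(dispatch, paths, users)
    return sorted(((u, p) for (u, p), s in hits.items() if s == 200),
                  key=lambda up: (up[0] or "", up[1]))


if __name__ == "__main__":
    print("vulnerable:", exposed_functions(vulnerable_dispatch))
    print("hardened:  ", exposed_functions(hardened_dispatch))
```

Two things to notice. The probe never needs a link from the UI; it just requests each path with the lowest-privilege identities it has, which is how a tester finds the export and report functions the vulnerable dispatcher never checks. And in the hardened version the authorization decision is made in one place from server-side state only, so a "role=admin" parameter is ignored and a handler the developer forgot to register in the ACL (`/reports/new`) is refused even to the administrator until someone deliberately grants it.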

DEMO - Coming Soon!

~ Hack the World and Stay Noob
