Identification of Missing Authorization

Missing authorization, often referred to as broken access control, occurs when a web application does not properly enforce restrictions on what authenticated users are allowed to do. Attackers can exploit these vulnerabilities to access or modify data they shouldn't have access to, potentially leading to data breaches, unauthorized actions, or escalation of privileges.

Common Indicators of Missing Authorization:

  1. Access to Restricted Functions: Users can access functionalities that should be restricted based on their roles or permissions.
  2. Direct Object Reference: Users can access objects (e.g., files, database records) they shouldn't by manipulating direct object references, such as changing a URL or a parameter value.
  3. Horizontal and Vertical Escalation: Users can access data belonging to other users at the same privilege level (horizontal), or access data and perform actions at a higher privilege level than their own (vertical).
  4. Insecure API Endpoints: API endpoints that do not properly check the user's permissions before executing actions.
  5. Lack of Consistent Enforcement: The application inconsistently applies authorization checks, with some parts of the application being more strictly enforced than others.

How to Identify Missing Authorization:

  1. Role Testing: Test the application with different user accounts, each with different levels of privileges, to see if higher-privileged actions or data are accessible from accounts with lower privileges.
  2. Parameter Manipulation: Attempt to access or modify data by changing parameters, such as user IDs or file names, in URLs, request bodies, or query strings.
  3. Automated Scanning: Use automated tools to scan for missing authorization vulnerabilities, particularly those that can crawl the application and test different access levels.
  4. Code Review: Review the application's source code to ensure that authorization checks are consistently applied before executing sensitive actions or accessing sensitive data.
  5. API Testing: Test API endpoints to verify that they properly enforce authorization checks, especially when the APIs are publicly accessible.

Mitigation Strategies:

  1. Enforce Authorization Checks: Implement consistent and thorough authorization checks on the server side before executing any action or accessing any data.
  2. Use Role-Based Access Control (RBAC): Implement an RBAC system to clearly define and enforce what resources and operations different roles can access and perform.
  3. Adopt the Principle of Least Privilege: Ensure users are given the minimum levels of access—or permissions—they need to perform their functions.
  4. Implement Proper Error Handling: Ensure that the application does not disclose sensitive information in error messages when unauthorized access is attempted.
  5. Regular Auditing and Testing: Regularly audit and test the application for authorization flaws, especially when introducing new features or making changes to existing ones.
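The following is an added example, not code from the original article. It puts a handler with an unchecked direct object reference (indicator 2) next to a hardened version that enforces the owner-or-admin rule on the server side and returns a uniform error (mitigations 1, 2 and 4), and then runs the role-testing matrix from the identification section over both to surface horizontal escalations. The users, roles and records are a constructed in-memory store, and the function names are hypothetical.

```python
# Constructed sample data: two ordinary users, one admin, two owned records.
USERS = {"alice": "user", "bob": "user", "carol": "admin"}
RECORDS = {
    1: {"owner": "alice", "ssn": "***-**-0001"},
    2: {"owner": "bob", "ssn": "***-**-0002"},
}

class Forbidden(Exception):
    """Raised when the caller may not read the requested record."""

def get_record_vulnerable(session_user, record_id):
    """Missing authorization: authenticated, but no check that session_user
    may see this record. Any user who changes record_id reads other users'
    data (an insecure direct object reference)."""
    return RECORDS[record_id]

def get_record_secure(session_user, record_id):
    """Server-side authorization before any data is returned: the caller must
    own the record or hold the admin role. Unknown ids get the same generic
    Forbidden as denied ones, so the response does not reveal which ids exist."""
    record = RECORDS.get(record_id)
    role = USERS.get(session_user)
    if record is None or (role != "admin" and record["owner"] != session_user):
        raise Forbidden("access denied")
    return record

def role_test(handler, principals, object_ids):
    """Role testing: call the handler as every principal against every object
    and return the set of (principal, object_id) pairs that were allowed."""
    allowed = set()
    for principal in principals:
        for oid in object_ids:
            try:
                handler(principal, oid)
                allowed.add((principal, oid))
            except Forbidden:
                pass
    return allowed

def find_horizontal_escalations(handler):
    """Pairs where a non-admin user could read a record they do not own,
    i.e. evidence of horizontal privilege escalation in the handler."""
    allowed = role_test(handler, USERS, RECORDS)
    return sorted(
        (p, oid) for p, oid in allowed
        if USERS[p] != "admin" and RECORDS[oid]["owner"] != p
    )
```

Running `find_horizontal_escalations` against a real handler under test gives a concrete, repeatable list of (user, object) pairs to fix, rather than a single pass/fail verdict.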

Identifying and addressing missing authorization issues is vital for maintaining the security and integrity of a web application, as it helps prevent unauthorized access and potential data breaches.