Missing Function Level Access Control | Crashtest Security
Apr 21, 2022
5 min read
Function level access control enables a flexible, hierarchical authorization check, since it bases resource access decisions on the requirements of each task. Unfortunately, an application with this access control vulnerability allows an unauthenticated user to perform unauthorized actions on restricted resources by exploiting flaws in its code and configuration settings.
This article discusses the missing function level access control vulnerability, its impacts on application security, and how to protect web applications.
What Does A Missing Function Level Access Control Mean?
The missing function level authorization vulnerability occurs when sensitive request handlers lack sufficient authorization checks. This common vulnerability allows malicious users to reach restricted resources by escalating their permissions at the function level. The attacker is typically an authenticated system user who tampers with a privileged function parameter and sends crafted requests to gain unauthorized admin access.
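To make the defect concrete, here is an added Python model (not code from the Crashtest Security article) of two request dispatchers: one that only checks that the caller is logged in and trusts a client-supplied parameter for admin functions, and a hardened one in which every sensitive handler declares the server-side role it requires and denies by default. The Request class, the routes and the sample sessions are constructed for illustration.

```python
from dataclasses import dataclass, field
from functools import wraps
from typing import Optional

@dataclass
class Request:
    """Constructed request: path, session identity (None = unauthenticated),
    server-side roles from the session, and client-controlled query params."""
    path: str
    user: Optional[str]
    roles: set = field(default_factory=set)
    params: dict = field(default_factory=dict)

# --- Vulnerable: authentication is checked, authorization is not ----------
def vulnerable_dispatch(req: Request) -> int:
    if req.user is None:
        return 401
    if req.path == "/admin/users":
        # Admin-only function gated on a parameter the client controls.
        return 200 if req.params.get("admin") == "true" else 403
    if req.path == "/profile":
        return 200
    return 404

# --- Hardened: each sensitive handler enforces its own role requirement ---
def requires_role(role: str):
    def deco(fn):
        @wraps(fn)
        def guarded(req: Request) -> int:
            if req.user is None:
                return 401
            if role not in req.roles:      # roles come from the session, not the request
                return 403
            return fn(req)
        return guarded
    return deco

@requires_role("admin")
def admin_users(req: Request) -> int:
    return 200

@requires_role("user")
def profile(req: Request) -> int:
    return 200

ROUTES = {"/admin/users": admin_users, "/profile": profile}

def hardened_dispatch(req: Request) -> int:
    """Deny by default: unknown routes and missing roles never succeed."""
    handler = ROUTES.get(req.path)
    return handler(req) if handler else 404
```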
A broken function-level authorization attack starts with gaining access to Application Programming Interfaces (APIs). A malicious user obtains application access permissions, either through phishing or by masquerading as a legitimate user, and then scans the application for functions that lack proper checks. These include functions that grant direct access to resources and user interface elements that expose restricted data. Attackers can leverage these vulnerabilities to access unauthorized pages with sensitive information and