CWE-863: Incorrect Authorization

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

Submission Date: 2011-05-24

Modification Date: 2023-06-29

Organization: MITRE

Extended Description

Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource, based on the user's privileges and any permissions or other access-control specifications that apply to the resource.

When access control checks are incorrectly applied, users are able to access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures, denial of service, and arbitrary code execution.

Example Vulnerable Codes

Example - 1

The following code could be for a medical records application. It displays a record to already-authenticated users, confirming the user's authorization using a value stored in a cookie that the client controls.




// The cookie superglobal in PHP is $_COOKIE; the entry's original "$_COOKIES" is a typo.
// Reading the role from a client-controlled cookie is the flaw this example illustrates.
$role = $_COOKIE['role'];
if (!$role) {
    $role = getRole('user');
    if ($role) {
        // save the cookie to send out in future responses
        setcookie("role", $role, time()+60*60*2);
    }
    else {
        ShowLoginScreen();
        die("\n");
    }
}
// The role check itself runs, but its input was never verified server-side.
if ($role == 'Reader') {
    DisplayMedicalHistory($_POST['patient_ID']);
}
else {
    die("You are not Authorized to view this record\n");
}

The programmer expects that the cookie will only be set when getRole() succeeds. The programmer even diligently specifies a 2-hour expiration for the cookie. However, the attacker can easily set the "role" cookie to the value "Reader". As a result, the $role variable is "Reader", and getRole() is never invoked. The attacker has bypassed the authorization system.
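The following is a hardened rewrite of the same flow, added here as an example; it is not code from the CWE entry. It keeps the role in server-side session state that is populated only after getRole() succeeds, so the only thing the browser holds is an opaque session ID. getRole(), ShowLoginScreen() and DisplayMedicalHistory() are the entry's hypothetical helpers; canAccessPatient() is an assumed helper added here to stand for an object-level check (is this reader allowed to see this particular patient) that the original also lacks.

```php
<?php
// Added example, not part of the CWE entry. Assumes the entry's hypothetical
// helpers getRole(), ShowLoginScreen(), DisplayMedicalHistory() and an
// assumed helper canAccessPatient(string $role, int $patientId): bool.
declare(strict_types=1);

// The session cookie carries an opaque ID only; no role or privilege is
// encoded in anything the client can edit. Same 2-hour lifetime as the original.
session_set_cookie_params([
    'lifetime' => 60 * 60 * 2,
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

// Authorization state lives server-side and is set only after getRole()
// (authentication) succeeds. Nothing from $_COOKIE or $_POST decides the role.
if (empty($_SESSION['role'])) {
    $role = getRole('user');
    if (!$role) {
        ShowLoginScreen();
        die("\n");
    }
    // New session ID once privilege is established, so a pre-login ID
    // cannot be reused (session fixation).
    session_regenerate_id(true);
    $_SESSION['role'] = $role;
}
$role = $_SESSION['role'];

// Validate the object identifier before it reaches any lookup.
$patientId = filter_input(INPUT_POST, 'patient_ID', FILTER_VALIDATE_INT);
if ($patientId === false || $patientId === null) {
    http_response_code(400);
    die("Invalid patient ID\n");
}

// Deny by default: the role check the original intended, plus an object-level
// check so a valid Reader cannot walk through every patient_ID.
if ($role !== 'Reader' || !canAccessPatient($role, $patientId)) {
    http_response_code(403);
    die("You are not Authorized to view this record\n");
}

DisplayMedicalHistory($patientId);
```

The design point is that the client never supplies an authorization decision, only a reference (the session ID) to state the server wrote. Forging a "role" cookie has no effect because the script never reads one; and even a legitimate Reader is bound to the patients canAccessPatient() allows, which is the check a CWE-863 review should look for alongside the role comparison.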

Visit http://cwe.mitre.org/ for more details.