OWASP Top Ten 2004 Category A2 - Broken Access Control
A category in the Common Weakness Enumeration published by The MITRE Corporation.
Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.
Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2004.
Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges.
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
The software allows user input to control or influence paths or file names that are used in filesystem operations.
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but...
The system or application is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file an...
If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.
The software assigns an owner to a resource, but the owner is outside of the intended control sphere.
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the software system.
Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that...
The software does not properly verify that a critical resource is owned by the proper entity.
The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.
Weaknesses in this category are related to improper assignment or handling of permissions.
Deprecated or Obsolete
CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is cons...