OWASP Top Ten 2004 Category A2 - Broken Access Control

A category in the Common Weakness Enumeration published by The MITRE Corporation.


Summary

Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.

Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2004.

Weaknesses

ASP.NET Misconfiguration: Use of Identity Impersonation

Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges.

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Direct Request ('Forced Browsing')

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

External Control of File Name or Path

The software allows user input to control or influence paths or file names that are used in filesystem operations.

Improper Access Control

The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Improper Authorization

The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but...

Improper Resolution of Path Equivalence

The system or application is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file an...

Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.

Incorrect Ownership Assignment

The software assigns an owner to a resource, but the owner is outside of the intended control sphere.

Incorrect Privilege Assignment

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

J2EE Misconfiguration: Weak Access Permissions for EJB Methods

If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the software system.

Privilege Chaining

Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that...

Unverified Ownership

The software does not properly verify that a critical resource is owned by the proper entity.

Use of Insufficiently Random Values

The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

Use of Web Browser Cache Containing Sensitive Information

The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.

Categories

Permission Issues

Weaknesses in this category are related to improper assignment or handling of permissions.

Concepts

Deprecated or Obsolete

Weaknesses in OWASP Top Ten (2004)

CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is cons...

See Also

  1. A2 Broken Access Control

    OWASP


Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.