Total Tests:

CWE Glossary

CWE is a trademark of the MITRE Corporation.

Stay in Touch

Get exclusive updates and invitations to our events and webinars:

Your data will stay confidential Private and Confidential

Improper Authorization [CWE-285]

Improper Authorization weakness describes improper mechanisms of user's authorization.

Improper Authorization [CWE-285]

Created: June 11, 2018
Latest Update: December 28, 2020

Table of Content

  1. Description
  2. Potential impact
  3. Attack patterns
  4. Affected software
  5. Mitigations
  6. References

Want to have an in-depth understanding of all modern aspects of
Improper Authorization [CWE-285] Read carefully this article and bookmark it to get back later, we regularly update this page.

1. Description

Authorization is a validation process of rights and privileges within application. It is a part of AAA (Authentication, Authorization, Accounting) security framework designed to ensure integrity and safety of valuable information assets.

The goal of authorization process is to check if the user has the right to interact with a given resource. Failure to comply may result in unauthorized access to privileged information or functionality and eventually lead to application integrity breach.

Improper authorization is a child member of Improper Access Control (CWE-285) weakness class, intended to describe security issues related to improper implementation of privileges within application or faulty original application design.

2. Potential impact

This vulnerability can lead from minor information disclosure to remote code execution and web application or system compromise. Depending on application design and functionality an attacker can use this weakness to access sensitive information, trigger denial of service attack or execute code.

A real-world example of such vulnerability would be authorization bypass in admin_nodeInfo API of cpp-ethereum's JSON-RPC (CVE-2017-12113), which allowed an attacker to send specially crafted data to JSON-RPC server then issue arbitrary RPC requests.

How to Detect Improper Authorization Vulnerabilities
Website Security Test
  • GDPR & PCI DSS Test
  • Website CMS Security Test
  • CSP & HTTP Headers Check
  • WordPress & Drupal Scanning
Try For Free

3. Attack patterns

The following CAPEC patterns are related to this vulnerability:

Improper authorization is described as Insufficient Authorization (WASC-02) in WASC database.

4. Affected software

Improper authorization is a language independent issue that may arise in any multiuser environment. The majority of all modern web applications provide privilege separation (e.g. anonymous website visitor and website administrator). Therefore, this issue is very common for content management systems, blogging software, frameworks, APIs, etc.

5. Mitigations

Unfortunately, it is impossible to provide universal recommendations to mitigate improper authorization issues in a deployed application. Developing a fix would require understanding of the current application security model and implemented access controls.

Three basic rules however can help you eliminate potential improper authorization issues:

  1. Identify all privileged assets within your application (web pages that display sensitive data, website sections that contain privileged/administrative functionality, etc.)
  2. Identify user roles within the application and their access permissions
  3. Always check if the user should have privileges to access the asset

6. References

  1. CWE-285: Improper Authorization []
  2. Insufficient Authorization []

Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to ImmuniWeb is given.

↑ Back to Top
Book a Call Ask a Question
Talk to ImmuniWeb Experts
ImmuniWeb AI Platform
Have a technical question?

Our security experts will answer within
one business day. No obligations.

Have a sales question?
Tel: +41 22 560 6800 (Switzerland)
Tel: +1 720 605 9147 (USA)
Your data will stay private and confidential