- CWE-22: Path Traversal
- CWE-78: OS Command Injection
- CWE-79: Cross-Site Scripting
- CWE-89: SQL Injection
- CWE-90: LDAP Injection
- CWE-91: XML Injection
- CWE-94: Code Injection
- CWE-98: PHP File Inclusion
- CWE-113: HTTP Response Splitting
- CWE-119: Buffer Errors
- CWE-130: Improper Handling of Length Parameter Inconsistency
- CWE-193: Off-by-one Error
- CWE-200: Information Exposure
- CWE-211: Information Exposure Through Externally-Generated Error Message
- CWE-236: Improper Handling of Undefined Parameters
- CWE-276: Incorrect Default Permissions
- CWE-284: Improper Access Control
- CWE-285: Improper Authorization
- CWE-287: Improper Authentication
- CWE-297: Improper Validation of Certificate with Host Mismatch
- CWE-306: Missing Authentication for Critical Function
- CWE-312: Cleartext Storage of Sensitive Information
- CWE-345: Insufficient Verification of Data Authenticity
- CWE-352: Cross-Site Request Forgery
- CWE-384: Session Fixation
- CWE-427: Uncontrolled Search Path Element
- CWE-434: Unrestricted Upload of File with Dangerous Type
- CWE-476: NULL Pointer Dereference
- CWE-521: Weak Password Requirements
- CWE-601: Open Redirect
- CWE-611: Improper Restriction of XML External Entity Reference ('XXE')
- CWE-613: Insufficient Session Expiration
- CWE-618: Exposed Unsafe ActiveX Method
- CWE-671: Lack of Administrator Control over Security
- CWE-798: Use of Hard-coded Credentials
- CWE-799: Improper Control of Interaction Frequency
- CWE-822: Untrusted Pointer Dereference
- CWE-835: Infinite Loop
- CWE-918: Server-Side Request Forgery (SSRF)
- CWE-942: Overly Permissive Cross-domain Whitelist
CWE is a trademark of the MITRE Corporation.
Improper Authorization [CWE-285]
Improper Authorization weakness describes improper mechanisms of user's authorization.
Created: June 11, 2018
Latest Update: March 9, 2020
Table of Content
Want to have an in-depth understanding of all modern aspects of Improper Authorization [CWE-285]. Read carefully this article and bookmark it to get back later, we regularly update this page.
Authorization is a validation process of rights and privileges within application. It is a part of AAA (Authentication, Authorization, Accounting) security framework designed to ensure integrity and safety of valuable information assets.
The goal of authorization process is to check if the user has the right to interact with a given resource. Failure to comply may result in unauthorized access to privileged information or functionality and eventually lead to application integrity breach.
Improper authorization is a child member of Improper Access Control (CWE-285) weakness class, intended to describe security issues related to improper implementation of privileges within application or faulty original application design.
2. Potential impact
This vulnerability can lead from minor information disclosure to remote code execution and web application or system compromise. Depending on application design and functionality an attacker can use this weakness to access sensitive information, trigger denial of service attack or execute code.
A real-world example of such vulnerability would be authorization bypass in admin_nodeInfo API of cpp-ethereum's JSON-RPC (CVE-2017-12113), which allowed an attacker to send specially crafted data to JSON-RPC server then issue arbitrary RPC requests.
3. Attack patterns
The following CAPEC patterns are related to this vulnerability:
- CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
- CAPEC-13: Subverting Environment Variable Values
- CAPEC-17: Accessing, Modifying or Executing Executable Files
- CAPEC-39: Manipulating Opaque Client-based Data Tokens
- CAPEC-45: Buffer Overflow via Symbolic Links
- CAPEC-51: Poison Web Service Registry
- CAPEC-59: Session Credential Falsification through Prediction
- CAPEC-60: Reusing Session IDs (aka Session Replay)
- CAPEC-76: Manipulating Input to File System Calls
- CAPEC-77: Manipulating User-Controlled Variables
- CAPEC-87: Forceful Browsing
- CAPEC-104: Cross Zone Scripting
- CAPEC-127: Directory Indexing
Improper authorization is described as Insufficient Authorization (WASC-02) in WASC database.
4. Affected software
Improper authorization is a language independent issue that may arise in any multiuser environment. The majority of all modern web applications provide privilege separation (e.g. anonymous website visitor and website administrator). Therefore, this issue is very common for content management systems, blogging software, frameworks, APIs, etc.
Unfortunately, it is impossible to provide universal recommendations to mitigate improper authorization issues in a deployed application. Developing a fix would require understanding of the current application security model and implemented access controls.
Three basic rules however can help you eliminate potential improper authorization issues:
- Identify all privileged assets within your application (web pages that display sensitive data, website sections that contain privileged/administrative functionality, etc.)
- Identify user roles within the application and their access permissions
- Always check if the user should have privileges to access the asset
Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to ImmuniWeb is given.↑ Back to Top