Missing function level access control

Explained at a very high level:

If an application lets a user invoke functions they are not authorised to use, then that application has this vulnerability.

Some of you might be asking: why does this happen?

The usual reasons are:

  • No server-side authentication
  • No or limited access controls
  • Authorization based solely on data the user supplies

Below is a demo of how this works:

1) Below is the login page for one of the banks.

[Screenshot: admin login]

2) Account types: Admin account, Generic, Personal (staff/employee), Customer

We will log in first with the admin account and then with a customer account, just to see what the difference is.

[Screenshot: edit users]
The admin account has the privilege to edit users; ideally, customers should not have this access.

Now, logging in with a customer account,

[Screenshot: no option]
This is John’s account. Great, we can’t edit the users. This is what is required.

To an untrained eye this is not a vulnerability, but when it comes to bug hunting, here is what we do.

  1. Log in with the user account (John’s, say).
  2. Now here is the trick: change the URL.
  3. Change the URL as shown below.
  4. The URL can be found by spidering the site, among other ways.

    [Screenshot: edit users URL]
    [Screenshot: URL to edit users]
  5. You will again be served the edit users page.
  6. Delete users, modify, add, create a secret user for attacking, etc. (EXPLOIT)

REMEDIATION

  • “Presentation layer access control” – a BAD option on its own; you have seen how this can be exploited. It should be there, but along with further checks.
  • Implicit deny – deny all by default and allow only the privileged functions a user is explicitly entitled to.
  • Introduce checks in the business logic – any request for a privileged function/page should be checked again, on the server, to confirm whether it is allowed or not.
  • For example, in the scenario above, one solution is to ask the user to enter their credentials again; it can then be checked whether to render the page or not.
  • Canonical (full) path resolution – resolve the requested path to its canonical form before applying access checks.
  • Access matrix to be present – this can be different for files, DB, servers, etc.
  • Principle of least privilege to be followed – grant only the privileges required.
  • Access control policy and its implementation to be in place.
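As an added illustration of the implicit-deny, canonical-path and business-logic checks listed above (example code, not from the original post or the bank application it describes), this hypothetical Python handler decides access from the server-side session and a route-to-role matrix only; the routes, roles and user names are constructed for the example.

```python
import posixpath
from dataclasses import dataclass

# Access matrix (constructed for this example): canonical path -> roles allowed.
# Any path absent from the matrix is denied: implicit deny.
ACCESS_MATRIX = {
    "/account/summary": {"customer", "personal", "generic", "admin"},
    "/admin/edit_users": {"admin"},
}


@dataclass(frozen=True)
class Session:
    """Server-side session. The role is set at login and is the only
    source of truth for authorization; nothing the client sends changes it."""
    user: str
    role: str


def canonical_path(raw_path: str) -> str:
    """Resolve the requested URL path to one canonical form before any check,
    so '/account/../admin/edit_users?x=1' and '//admin/./edit_users' are both
    judged as '/admin/edit_users'."""
    path = raw_path.split("?", 1)[0]          # drop the query string
    path = posixpath.normpath(path)           # collapse '.', '..' and '//'
    return "/" + path.lstrip("/")             # normpath keeps a leading '//'


def is_authorized(session: Session, path: str) -> bool:
    """Business-logic check: the session's role must appear in the matrix
    entry for the canonical path; an unknown path falls through to deny."""
    allowed = ACCESS_MATRIX.get(canonical_path(path))
    return allowed is not None and session.role in allowed


def handle_request(session: Session, path: str, claimed_role=None):
    """Serve a page only after the server-side check passes. `claimed_role`
    stands for any role-like data the client supplies (hidden field, cookie,
    parameter); it is deliberately ignored, so editing the request the way
    John edited the URL cannot elevate access."""
    if not is_authorized(session, path):
        return 403, "Forbidden"
    return 200, f"rendered {canonical_path(path)} for {session.user}"


if __name__ == "__main__":
    john = Session("john", "customer")
    print(handle_request(john, "/account/summary"))                        # 200
    print(handle_request(john, "/admin/edit_users"))                       # 403
    print(handle_request(john, "/admin/edit_users", claimed_role="admin"))  # 403
    print(handle_request(Session("alice", "admin"), "/admin/edit_users"))  # 200
```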