This seventh episode takes us to the “Missing Function Access Control” flaws.
Ranked #7 on the OWASP Top 10 2013, this kind of flaw is very easy to exploit, though not necessarily visible at first sight. The impact depends heavily on the content and features of the web application.

Put simply, these flaws come from a lack of access control on a specific functionality of the website, regardless of the access level that functionality should require.
In the real world, this would be like being able to enter the laboratory of a hospital as a simple patient (to get drugs or anything else).

Functionalities managed by the same application

In web applications, many functionalities can be implemented within the same code.
If we take a blog application, we find functionalities to read articles, but also functions to modify or delete an article. We can also find functions to create new users, modify existing users, and so on…
On an ecommerce web application, you will find functionalities to order products, and others to create products or extract customer orders.

A lack of control

The flaws rely on a lack of control for one or more functionalities. Different scenarios can be found, like:
– The main menu of the application changes based on the access level of the user, but accessing URLs of hidden menu items works.
– The application checks the access rights based on information provided by the user, such as a cookie flag (“admin=1”). It sounds ridiculous, but it exists.
Sometimes, even if a good access control mechanism has been put in place, forbidden functionalities might still be reachable because the developer forgot to apply it to that functionality, or misconfigured it.

Detecting such flaws is quite easy

Automated tools are usually not able to detect such flaws by themselves. A code review and configuration review can be very helpful in detecting a lack of control or a misconfiguration.
However, the best way to ensure everything works is to test the application! Mapping the different functionalities with the highest privilege, then downgrading the access rights of the test user to verify whether each functionality is still accessible, is very efficient (this is usually done during a penetration test).
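The two scenarios above (a client-controlled “admin=1” cookie flag versus a role looked up server-side) and the mapping test from this paragraph, as an added example that is not part of the original article. The function map, session store, `Request` class and `dispatch_*` functions are hypothetical, constructed for illustration.

```python
# Added example: function-level access control in a minimal request dispatcher.
# SESSIONS, FUNCTIONS, RANK, Request and the dispatch_* functions are hypothetical.
from dataclasses import dataclass, field

# Constructed server-side session store: session id -> role the server knows.
SESSIONS = {"sess-alice": "reader", "sess-bob": "admin"}

# Function map: every action names the minimum role it requires. Whether the
# menu item is hidden or not, the check happens here, on every request.
RANK = {"anonymous": 0, "reader": 1, "admin": 2}
FUNCTIONS = {
    "read_article": "anonymous",
    "edit_article": "admin",
    "delete_article": "admin",
    "create_user": "admin",
}

@dataclass
class Request:
    action: str
    cookies: dict = field(default_factory=dict)

def dispatch_vulnerable(req: Request) -> int:
    """Trusts a client-controlled cookie flag ('admin=1'): any client can set it."""
    if FUNCTIONS[req.action] == "admin" and req.cookies.get("admin") != "1":
        return 403
    return 200

def dispatch_hardened(req: Request) -> int:
    """Derives the role from the server-side session; cookies never carry authority."""
    role = SESSIONS.get(req.cookies.get("session", ""), "anonymous")
    if RANK[role] < RANK[FUNCTIONS[req.action]]:
        return 403
    return 200

def access_matrix(dispatch) -> dict:
    """The test described in the article: call every function with each test
    user and record which ones answer 200. A 200 for a user below the required
    role is a missing-function-access-control finding."""
    probes = {
        "anonymous": {},
        "reader": {"session": "sess-alice"},
        "reader+forged_flag": {"session": "sess-alice", "admin": "1"},
        "admin": {"session": "sess-bob"},
    }
    return {who: sorted(a for a in FUNCTIONS if dispatch(Request(a, dict(c))) == 200)
            for who, c in probes.items()}
```

Running `access_matrix(dispatch_vulnerable)` shows the reader with a forged flag reaching every admin function, while the hardened dispatcher only ever grants what the server-side role allows.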

Other articles in this series: