OWASP Top Ten - Broken Access Control

Dinglun Alex Zhou 2020-12-15 OWASP

# Description

If proper access control is not implemented on authenticated users, attackers can use these flaws to access functions or initialized data.

# Impact

The technical impact is that an attacker can impersonate a user, an administrator, or a privileged user, or create, access, update, or delete any record. The business affects the protection needs of applications and data.

# Scenario

Ultra vires:

Horizontal ultra vires, preliminary ultra vires

File operations:

File upload, file inclusion, arbitrary file download, arbitrary file deletion

# Prevention

Strengthen the encapsulation and encryption of reference parameters
Use security labels and adopt a strong access control model (MAC)

Last Updated: 10/26/2021, 5:08:30 PM