CWE Glossary

CWE is a trademark of the MITRE Corporation.


Improper Authorization [CWE-285]

This weakness covers cases where an application fails to perform, or performs incorrectly, the authorization check that decides whether a user may access a resource or carry out an action.

Created: June 11, 2018

Table of Contents

  1. Description
  2. Potential impact
  3. Attack patterns
  4. Affected software
  5. Mitigations
  6. References

1. Description

Authorization is the process of validating a user's rights and privileges within an application. It is one part of the AAA (Authentication, Authorization, Accounting) security framework, which is designed to protect the integrity and confidentiality of valuable information assets.

The goal of the authorization process is to check whether the user has the right to interact with a given resource before that interaction is allowed. A missing or incorrect check lets a user reach privileged information or functionality, which can compromise the integrity of the application.

Improper Authorization (CWE-285) is a child of the Improper Access Control (CWE-284) weakness class. It covers security issues caused by incorrect implementation of privilege checks within an application, as well as flaws in the application's original access-control design. Note that authorization is distinct from authentication: an application can correctly verify who a user is and still fail to check what that user is allowed to do.

2. Potential impact

Depending on the application's design and functionality, the impact ranges from minor information disclosure to remote code execution and full compromise of the web application or the underlying system. An attacker can use this weakness to read sensitive information, modify data, trigger a denial of service, or execute code.

A real-world example is the authorization bypass in the admin_nodeInfo API of cpp-ethereum's JSON-RPC server (CVE-2017-12113): a specially crafted JSON request reached restricted functionality and allowed an attacker to issue arbitrary RPC requests without authorization.

3. Attack patterns

The following CAPEC patterns are related to this vulnerability:

Improper authorization is described as Insufficient Authorization (WASC-02) in the WASC Threat Classification.

4. Affected software

Improper authorization is a language-independent issue that can arise in any multi-user environment. Most modern web applications implement some form of privilege separation (for example, anonymous website visitor versus website administrator), so the issue is common in content management systems, blogging software, frameworks, APIs, and similar software.

5. Mitigations

Unfortunately, no universal recommendation can mitigate improper authorization in an already deployed application: developing a fix requires understanding the application's security model and the access controls it implements.

Three basic rules, however, help eliminate improper authorization issues during design and development:

  1. Identify all privileged assets within the application (web pages that display sensitive data, website sections that contain privileged or administrative functionality, etc.).
  2. Identify the user roles within the application and the permissions each role holds.
  3. On every request, check server-side that the current user is permitted to access the requested asset, and deny by default when no rule grants access.
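As an added example (not code from the original page or from High-Tech Bridge), the three rules above and the resource check described in the Description section implemented as a small Python authorization layer, with the CWE-285 flaw shown beside its fix. The roles, actions, `User` and `Document` types, and the sample documents are all constructed for illustration and are not taken from any real application.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class User:
    id: int
    role: str          # hypothetical roles used here: "admin" or "user"


@dataclass
class Document:
    id: int
    owner_id: int
    body: str


class AuthorizationError(PermissionError):
    """Raised whenever a request fails the authorization check."""


# Rule 1: the privileged actions of this (constructed) application, named explicitly.
# Rule 2: each role mapped to the actions it may perform. An action not listed
# for a role is denied, and an unknown role gets no permissions at all.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "admin": {"document:read", "document:delete", "user:list"},
    "user": {"document:read", "document:delete"},
}

# Object-level rule: a document may be read or deleted only by its owner,
# unless the caller's role is trusted to act on any owner's documents.
ANY_OWNER_ROLES: Set[str] = {"admin"}


def authorize(user: Optional[User], action: str, doc: Optional[Document] = None) -> None:
    """Rule 3: deny by default. Raise AuthorizationError unless the user's role
    grants `action` and, for object-level actions, the user may act on `doc`."""
    if user is None:
        raise AuthorizationError("authentication required")
    if action not in ROLE_PERMISSIONS.get(user.role, set()):
        raise AuthorizationError(f"role {user.role!r} may not perform {action}")
    if doc is not None and doc.owner_id != user.id and user.role not in ANY_OWNER_ROLES:
        raise AuthorizationError(f"user {user.id} does not own document {doc.id}")


def is_allowed(user: Optional[User], action: str, doc: Optional[Document] = None) -> bool:
    """Boolean view of authorize(), convenient for templates and tests."""
    try:
        authorize(user, action, doc)
    except AuthorizationError:
        return False
    return True


def sample_store() -> Dict[int, Document]:
    """Constructed sample data: two documents owned by two different users."""
    return {
        1: Document(id=1, owner_id=10, body="alice's private notes"),
        2: Document(id=2, owner_id=20, body="bob's private notes"),
    }


def delete_document_vulnerable(store: Dict[int, Document], user: Optional[User], doc_id: int) -> Document:
    """CWE-285 as it usually appears: the handler authenticates (a logged-in
    user exists) but never authorizes, so any user can delete any document
    simply by supplying its id."""
    if user is None:
        raise AuthorizationError("authentication required")
    return store.pop(doc_id)


def delete_document(store: Dict[int, Document], user: Optional[User], doc_id: int) -> Document:
    """Fixed handler: load the object first, then run the authorization check
    against the actual object (its owner) before acting on it."""
    doc = store[doc_id]
    authorize(user, "document:delete", doc)
    return store.pop(doc_id)


def list_users(user: Optional[User]) -> list:
    """Privileged functionality (rule 1): only roles holding user:list may call it."""
    authorize(user, "user:list")
    return sorted({d.owner_id for d in sample_store().values()})


if __name__ == "__main__":
    alice, bob, root = User(10, "user"), User(20, "user"), User(1, "admin")
    # Vulnerable path: bob removes alice's document.
    print("vulnerable handler deleted:", delete_document_vulnerable(sample_store(), bob, 1).body)
    # Fixed path: bob is refused, while the owner and an admin still succeed.
    store = sample_store()
    print("bob:", is_allowed(bob, "document:delete", store[1]),
          "alice:", is_allowed(alice, "document:delete", store[1]),
          "admin:", is_allowed(root, "document:delete", store[1]))
    print("bob may list users:", is_allowed(bob, "user:list"), "admin sees:", list_users(root))
```

Two design points are worth noting. Every handler goes through the single `authorize()` function, so the rules live in one place rather than in scattered `if` statements that are easy to forget, and an unknown role or an unlisted action is denied rather than allowed. Also, `delete_document` raises `KeyError` for a missing id but `AuthorizationError` for another user's id; if enumeration of valid ids matters in your application, return the same error for both cases.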

6. References

  1. CWE-285: Improper Authorization [cwe.mitre.org]
  2. Insufficient Authorization [projects.webappsec.org]

Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to High-Tech Bridge is given.
