Missing Function Level Access Control


Most of the web applications verify function level access rights before making that functionality accessible to the user. However, if the same access control checks are not performed on the server, hackers are able to penetrate into the application without proper authorization.

Let us understand Threat Agents, Attack Vectors, Security Weakness, Technical Impact and Business Impacts of this flaw with the help of simple diagram.



Here is a classic example of Missing Function Level Access Control −

The hacker simply forces target URLs. Usually admin access requires authentication, however, if the application access is not verified, then an unauthenticated user can access admin page.

' Below URL might be accessible to an authenticated user

' A NON Admin user is able to access admin page without authorization.

Hands ON

Step 1 − Let us login as account manager by first going through the list of users and their access privileges.


Step 2 − Upon trying various combinations we can find out that Larry has access to resource account manager.


Preventive Mechanisms

  • The authentication mechanism should deny all access by default, and provide access to specific roles for every function.

  • In a workflow based application, verify the users’ state before allowing them to access any resources.