ASVS v4.0 - 4.1.3 - Improper authorization

    Category: Bug report
    Component: 14259

    Multiple endpoints in the application are affected:

    1. A user with the least privileges can reach the configuration endpoint and change cloud and OLAP configuration parameters.

    2. A user with the least privileges can view and generate reports belonging to other organizations that should not be accessible to that user.

    3. Any user has access to internal paths that should be reachable only by an admin user.

    Assuming a user with a given identity, authorization is the process of determining whether that user may access a given resource, based on the user's privileges and any permissions or other access-control specifications that apply to the resource.

    When access-control checks are not applied consistently, or not at all, users can access data or perform actions that they should not be allowed to. This can lead to a wide range of problems, including information exposure, denial of service, and arbitrary code execution.

    A more specific test is to check whether any given user can access other users' resources. Users should only be able to access functions, data files, URLs, controllers, services, and other resources for which they hold a specific authorization. This implies protection against both horizontal access (another user's or organization's data) and vertical elevation of privilege (admin-only functions).
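    The following is an added example, not code from the application in this report, that shows the check described above in working form: an in-memory report store and configuration endpoint, each in a vulnerable and a hardened variant, plus a probe that exercises them as a least-privileged user and reports every case where the outcome differs from what the authorization policy requires. The users, organization names, report contents and the `olap_cache_ttl` key are all constructed for the example; nothing here reflects the real endpoints of the affected application.

```python
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    ADMIN = "admin"
    MEMBER = "member"


@dataclass(frozen=True)
class User:
    name: str
    org: str
    role: Role


@dataclass(frozen=True)
class Report:
    report_id: int
    org: str
    body: str


class Forbidden(Exception):
    """Raised by a hardened handler when the caller is not authorized."""


# Constructed sample data: two organizations, one report each.
REPORTS = {
    1: Report(1, "org-a", "Q1 sales, org-a"),
    2: Report(2, "org-b", "Q1 sales, org-b"),
}


def get_report_vulnerable(user: User, report_id: int) -> str:
    # Horizontal flaw: the report is looked up by ID only, so any
    # authenticated user can read any organization's report.
    return REPORTS[report_id].body


def get_report_secure(user: User, report_id: int) -> str:
    report = REPORTS.get(report_id)
    # Deny unless the report exists AND belongs to the caller's org.
    # Missing and foreign reports get the same error so IDs cannot be enumerated.
    if report is None or report.org != user.org:
        raise Forbidden("report not accessible")
    return report.body


def set_config_vulnerable(user: User, config: dict, key: str, value) -> dict:
    # Vertical flaw: no role check, so a MEMBER can change admin-only settings.
    config[key] = value
    return config


def set_config_secure(user: User, config: dict, key: str, value) -> dict:
    if user.role is not Role.ADMIN:
        raise Forbidden("admin only")
    config[key] = value
    return config


def authz_findings(user: User, cases) -> list:
    """Run each (label, callable, expected_allowed) as `user`.

    A callable that completes counts as allowed; one that raises Forbidden
    counts as denied. Returns the labels whose outcome contradicts policy,
    i.e. both unexpected grants and unexpected denials.
    """
    findings = []
    for label, call, expected_allowed in cases:
        try:
            call(user)
            allowed = True
        except Forbidden:
            allowed = False
        if allowed != expected_allowed:
            findings.append(label)
    return findings


def run_probe(get_report, set_config) -> list:
    """Probe a pair of handlers with the least-privileged user of org-a."""
    alice = User("alice", "org-a", Role.MEMBER)  # constructed test identity
    config = {"olap_cache_ttl": 300}  # constructed, hypothetical setting
    cases = [
        ("read own org report", lambda u: get_report(u, 1), True),
        ("read foreign org report", lambda u: get_report(u, 2), False),
        ("change OLAP config as member",
         lambda u: set_config(u, config, "olap_cache_ttl", 0), False),
    ]
    return authz_findings(alice, cases)


if __name__ == "__main__":
    print("vulnerable:", run_probe(get_report_vulnerable, set_config_vulnerable))
    print("hardened:  ", run_probe(get_report_secure, set_config_secure))
```

    The probe is the reusable part: keep a table of (action, expected outcome) per role and run it against every endpoint after each deployment, so a missing check shows up as a finding rather than waiting for a pentest. Note the hardened handlers are default-deny and check ownership on the object that was actually fetched, not on a parameter the client controls.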
