Authentication / Improper Access Control
Improper Access Control is a vulnerability that lets an individual reach information or resources they are not authorized to access. It is categorized under Authentication and affects both web and API applications. According to the Common Weakness Enumeration (CWE) directory, Improper Access Control is defined as "a weakness that is related to a system's ability to restrict or prevent unauthorized access to resources or functionality" (CWE-284). The Open Web Application Security Project (OWASP) Testing Guide outlines a number of tests that can be used to detect Improper Access Control, such as authentication testing, authorization testing and session management testing (OWASP Testing Guide v4).
Improper Access Control can be a serious security risk, because it can allow an attacker to read or modify information and resources they are not authorized to access. To assess the risk properly, organizations should take into account the sensitivity of the data and resources being accessed, as well as the potential impact of a breach.
Organizations can mitigate the risk of Improper Access Control by implementing strong authentication and authorization mechanisms. This can include robust access control lists enforced on every request, strong passwords, two-factor authentication, and regular monitoring of access logs.
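As an added illustration (not code from the original entry), the snippet below shows the weakness beside its hardened form: a document handler that never checks whether the caller may read the requested document, and one that denies by default, consults an access control list, and records every decision for log monitoring. The document store, ACL, and user names are constructed sample data.

```python
# Added example (not from the original entry): a weak resource handler with no
# authorization check beside a hardened one that enforces an ACL and logs access.
from dataclasses import dataclass, field

# Constructed sample data: documents with an owner, plus an explicit ACL
DOCUMENTS = {
    "doc-1": {"owner": "alice", "body": "Alice's payroll export"},
    "doc-2": {"owner": "bob", "body": "Bob's draft report"},
}
# ACL: document id -> set of additional principals allowed to read it
ACL = {
    "doc-2": {"carol"},   # Bob shared doc-2 with Carol
}

@dataclass
class AuditLog:
    entries: list = field(default_factory=list)
    def record(self, user, doc_id, allowed):
        self.entries.append((user, doc_id, "ALLOW" if allowed else "DENY"))

class AccessDenied(Exception):
    pass

def read_document_vulnerable(user: str, doc_id: str) -> str:
    """Weak handler: the caller was authenticated elsewhere, but nothing
    checks whether *this* user may read *this* document (CWE-284)."""
    return DOCUMENTS[doc_id]["body"]

def is_authorized(user: str, doc_id: str) -> bool:
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return False          # fail closed: unknown resource is not readable
    return user == doc["owner"] or user in ACL.get(doc_id, set())

def read_document(user: str, doc_id: str, log: AuditLog) -> str:
    """Hardened handler: deny by default, allow only the owner or ACL
    principals, and log the decision so access patterns can be monitored."""
    allowed = is_authorized(user, doc_id)
    log.record(user, doc_id, allowed)
    if not allowed:
        raise AccessDenied(f"{user} may not read {doc_id}")
    return DOCUMENTS[doc_id]["body"]

if __name__ == "__main__":
    log = AuditLog()
    print(read_document_vulnerable("bob", "doc-1"))  # leaks Alice's document
    print(read_document("carol", "doc-2", log))      # allowed via the ACL
    print(log.entries)
```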