Authorization / Missing Authorization
Description
Missing Authorization is an authorization vulnerability that occurs when an application fails to check whether the requesting user actually holds the permissions required to access a resource or perform an action. It typically occurs in Web and API applications and is ranked at number 18 in the CWE Top 25 (2022). It is also listed as A7 in the OWASP Testing Guide. An attacker can exploit this vulnerability to bypass the application's access controls and gain access to sensitive information or perform actions they should not be permitted to perform.
Risk
Missing Authorization poses a significant risk for any application that does not properly check for user permissions. An attacker can exploit this vulnerability to gain access to private data or use the application for malicious purposes. It is also possible for an attacker to use this vulnerability to gain elevated privileges within the application.
Solution
To mitigate this vulnerability, developers should enforce access control checks server-side on every request to a protected resource or operation, not only at login. Access control should cover all resources, and the specific permission an action requires should be checked before that action is carried out, denying by default when no rule grants it. Additionally, developers should use standard protocols such as OpenID Connect to authenticate users and OAuth 2.0 for delegated access, and then check the resulting identity and granted scopes against the permissions each resource requires.
Example
The following code example is taken from a CVE report (CVE-2020-12681) and demonstrates a missing authorization vulnerability.
if ( !is_user_logged_in() ) {
    // Only authentication is verified: an anonymous visitor is redirected to the login page
    header('Location: /login.php');
    exit();
}
// Perform some action
// No check follows that the logged-in user is permitted to perform this action
In this example, the application only checks that a user is logged in; it never checks whether that user holds the permission the action requires. Any logged-in user can therefore perform the action, even one who should not have access.
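The following is an added example, written in Python rather than the page's PHP and not taken from CVE-2020-12681 or any real project. It illustrates both the Solution section and the snippet above: the vulnerable handler reproduces the page's logic of checking only that someone is logged in, while the fixed handler adds a deny-by-default authorization check that considers the user's roles and, for deletions, ownership of the specific object. The roles, actions, users and documents are constructed for the example.

```python
"""Authorization after authentication: a deny-by-default check.

Added example (not the page's or the CVE's code). The vulnerable handler
checks only that a user is logged in; the fixed handler also checks that the
user's roles grant the action on that specific object. All roles, actions and
sample documents below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()


@dataclass
class Document:
    doc_id: int
    owner: str


# Constructed role -> action table. Any action not listed for a role is denied.
ROLE_PERMISSIONS = {
    "admin": {"document:read", "document:delete", "document:delete_any"},
    "editor": {"document:read", "document:delete"},
    "viewer": {"document:read"},
}


class Unauthenticated(Exception):
    """No user is logged in (the only case the vulnerable handler covers)."""


class Forbidden(Exception):
    """User is logged in but lacks permission for this action on this object."""


def is_authorized(user: User, action: str, doc: Document) -> bool:
    """Deny by default: the action must be granted by one of the user's roles.
    A plain 'document:delete' grant only covers documents the user owns
    (object-level check); 'document:delete_any' covers every document."""
    granted = set()
    for role in user.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    if action == "document:delete":
        if "document:delete_any" in granted:
            return True
        return "document:delete" in granted and doc.owner == user.name
    return action in granted


def make_store() -> dict:
    """Constructed sample data: two documents with different owners."""
    return {1: Document(1, "alice"), 2: Document(2, "bob")}


def delete_document_vulnerable(user, doc_id: int, store: dict) -> bool:
    """Mirrors the page's snippet: authentication is checked, authorization is not."""
    if user is None:
        raise Unauthenticated()
    store.pop(doc_id)  # any logged-in user can delete any document
    return True


def delete_document_fixed(user, doc_id: int, store: dict) -> bool:
    """Same handler with the missing authorization check added before the action."""
    if user is None:
        raise Unauthenticated()
    doc = store[doc_id]
    if not is_authorized(user, "document:delete", doc):
        raise Forbidden()
    store.pop(doc_id)
    return True


def outcome(handler, user, doc_id: int) -> str:
    """Run a handler against a fresh store and report what happened."""
    try:
        handler(user, doc_id, make_store())
        return "deleted"
    except Unauthenticated:
        return "login required"
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    viewer = User("carol", frozenset({"viewer"}))
    for handler in (delete_document_vulnerable, delete_document_fixed):
        print(handler.__name__, "- viewer deleting alice's document:",
              outcome(handler, viewer, 1))
```

The design point is that the permission check names the action and the object, not just the fact of being logged in: a viewer is refused, an editor may delete only their own document, and only an explicit "delete any" grant crosses ownership. The same shape applies to the page's PHP snippet, where a capability check would follow the login check.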