Authorize Actors

The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be...

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

The software uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be cont...

The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a...

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

The software implements an IOCTL with functionality that should be restricted, but it does not properly enforce access control for the IOCTL.

The product stores access control list files in a directory or other container that is accessible to actors outside of the intended control sphere.

A backup file is stored in a directory or archive that is made accessible to unauthorized actors.

The product generates a core dump file in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.

A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descript...

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the...

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

The product stores a CVS, git, or other repository in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized...

The software stores security-critical state information about its users, or the software itself, in a location that is accessible to unauthorized actors.

One or more system settings or configuration elements can be externally controlled by a user.

The product does not prevent the definition of control spheres from external actors.

The product makes files or directories accessible to unauthorized actors, even though they should not be.

The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

The software uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.

The software attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.

The software does not restrict a reference to a Document Type Definition (DTD) to the intended control sphere. This might allow attackers to reference arbitrary DTDs, ...

The application does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This...

The software does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses.

The software assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.

The software does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrict...

The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

The software establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicat...

The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows...

If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.

During installation, installed file permissions are set to allow anyone to modify those files.

While it is executing, the software sets the permissions of an object in a way that violates the intended permissions that have been specified by the user.

The software assigns an owner to a resource, but the owner is outside of the intended control sphere.

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides ...

The software does not properly manage a user within its environment.

A product defines a set of insecure permissions that are inherited by objects that are created by the program.

The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive ...

The product does not sufficiently compartmentalize functionality or processes that require different privilege levels, rights, or permissions.

The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product ...

The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.

The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

The software uses a cross-domain policy file that includes domains that should not be trusted.

A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc.

Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that...

The software does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control.

A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity.

The software does not drop privileges before passing control of a resource to an actor that does not have those privileges.

Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) o...

The software uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the...

The application stores sensitive data under the FTP server root with insufficient access control, which might make it accessible to untrusted parties.

The application stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties.

The software stores sensitive information in a file system or device that does not have built-in access control.

The software protects a primary channel, but it does not use the same level of protection for an alternate channel.

The software uses a primary channel for administration or restricted functionality, but it does not properly protect the channel.

The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.

The application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application's direct control.

The software does not properly verify that a critical resource is owned by the proper entity.

The software defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass ...

This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be ma...