Authorization Errors

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

The product prevents direct access to a resource containing sensitive information, but it does not sufficiently limit access to metadata that is derived from the origi...

The product makes files or directories accessible to unauthorized actors, even though they should not be.

The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.

The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.

If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.

The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system fro...

The product or the administrator places a user into an incorrect group.

This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development l...