OWASP Top Ten 2021 Category A01:2021 - Broken Access Control

A category in the Common Weakness Enumeration published by The MITRE Corporation.


Summary

Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.

Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top Ten 2021.

Weaknesses

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Authorization Bypass Through User-Controlled SQL Primary Key

The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be contr...

Cross-Site Request Forgery (CSRF)

The web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the...

Direct Request ('Forced Browsing')

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

Exposure of Information Through Directory Listing

A directory listing is inappropriately exposed, yielding potentially sensitive information to attackers.

Exposure of Private Personal Information to an Unauthorized Actor

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the...

Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Exposure of Sensitive System Information to an Unauthorized Control Sphere

The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the und...

Exposure of WSDL File Containing Sensitive Information

The Web services architecture may require exposing a Web Service Definition Language (WSDL) file that contains information on the publicly accessible services and how ...

Files or Directories Accessible to External Parties

The product makes files or directories accessible to unauthorized actors, even though they should not be.

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Improper Control of Dynamically-Managed Code Resources

The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or exe...

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but ...

Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an uni...

Inclusion of Sensitive Information in Source Code

Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows ...

Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

Insecure Storage of Sensitive Information

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

Insecure Temporary File

Creating and using insecure temporary files can leave application and system data vulnerable to attack.

Insertion of Sensitive Information into Externally-Accessible File or Directory

The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive ...

Insertion of Sensitive Information Into Sent Data

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Path Traversal: '.../...//'

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple d...

Relative Path Traversal

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that c...

Sensitive Cookie with Improper SameSite Attribute

The SameSite attribute for sensitive cookies is not set, or an insecure value is used.

Storage of File with Sensitive Data Under Web Root

The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties.

Transmission of Private Resources into a New Sphere ('Resource Leak')

The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.

Unintended Proxy or Intermediary ('Confused Deputy')

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request bef...

URL Redirection to Untrusted Site ('Open Redirect')

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

Use of Incorrectly-Resolved Name or Reference

The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.

Categories

Permission Issues

Weaknesses in this category are related to improper assignment or handling of permissions.

Deprecated or Obsolete

Permissions, Privileges, and Access Controls

Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Concepts

Weaknesses in OWASP Top Ten (2021)

CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2021.

See Also

  1. A01:2021 - Broken Access Control
  2. OWASP Top 10:2021

Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website is subject to the Terms of Use as specified by The MITRE Corporation.