OWASP Top Ten 2004 Category A2 - Broken Access Control

Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges.

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

The product allows user input to control or influence paths or file names that are used in filesystem operations.

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but ...

The product is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory na...

If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.

The product assigns an owner to a resource, but the owner is outside of the intended control sphere.

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the product.

Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that...

The product does not properly verify that a critical resource is owned by the proper entity.

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.

Weaknesses in this category are related to improper assignment or handling of permissions.

CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is cons...