Corgea LogoCorgea Security Hub

CWE-862: Missing Authorization

Learn about CWE-862 (Missing Authorization), its security impact, exploitation methods, and prevention guidelines.

What is Missing Authorization?

• Overview: Missing Authorization (CWE-862) occurs when a system fails to verify if a user has permission to access a resource or perform an action, potentially allowing unauthorized access.

• Exploitation Methods:

  • Attackers can exploit this vulnerability by accessing resources or performing actions without proper permission checks.
  • Common attack patterns include manipulating user identifiers or directly accessing endpoints that lack authorization checks.

• Security Impact:

  • Direct consequences include unauthorized access to sensitive data or functionality.
  • Potential cascading effects involve compromised system integrity and unauthorized data modification or deletion.
  • Business impact can involve data breaches, loss of customer trust, potential legal liabilities, and financial loss.

• Prevention Guidelines:

  • Specific code-level fixes include implementing consistent and robust authorization checks for all sensitive operations.
  • Security best practices involve using role-based access control (RBAC) and least privilege principles.
  • Recommended tools and frameworks include utilizing security libraries or frameworks that provide built-in authorization mechanisms, such as OAuth, OpenID Connect, or Access Control Lists (ACLs).
Corgea can automatically detect and fix Missing Authorization in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: High

Affected Languages: Not Language-Specific

Affected Technologies: Web Server, Database Server

An access control list (ACL) represents who/what has permissions to a given object. Different operating systems implement (ACLs) in different ways. In UNIX, there are three types of permissions: read, write, and execute. Users are divided into three classes for file access: owner, group owner, and all other users where each class has a separate set of rights. In Windows NT, there are four basic types of permissions for files: "No access", "Read access", "Change access", and "Full control". Windows NT extends the concept of three types of users in UNIX to include a list of users and groups along with their associated permissions. A user can create an object (file) and assign specified permissions to that object.

Vulnerable Code Example

Python Example

from flask import Flask, request, jsonify

app = Flask(__name__)

def get_user_data(user_id):
    # Simulated database query
    return {"user_id": user_id, "data": "Sensitive User Data"}

@app.route('/user_data', methods=['GET'])
def user_data():
    user_id = request.args.get('user_id')
    # Missing authorization check: Any user can request data of any user
    user_data = get_user_data(user_id)  
    return jsonify(user_data)  

if __name__ == '__main__':
    app.run(debug=True)

Explanation:

  • This code snippet demonstrates a missing authorization vulnerability. The user_data function allows any user to access any other user's data by simply providing a user ID as a query parameter.
  • There is no check to verify if the requesting user is authorized to access the data associated with the provided user_id.

How to fix Missing Authorization?

To fix this issue, it's essential to implement an authorization layer that verifies whether the requesting user has the necessary permissions to access the requested data. This typically involves:

  1. Authenticating the user to verify their identity.
  2. Checking if the authenticated user has permission to access the resource.
  3. Using a secure method to handle authentication and authorization, such as tokens or session-based mechanisms.

Fixed Code Example

Python Example

from flask import Flask, request, jsonify

app = Flask(__name__)

def get_user_data(user_id):
    # Simulated database query
    return {"user_id": user_id, "data": "Sensitive User Data"}

def is_authorized(request_user_id, target_user_id):
    # Simulated authorization logic: Only allow access if the user IDs match
    return request_user_id == target_user_id

@app.route('/user_data', methods=['GET'])
def user_data():
    user_id = request.args.get('user_id')
    request_user_id = request.headers.get('X-User-ID')  # Authenticated user ID from headers
    # Implementing authorization check
    if not is_authorized(request_user_id, user_id):  
        return jsonify({"error": "Unauthorized access"}), 403  
    user_data = get_user_data(user_id)  
    return jsonify(user_data)  

if __name__ == '__main__':
    app.run(debug=True)

Explanation:

  • The fixed code introduces an is_authorized function to check if the authenticated user (identified by request_user_id) is allowed to access the data of user_id.
  • The user_data function now uses this authorization check before proceeding to fetch and return data.
  • If the user is not authorized, a 403 Unauthorized response is returned, preventing unauthorized access to sensitive information.
  • This implementation assumes that the user's ID is securely passed in the request headers, which should be derived from a trusted authentication process, such as a verified login session or token.
Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-862: Missing Authorization and get remediation guidance

Start for free and no credit card needed.