2024 CWE Top 25 Most Dangerous Software Weaknesses: Missing Authorisation (CWE-862)

2024 CWE Top 25 Most Dangerous Software Weaknesses: Missing Authorisation (CWE-862)

Software vulnerabilities have consistently posed significant challenges in the digital landscape, and the Common Weakness Enumeration (CWE) initiative provides a structured approach to identifying, categorising, and addressing them. Among the 2024 CWE Top 25 Most Dangerous Software Weaknesses, Missing Authorisation (CWE-862) ranks high due to its potential to cause severe business and operational repercussions. This article delves into CWE-862, offering an in-depth exploration for software developers and penetration testers, while highlighting strategies to mitigate this critical issue.

Understanding Missing Authorisation (CWE-862)

What is Missing Authorisation?

Missing Authorisation, identified by CWE-862, refers to a software weakness where an application fails to verify if a user is permitted to access specific resources or perform certain actions. While authentication establishes identity, authorisation ensures that the authenticated user has the necessary permissions. When authorisation is missing, attackers can exploit this oversight to access sensitive data, perform unauthorised transactions, or disrupt services.

How Does It Differ from Authentication Issues?

It’s essential to distinguish between authentication and authorisation:

• Authentication confirms a user’s identity (e.g., using credentials like usernames and passwords).
• Authorisation determines the actions or resources the user is allowed to access.

An application can authenticate a user correctly but still suffer from CWE-862 if it fails to implement proper authorisation checks.

Why CWE-862 is Among the Most Dangerous Weaknesses

Business Impact

Missing authorisation can lead to catastrophic outcomes for businesses, such as:

1. Data Breaches: Unauthorised access to sensitive information, including customer data, financial records, or intellectual property.
2. Regulatory Non-Compliance: Violations of data protection laws like GDPR or HIPAA due to mishandled access control.
3. Financial Losses: Fraudulent transactions and system misuse impacting revenue streams.
4. Brand Erosion: Loss of customer trust following security incidents.

Prevalence in Modern Applications

In the era of APIs, microservices, and cloud-based applications, the complexity of ensuring robust authorisation has grown. The following contribute to the prevalence of CWE-862:

• Overlooked Edge Cases: Developers may assume users will only access resources within their scope.
• Weak API Gatekeeping: Inadequate access control in APIs exposes them to unauthorised access.
• Legacy Systems: Older systems may lack the capability to implement fine-grained authorisation.

Real-World Examples of CWE-862 Exploitation

Example 1: Broken Access Controls in APIs

In 2019, a fintech company’s mobile API allowed authenticated users to manipulate HTTP requests, granting them access to other users’ financial data. The lack of authorisation checks exposed sensitive information and violated compliance requirements.

Example 2: Privilege Escalation in Cloud Platforms

A misconfigured cloud application permitted authenticated users to elevate their privileges, granting them administrative access. This flaw resulted in unauthorised changes to the infrastructure, leading to data leaks and service disruptions.

Real-World Incidents of CWE-862 Exploitation

Understanding the practical implications of Missing Authorisation (CWE-862) becomes clearer when examining real-world incidents where this vulnerability has been exploited. These cases underline the critical need for robust authorisation mechanisms in software systems.

Incident 1: Facebook Photo API Breach (2018)

Overview:

A bug in Facebook’s photo API allowed third-party apps to access users’ private photos without proper authorisation. Over 6.8 million users were affected, and sensitive personal data was exposed.

Details:

• The API did not enforce sufficient authorisation checks, granting access to private photos that users had uploaded but not shared.
• Exploiters could access these images by leveraging apps they had authorised to access only public photos.

Impact:

• Massive loss of user trust.
• Regulatory scrutiny under GDPR, leading to potential fines.
• A tarnished reputation and increased scepticism toward Facebook’s data protection measures.

Lessons Learned:

• Ensure all APIs implement strict authorisation checks.
• Conduct thorough security testing, especially for applications handling sensitive user data.

Incident 2: Uber Data Breach (2016)

Overview:

An unauthorised individual accessed Uber’s GitHub repository, which contained AWS credentials. Using these credentials, the attacker accessed sensitive customer and driver data stored in Uber’s cloud environment.

Details:

• Uber’s backend systems lacked adequate authorisation checks, allowing an attacker to leverage stolen credentials.
• The breach exposed names, email addresses, and phone numbers of 57 million users.

Impact:

• Financial losses due to settlements and regulatory penalties.
• Significant reputational damage.
• Increased scrutiny over Uber’s data security practices.

Lessons Learned:

• Authorisation should not rely solely on the secrecy of credentials; systems should continuously validate permissions for sensitive actions.
• Regularly audit and rotate credentials to reduce the impact of compromised keys.

Incident 3: Equifax Breach (2017)

Overview:

Equifax suffered a massive data breach affecting over 147 million consumers. While the breach primarily resulted from unpatched vulnerabilities in a web application, poor authorisation mechanisms compounded the issue.

Details:

• Attackers gained access to sensitive data through unprotected APIs.
• Once inside, they navigated through systems without encountering proper authorisation controls, allowing them to extract extensive data.

Impact:

• Exposure of names, social security numbers, birth dates, and more.
• Equifax faced lawsuits, regulatory penalties, and long-lasting reputational damage.

Lessons Learned:

• Implement layered security with stringent authorisation controls at every system interface.
• Regularly audit APIs and backend systems for unauthorised access possibilities.

Incident 4: Twitter API Exploit (2020)

Overview:

A vulnerability in Twitter’s API allowed attackers to exploit authorised accounts and match phone numbers with user accounts. This was a result of insufficient authorisation checks.

Details:

• Attackers used large-scale brute force techniques to exploit a missing rate limit in the API.
• The lack of effective authorisation mechanisms allowed automated exploitation of the API, leading to the exposure of private user information.

Impact:

• Compromised user anonymity.
• Erosion of trust among users and developers relying on the API for legitimate purposes.

Lessons Learned:

• Enforce rate limiting and monitoring on APIs.
• Ensure APIs validate the permissions of every request, even from authenticated users.

Incident 5: Cloud Storage Misconfiguration (2019)

Overview:

Misconfigured cloud storage buckets frequently lack proper authorisation, exposing sensitive data. One notable incident involved a global telecommunications provider, where customer records and financial data were publicly accessible.

Details:

• Access permissions were set incorrectly, allowing unauthorised users to view and download sensitive files.
• No authorisation mechanism existed to prevent unauthorised browsing of storage directories.

Impact:

• Exposure of millions of customer records.
• Regulatory scrutiny and penalties under GDPR.
• Long-term reputational harm.

Lessons Learned:

• Regularly audit cloud configurations for adherence to least privilege principles.
• Implement strong access controls and ensure default configurations are secure.

Incident 6: GitLab Privilege Escalation Bug (2021)

Overview:

A vulnerability in GitLab allowed authenticated users to escalate their privileges and access administrative functionalities without proper authorisation.

Details:

• The application failed to verify user roles when accessing certain endpoints.
• Attackers exploited this oversight to gain administrative control over GitLab instances.

Impact:

• Exposed sensitive project data, source code, and intellectual property.
• Put organisations at risk of intellectual property theft and operational disruption.

Lessons Learned:

• Always enforce role-based access controls (RBAC) at every endpoint.
• Continuously test applications for privilege escalation vulnerabilities.

Incident 7: Schneider Electric’s EcoStruxure IT Gateway Vulnerability

Overview:

Schneider Electric’s EcoStruxure IT Gateway software faced a critical flaw, assigned CVE-2024-10575, due to missing authorisation checks. This weakness allowed unauthorised users to gain access to the system, potentially compromising connected devices and operational environments.

Details:

• Affected Versions: 1.21.0.6 through 1.23.0.4.
• Impact: The vulnerability permitted unauthorised access, increasing the risk of operational disruptions, data theft, and unauthorised control of critical systems.
• Remediation: Schneider Electric released version 1.23.1.10 to address the issue. Users were urged to enable automatic updates to ensure they received timely patches.

Lessons Learned:

• Automatic updates are crucial for rapid remediation of vulnerabilities.
• Rigorous authorisation checks are essential for protecting critical infrastructure from unauthorised access.

Incident 8. CleanTalk WordPress Plugin Exploit

Overview:

The widely used Spam Protection, Anti-Spam, FireWall by CleanTalk WordPress plugin contained a missing authorisation vulnerability, identified as CVE-2024-10542. This flaw could allow unauthenticated attackers to install and activate arbitrary plugins.

Details:

• Cause: Reverse DNS spoofing was leveraged to bypass authorisation mechanisms.
• Affected Versions: All versions up to and including 6.43.2.
• Impact: Attackers could escalate their control over websites by combining this vulnerability with others, potentially executing remote code or injecting malicious plugins.
• Remediation: The developers advised users to update to the latest version to mitigate risks.

Lessons Learned:

• Even widely used and trusted plugins can contain vulnerabilities, underscoring the importance of regular updates.
• Developers must implement thorough authorisation checks for critical operations like plugin installations.

Incident 9. SAP Enable Now Unauthorized Access

Overview:

SAP Enable Now, a tool used by organisations to create and manage training content, was found to have a missing authorisation vulnerability (CVE-2024-39596). This flaw allowed unauthorised access to sensitive data and actions within the system.

Details:

• Impact: The vulnerability posed a risk to enterprise data security, as attackers could manipulate or steal sensitive training materials and user information.
• Remediation: SAP released security patches to address the flaw, urging organisations to implement updates promptly.

Lessons Learned:

• Authorisation weaknesses in enterprise tools can have cascading effects on organisational security.
• Regular patch management and vulnerability assessments are critical for enterprise software users.

Key Takeaways from These Incidents

1. Criticality of Regular Updates:
   • In each case, timely updates and patches played a pivotal role in mitigating the risks.
   • Organisations must prioritise keeping their software and plugins up to date.
2. Importance of Testing:
   • Security testing during development and post-deployment is crucial to identify and address vulnerabilities like missing authorisation checks.
3. Robust Monitoring and Alerts:
   • Real-time monitoring can detect and prevent unauthorised access attempts, minimising damage in the event of a vulnerability.
4. Education and Awareness:
   • Developers and users alike must understand the importance of implementing and adhering to strict authorisation protocols to prevent exploitation.
5. API Security is Critical: APIs often serve as gateways to sensitive systems, making robust authorisation indispensable.
6. Comprehensive Security Testing: Regular penetration testing can identify potential authorisation flaws before attackers exploit them.
7. Layered Defence Mechanisms: A multi-layered approach to security ensures that even if one mechanism fails, others can compensate.
8. Monitoring and Response: Real-time monitoring and logging can help detect unauthorised access attempts early, minimising potential damage.

These real-world examples reinforce the importance of addressing CWE-862 comprehensively. By learning from these incidents, software developers and penetration testers can better prepare to mitigate this pervasive and dangerous weakness.

How to Identify Missing Authorisation Vulnerabilities

For Software Developers

1. Static Code Analysis: Use tools like SonarQube or Checkmarx to identify missing or improper access control in code.
2. Access Control Matrix: Define a matrix mapping roles to permissions and validate its implementation rigorously.
3. Test Cases for Negative Scenarios: Develop test cases where unauthorised users attempt to access restricted resources.

For Penetration Testers

1. Tampering with HTTP Requests: Manipulate parameters like user_id or account_number in APIs to identify unauthorised access vulnerabilities.
2. Role Manipulation Testing: Test if lower-privileged accounts can perform administrative actions.
3. Tools for Testing: Leverage tools such as OWASP ZAP or Burp Suite to analyse and exploit potential weaknesses.

Best Practices for Mitigating CWE-862

Implement Robust Access Controls

1. Role-Based Access Control (RBAC): Assign permissions based on user roles, ensuring minimal privilege principles.
2. Attribute-Based Access Control (ABAC): Incorporate context, such as location, time, or device, for granting access.
3. Policy Enforcement Points (PEPs): Centralise authorisation decisions using middleware or access control gateways.

Secure Development Practices

1. Shift Left Security: Integrate security into the early stages of the software development lifecycle (SDLC).
2. Secure Coding Standards: Adhere to standards such as OWASP Secure Coding Practices.
3. Regular Code Reviews: Conduct peer reviews focusing on access control implementations.

Continuous Monitoring and Auditing

1. Logging and Monitoring: Log all access attempts and monitor for anomalies.
2. Regular Audits: Conduct periodic audits of access control policies and their implementation.
3. Real-Time Alerts: Use SIEM tools to detect and respond to unauthorised access attempts promptly.

Frameworks and Tools for Authorisation

OAuth 2.0

Widely used for delegated access in APIs, OAuth 2.0 ensures that users only access resources they’ve been granted permission to.

Open Policy Agent (OPA)

OPA is an open-source policy engine enabling fine-grained authorisation in microservices architectures.

JWT (JSON Web Tokens)

JWTs are often used for stateless authorisation, carrying user claims securely between systems.

Future Trends and Challenges

AI-Powered Threats

Attackers are leveraging AI to exploit vulnerabilities faster. Counteracting this requires the adoption of AI-driven defence mechanisms.

Zero Trust Architecture

A shift towards Zero Trust, where no entity is inherently trusted, emphasises the need for stringent authorisation mechanisms at every layer.

Penetration Testing CWE-862: A Comprehensive Guide

Penetration testing for CWE-862 (Missing Authorisation) focuses on identifying gaps in authorisation controls that attackers could exploit to gain unauthorised access to sensitive data, perform restricted actions, or escalate privileges. This guide outlines a systematic approach for penetration testers to effectively uncover and assess CWE-862 vulnerabilities.

Understanding the Scope of CWE-862

Missing authorisation occurs when a system fails to validate whether an authenticated user has the necessary permissions to perform specific actions or access particular resources. Penetration testers must assess:

• Role-Based Access Control (RBAC): Validate if different user roles are restricted to their assigned permissions.
• Object-Level Authorisation: Check if access to resources (e.g., files, records, or APIs) is appropriately enforced.
• Horizontal Privilege Escalation: Determine if a user can access another user’s data at the same privilege level.
• Vertical Privilege Escalation: Test if a lower-privileged user can perform administrative actions.

Penetration Testing Methodology for CWE-862

1. Reconnaissance and Information Gathering

• Understand Application Functionality: Map out workflows, roles, and access requirements.
• Identify Entry Points: Determine endpoints, forms, or functionalities where authorisation checks might be applied.
• Gather User Roles and Permissions: Study the roles implemented and the associated permissions, including user roles, admin roles, and special privileges.

2. Test Case Design

Develop test cases tailored to the application’s context. Examples include:

• Access Restricted Resources: Attempt to access resources not meant for the current role or user.
• Tamper with Role Parameters: Modify parameters in API requests, such as user_id, role, or account_id.
• Simulate Privilege Escalation: Use a lower-privileged account to access administrative or sensitive functionalities.
• Check Missing Object Restrictions: Verify if unauthorised users can access or manipulate database objects or records.

3. Tools and Techniques

Penetration testers can leverage the following tools and techniques to uncover CWE-862 vulnerabilities:

Manual Testing Techniques

• Tamper Parameters in HTTP Requests:
  • Use tools like Burp Suite or OWASP ZAP to intercept and modify requests.
  • Check if changing a user_id or similar parameter grants access to another user’s resources.
• Test for Exposed APIs:
  • Directly interact with APIs and observe responses for unauthorised actions.
  • Look for endpoints with incomplete access control mechanisms.

Automated Tools

• Access Control Testing:
  • Use scanners like Acunetix, Netsparker, or OWASP ZAP to identify missing authorisation checks.
• Static Application Security Testing (SAST):
  • Tools like Checkmarx, SonarQube, or Fortify can identify authorisation issues in the code.
• Dynamic Application Security Testing (DAST):
  • Tools like AppScan or Veracode simulate real-world attacks to detect CWE-862 vulnerabilities.

4. Practical Examples

Horizontal Privilege Escalation Test:

• Scenario: A user with access to their own account data attempts to access another user’s data.
• Test: Modify the user_id parameter in API requests or URL paths.
• Result: If data belonging to another user is accessible, the application lacks proper authorisation checks.

Vertical Privilege Escalation Test:

• Scenario: A regular user tries to perform administrative actions, such as deleting another user or modifying sensitive configurations.
• Test: Submit requests for admin-only functionalities and observe the server’s response.
• Result: If admin functionalities are accessible, the application is vulnerable to privilege escalation.

Missing Object Authorisation Test:

• Scenario: A user tries to access a file, record, or object that should be restricted.
• Test: Enumerate object IDs and attempt to retrieve or modify objects without sufficient permissions.
• Result: If objects not owned by the user are accessible, authorisation is improperly enforced.

5. Reporting CWE-862 Findings

Penetration testers must provide actionable reports detailing the vulnerabilities discovered, their potential impacts, and remediation strategies. A standard report includes:

• Issue Description: Detail the missing authorisation flaw.
• Steps to Reproduce: Provide a step-by-step guide for reproducing the vulnerability.
• Risk Assessment: Include a risk score using frameworks like OWASP Risk Rating or CVSS.
• Remediation Recommendations: Suggest fixes such as implementing proper role-based access control, policy enforcement, or logging mechanisms.

Remediation Recommendations for CWE-862

For Developers

1. Implement Role-Based Access Control (RBAC):
   • Ensure every role has predefined permissions, and these permissions are strictly enforced.
2. Object-Level Authorisation:
   • Validate access to resources on a per-user basis, ensuring ownership or permissions align with the access attempt.
3. Centralised Policy Management:
   • Use frameworks like Open Policy Agent (OPA) or libraries in your language of choice to enforce consistent authorisation policies.

For Organisations

1. Conduct Regular Audits:
   • Periodically review access control mechanisms for potential gaps.
2. Invest in Secure Development Training:
   • Train developers on the importance of authentication and authorisation in secure coding practices.
3. Use Penetration Testing Services:
   • Engage professional penetration testers regularly to assess and address vulnerabilities proactively.

CWE-862 vulnerabilities can have severe consequences, including data breaches, financial loss, and reputational damage. For penetration testers, uncovering these vulnerabilities requires a combination of manual exploration, automated tools, and a deep understanding of the target application. By prioritising thorough testing, effective reporting, and collaborative remediation, organisations can significantly reduce the risks posed by missing authorisation weaknesses.

Final Thoughts

CWE-862—Missing Authorisation—is a formidable challenge for software developers and penetration testers. Its ramifications extend beyond technical domains, affecting business credibility, compliance, and financial stability. By adopting best practices, leveraging modern tools, and fostering a culture of security, organisations can mitigate the risks posed by this weakness.

Investing in robust authorisation mechanisms is not merely a technical necessity; it is a strategic imperative to safeguard digital assets in an increasingly interconnected world.