role-based access control Archives

Ensuring Trust Through Correct Authorisation: A Comprehensive Examination of CWE-863

23 March 202523 March 2025 by Krishna

CWE-863: Incorrect Authorisation occurs when an application fails to enforce correct authorisation measures, allowing unauthorised users or processes to access resources, perform operations, or retrieve data that should be off-limits. It is sometimes conflated with authentication flaws, but the essence of CWE-863 lies in improper or missing checks that would otherwise confirm if a user has the necessary permissions to perform a specific action.
From a technical standpoint, one might imagine an application employing robust identity verification (authentication) only to overlook critical checks about what a user is allowed to do once logged in (authorisation). This oversight can be the gateway to data leaks, privilege escalation, or even sabotage of core business processes.

2024 CWE Top 25 Most Dangerous Software Weaknesses: Improper Privilege Management (CWE-269)

20 March 2025 by Krishna

Improper Privilege Management, as classified under CWE-269, occurs when a software application improperly manages or enforces access control policies, allowing unauthorised users to perform restricted actions. This weakness can lead to severe consequences, such as data breaches, privilege escalation, and compromise of system integrity.

2024 CWE Top 25 Most Dangerous Software Weaknesses: Improper Authentication (CWE-287)

19 March 2025 by Krishna

Improper Authentication occurs when a software application fails to properly verify the identity of a user or system attempting to gain access. This weakness enables unauthorised entities to bypass security measures and gain access to sensitive data or system functionalities.

2024 CWE Top 25 Most Dangerous Software Weaknesses: Missing Authorisation (CWE-862)

14 March 2025 by Krishna

Missing Authorisation, identified by CWE-862, refers to a software weakness where an application fails to verify if a user is permitted to access specific resources or perform certain actions. While authentication establishes identity, authorisation ensures that the authenticated user has the necessary permissions. When authorisation is missing, attackers can exploit this oversight to access sensitive data, perform unauthorised transactions, or disrupt services.

OWASP Top 10 API Security Risks – 2023: API6:2023 – Unrestricted Access to Sensitive Business Flows

17 February 202517 February 2025 by Krishna

APIs enable various business flows, such as purchasing tickets, booking reservations, or posting comments. However, these flows can become liabilities if they are exposed without sufficient protections. *Unrestricted Access to Sensitive Business Flows* refers to a scenario where APIs fail to:

1. Limit access to sensitive operations.
2. Implement controls to prevent abuse, particularly by automated systems (e.g., bots).
3. Consider the broader business implications of such unrestricted access.

For instance, an API for purchasing event tickets might allow unlimited purchases by the same user or bot, leading to scalping and significant financial losses for legitimate customers.