Missing Function Level Access Control
What is the vulnerability?
Web applications typically show a user only the functionality they need and have the rights to use. For example, if someone works in a hospital but doesn't have the rights to view health records, that functionality is not presented to them in the UI. But what if a link to those records was known to them? Or what if the function that shows health records was present in the web page code delivered to their browser, just hidden from the UI? A user could craft the URL that invokes the health records function if they know how, or read the HTML and JavaScript of the page to see how the function is called. If they can do this and reach parts of the application they shouldn't, then this is a case of Missing Function Level Access Control.
Another possibility to consider is whether a user of a web application can browse directly to a resource that exposes functionality they shouldn't see. For example, changing the user ID number in a URL to reach a colleague's settings page, or changing it to an admin user ID to reach privileged admin functions. If you have been reading our previous OWASP posts you might be wondering how this vulnerability differs from an Insecure Direct Object Reference vulnerability. The latter provides direct unauthorised access to data and information, whereas a Missing Function Level Access Control vulnerability provides unauthorised access to functionality in a web application. Note the subtle difference between these. In most situations the outcome will be the same: both provide unauthorised access to data or information that shouldn't be shown, often leading to the same consequences, such as identity theft of users whose information is exposed and financial loss to both users and the organisation. The organisation that failed to protect the information can also experience reputational damage, financial penalties, contractual disadvantages and a loss of trust in their brand and messaging.
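The following is an added example, not code from the original post: a minimal Python request dispatcher for the hospital scenario above, shown once in the vulnerable form (the server only checks that someone is logged in and relies on the UI hiding links) and once in the hardened form (every request is checked against a server-side table of which roles may invoke each function, and per-user pages are additionally checked for ownership). The users, roles, paths and responses are constructed for illustration and do not come from any real application.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


# Constructed sample users for a fictional hospital application.
@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # one of "clerk", "doctor", "admin"


USERS = {
    7: User(7, "clerk"),
    12: User(12, "doctor"),
    1: User(1, "admin"),
}

Response = Tuple[int, str]
Handler = Callable[[User, Optional[int]], Response]

# The application functions themselves. They contain no access checks of
# their own; enforcement belongs in the dispatcher, before a handler runs.
HANDLERS: Dict[str, Handler] = {
    "/records/view": lambda user, target: (200, "health records"),
    "/admin/users": lambda user, target: (200, "admin user list"),
    "/settings": lambda user, target: (200, f"settings for user {target}"),
}

# Server-side statement of which roles may invoke each function. Anything
# not listed here is unreachable (deny by default).
ROUTE_PERMISSIONS: Dict[str, frozenset] = {
    "/records/view": frozenset({"doctor", "admin"}),
    "/admin/users": frozenset({"admin"}),
    "/settings": frozenset({"clerk", "doctor", "admin"}),  # plus ownership check
}

SETTINGS_PATTERN = re.compile(r"^/settings/(\d+)$")


def normalise(path: str) -> Tuple[str, Optional[int]]:
    """Split "/settings/42" into ("/settings", 42); other paths pass through."""
    match = SETTINGS_PATTERN.match(path)
    if match:
        return "/settings", int(match.group(1))
    return path, None


def handle_insecure(user: Optional[User], path: str) -> Response:
    """Vulnerable: checks only that *someone* is logged in, then dispatches on
    the path. The UI hides links the user should not see, but nothing stops a
    user from typing /records/view or /settings/12 into the address bar."""
    if user is None:
        return 401, "login required"
    route, target = normalise(path)
    handler = HANDLERS.get(route)
    if handler is None:
        return 404, "not found"
    return handler(user, target)


def handle_secure(user: Optional[User], path: str) -> Response:
    """Hardened: the role check runs on the server for every request, before
    any function executes, and per-user resources are checked for ownership.
    Hiding a link in the UI is no longer the only thing protecting a function."""
    if user is None:
        return 401, "login required"
    route, target = normalise(path)
    allowed = ROUTE_PERMISSIONS.get(route)
    if allowed is None:
        return 404, "not found"
    if user.role not in allowed:
        return 403, "forbidden"
    # Function-level check passed; now the object-level (ownership) check for
    # pages addressed by a user ID, so a clerk cannot open a colleague's page.
    if route == "/settings" and target != user.user_id and user.role != "admin":
        return 403, "forbidden"
    return HANDLERS[route](user, target)


if __name__ == "__main__":
    clerk = USERS[7]
    for path in ("/records/view", "/admin/users", "/settings/7", "/settings/12"):
        print(path, "insecure:", handle_insecure(clerk, path),
              "secure:", handle_secure(clerk, path))
```

Run as a script, the output shows the clerk reaching health records, the admin user list and another user's settings through the insecure dispatcher, and being refused by the secure one while still reaching their own settings page. The point to carry over to a real framework is that the permission table and the ownership check live on the server, in front of every function, and deny anything that is not explicitly allowed.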
How to protect against Missing Function Level Access Control vulnerabilities
All of the advice given in the previous Insecure Direct Object Reference post also applies when protecting against Missing Function Level Access Control vulnerabilities. In addition to that advice, the points in the list below should be considered to help protect against this type of vulnerability.