The next vulnerability to look at from the OWASP Top 10 List of Web Vulnerabilities is #7, Missing Function Level Access Control. This vulnerability is easy to understand, but is important to acknowledge because of its abundance in web applications. At Clearent, we have always paid close attention to function level access control because it is a critical element of the reporting and administration of our payments platform.
Applications with missing function level access control let an end user simply enter a given URL, or call a function directly, that should not be exposed to them, and thereby reach data or functionality that was never explicitly assigned to them. Sometimes this vulnerability shows up as data or application navigation becoming visible to a user who shouldn’t see it, but more often it shows up as the absence of a security check on the individual function calls themselves: hiding a link in the navigation is not a control if the underlying function still runs for anyone who requests it. One of the easiest ways to test for this vulnerability is to log into the application as a user with restricted privileges, then type in the URL of a resource that requires more privilege and see what happens. If the restricted resource is returned, the application has this vulnerability. If not, the application is most likely doing the right thing.
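To make the distinction concrete, here is an added example (not code from the original post or from Clearent’s platform) in plain Python with no web framework: a vulnerable route table that relies on the admin link being hidden, beside a hardened one where the role check sits on the function itself. The user names, roles and URL paths are constructed for the example; `handle_request` plays the part of a logged-in user typing a URL directly, as in the test described above.

```python
from functools import wraps

# Constructed sample accounts; the role names are an assumption for this example.
USERS = {"alice": {"user"}, "bob": {"user", "admin"}}

class Forbidden(Exception):
    """Raised when the caller lacks the role a function requires."""

def require_role(role):
    """Put the authorization check on the function itself, so it runs no matter
    how the function is reached (UI link, typed URL, or direct call)."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(username, *args, **kwargs):
            if role not in USERS.get(username, set()):
                raise Forbidden(f"{username} lacks role '{role}' for {fn.__name__}")
            return fn(username, *args, **kwargs)
        return wrapper
    return decorator

def own_report(username):
    return f"report for {username}"

def list_users_unchecked(username):
    # Vulnerable: relies on the admin link being hidden from non-admins.
    return sorted(USERS)

@require_role("admin")
def list_users(username):
    # Hardened: same function, but the check is enforced on every call.
    return sorted(USERS)

VULNERABLE_ROUTES = {"/reports/mine": own_report, "/admin/users": list_users_unchecked}
HARDENED_ROUTES = {"/reports/mine": own_report, "/admin/users": list_users}

def navigation_for(username):
    """Links the UI would render. Hiding a link is not an access control."""
    return ["/reports/mine"] + (["/admin/users"] if "admin" in USERS[username] else [])

def handle_request(routes, username, path):
    """Simulates a logged-in user requesting a URL directly and returns
    (status, body) in the shape of an HTTP response."""
    handler = routes.get(path)
    if handler is None:
        return 404, "not found"
    try:
        return 200, handler(username)
    except Forbidden as exc:
        return 403, str(exc)
```

With the vulnerable table, the restricted user alice never sees the admin link yet gets a 200 and the full user list by requesting `/admin/users` directly; with the hardened table the same request gets a 403, which is the outcome the manual test above is looking for.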