Authorization & Access Control

Tags: Authorization, AuthZ, Access Control

Authorization & Access Control vulnerabilities at a glance

What it is: Flaws that let users act outside their permissions, letting them read, update, or delete resources they shouldn't.
Why it happens: Typically these vulnerabilities occur because there aren't correct access limitations on certain resources, or because an attacker can manipulate their role in some way.
How to fix: Specific fixes will depend on the exact vulnerability, but generally you should closely control and restrict access to sensitive sections of a system.

Overview

Authorization ensures users can access only the data and actions allowed by their role or identity. When access is not correctly controlled, users can reach resources that were never intended for them.

A correct design reads identity from a verified session or token, scopes ORM queries to that identity, and enforces access consistently at a shared policy layer.

```mermaid
sequenceDiagram
    participant Browser
    participant App as App Server
    participant DB
    Browser->>App: GET /invoices/<victim_id>
    App->>DB: SELECT * FROM invoices WHERE id=<victim_id>
    DB-->>App: Victim record
    App-->>Browser: 200 OK (victim data)
    Note over App: Missing: Scope by current_user
```
A potential flow for an Authorization & Access Control exploit

Where it occurs

Common root causes include unscoped ORM queries, unprotected routes missing auth middleware, insufficient validation in resource fetches, and misuse of user identifiers taken from request bodies.

Impact

Authorization failures lead to data exposure across users or tenants, potential privilege escalation (horizontal or vertical), and financial loss or compliance violations.

Prevention

The exact prevention method will vary for each vulnerability, but generally you need to establish who the user is from a verified identity and correctly scope their permissions to each resource.
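The following is an added example, not code from the original page or from Sourcery, that puts the design described in the Overview and the root causes listed under "Where it occurs" side by side. It keeps the unscoped `SELECT ... WHERE id=<victim_id>` handler from the sequence diagram and a handler that trusts a `user_id` from the request body, then shows the hardened shape: identity read from a server-side session, the query scoped to that identity, and a single shared policy function that every handler calls. The invoices, sessions, user ids and session tokens are constructed sample data, and the in-memory dictionaries stand in for ORM-backed tables; none of it is a real schema.

```python
from dataclasses import dataclass
from typing import Dict, List


class Forbidden(Exception):
    """Raised when the policy layer denies an action."""


class NotFound(Exception):
    """Raised for rows outside the caller's scope (existence is not revealed)."""


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "customer" or "admin"; set server-side, never taken from the request


# Constructed sample data standing in for ORM-backed tables (assumption: not a real schema).
INVOICES: Dict[int, dict] = {
    1: {"id": 1, "owner_id": 100, "amount": 250.00},
    2: {"id": 2, "owner_id": 200, "amount": 999.99},
}
SESSIONS: Dict[str, User] = {  # server-side session store: token -> verified identity
    "sess-alice": User(id=100, role="customer"),
    "sess-bob": User(id=200, role="customer"),
    "sess-admin": User(id=1, role="admin"),
}


def current_user(session_token: str) -> User:
    """Identity is read from the verified session, not from any request field."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise Forbidden("no valid session")
    return user


# --- Vulnerable handlers: mirror the sequence diagram and the request-body root cause ---
def get_invoice_unscoped(invoice_id: int) -> dict:
    # Equivalent of SELECT * FROM invoices WHERE id=<invoice_id>. Nothing ties the row to
    # the caller, so any authenticated user can read any invoice by supplying its id.
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound()
    return invoice


def update_invoice_from_body(body: dict) -> dict:
    # Vulnerable: the acting identity is whatever user_id the client put in the body,
    # so the ownership check compares the row against a value the attacker controls.
    invoice = get_invoice_unscoped(body["invoice_id"])
    if invoice["owner_id"] != body["user_id"]:
        raise Forbidden("not owner")
    invoice["amount"] = body["amount"]
    return invoice


# --- Shared policy layer: one place that decides, called by every handler ---
def visible_invoices(user: User) -> List[dict]:
    """Scope the query to the identity (WHERE owner_id = ? unless the role is admin)."""
    if user.role == "admin":
        return list(INVOICES.values())
    return [inv for inv in INVOICES.values() if inv["owner_id"] == user.id]


def authorize(user: User, action: str, invoice: dict) -> None:
    """Per-action policy; raise rather than return False so a forgotten check fails closed."""
    if user.role == "admin":
        return
    if action in ("read", "update") and invoice["owner_id"] == user.id:
        return
    raise Forbidden(f"user {user.id} may not {action} invoice {invoice['id']}")


def fetch_scoped(user: User, invoice_id: int) -> dict:
    for inv in visible_invoices(user):
        if inv["id"] == invoice_id:
            return inv
    raise NotFound()  # same response for "not yours" and "does not exist"


# --- Hardened handlers: identity from session, query scoped, policy enforced ---
def get_invoice(session_token: str, invoice_id: int) -> dict:
    user = current_user(session_token)
    invoice = fetch_scoped(user, invoice_id)
    authorize(user, "read", invoice)
    return invoice


def update_invoice(session_token: str, invoice_id: int, amount: float) -> dict:
    user = current_user(session_token)
    invoice = fetch_scoped(user, invoice_id)
    authorize(user, "update", invoice)
    invoice["amount"] = amount
    return invoice
```

In the hardened path the scoped fetch and the `authorize` call look redundant for a plain read, and that is deliberate: the scoped query stops cross-user rows from ever being loaded, while the policy function is the one place to add finer rules (for example, read-only roles) without touching each route. Returning `NotFound` for rows outside the caller's scope also avoids confirming to a caller that another user's invoice id exists.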

Specific Vulnerabilities

Explore specific vulnerability types within this category:

Detect These Vulnerabilities in Your Code

Sourcery automatically identifies authorization & access control and related vulnerabilities in your codebase.
