Access Control Issue - Improper Authorization
ID: access_control_issue_improper_authorization
Severity: critical
Kind: Access Control
CWE: 285 (Improper Authorization)
Description
Insufficient authorization results when an application does not perform adequate authorization checks to ensure that the user is performing a function or accessing data in a manner consistent with the security policy. Authorization procedures should enforce what a user, service or application is permitted to do. Authenticating a user to a web site does not mean that the user should have access to all of its content and functionality: authentication establishes who the caller is, authorization decides what that caller may do.
Insufficient Function Authorization:
Many applications grant different application functionality to different users. A news site allows users to view news stories, but not publish them. An accounting system will have different permissions for an Accounts Payable clerk and an Accounts Receivable clerk. Insufficient function authorization happens when an application does not prevent users from invoking application functionality in violation of security policy.
A very visible example was the 2005 hack of the Harvard Business School's online application process. An authorization failure allowed applicants to view their own data at a time when they should not have been allowed to access that part of the web site.
Insufficient Data Authorization:
Many applications expose underlying data identifiers in a URL. For example, when accessing a medical record on a system one might have a URL such as:
If the application does not check that the authenticated user has read rights to that particular record, rather than merely checking that the user is logged in, it will display data that the user should not see.
Insufficient Data Authorization is more common than Insufficient Function Authorization because programmers generally have complete knowledge of application functionality, but do not always have a complete mapping of all data that the application will access. Programmers often have tight control over function authorization mechanisms, but rely on other systems such as databases to perform data authorization.
Rationale
Improper authorization allows authenticated users to access functions or data beyond their permitted privileges. Attackers exploit this by manipulating URL parameters, resource identifiers, or API endpoints to access other users' data or elevated functionality. Function-level attacks involve accessing administrative or privileged features by directly navigating to their URLs. Data-level attacks modify identifiers in requests to retrieve unauthorized records, as authorization checks fail to verify ownership or access rights. This enables horizontal privilege escalation (accessing peer data) and vertical escalation (accessing higher-privilege functions).
Remediation
Implement authorization checks on every request that accesses functions or data, and perform them on the server side; hiding links or buttons in the user interface is not a control. Enforce the principle of least privilege by granting users only the minimum permissions required for their role. Use a centralized authorization mechanism that verifies user permissions against security policies before allowing access, and deny by default when no policy matches. For data access, validate that the authenticated user has rights to the specific resource being requested, not just authentication status. Implement proper trust zone separation and compartmentalization to enforce privilege boundaries throughout the system architecture.
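The following is an added example, not code from the original page or from any product it describes. It shows the data-authorization failure from the medical-record scenario above beside the centralized, deny-by-default check the remediation calls for, and uses the same policy table for a function-level decision (publishing a news story). The users, records, role names and action names are constructed for illustration.

```python
"""Added example: one centralized authorization check covering both
function-level (may this role call this operation?) and data-level
(may this user see this specific record?) decisions.
All users, records, roles and action names below are constructed
for illustration and are not taken from any real system."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional


@dataclass(frozen=True)
class User:
    id: int
    roles: FrozenSet[str]


@dataclass(frozen=True)
class MedicalRecord:
    id: int
    patient_id: int
    body: str


class Unauthenticated(Exception):
    """No valid session: the caller must log in first (HTTP 401)."""


class Forbidden(Exception):
    """Authenticated, but the policy denies this action (HTTP 403)."""


class NotFound(Exception):
    """Resource does not exist (HTTP 404)."""


# Constructed sample data (assumption, not from the original page).
USERS: Dict[int, User] = {
    1: User(1, frozenset({"patient"})),
    2: User(2, frozenset({"patient"})),
    3: User(3, frozenset({"physician"})),
    4: User(4, frozenset({"editor"})),
}
RECORDS: Dict[int, MedicalRecord] = {
    10: MedicalRecord(10, patient_id=1, body="patient 1: allergy list"),
    11: MedicalRecord(11, patient_id=2, body="patient 2: lab results"),
}


# --- Vulnerable handler: being logged in is treated as being authorized. ---
def get_record_vulnerable(session_user: Optional[User], record_id: int) -> str:
    if session_user is None:
        raise Unauthenticated()
    # Any authenticated user can read any record just by changing record_id.
    return RECORDS[record_id].body


# --- Hardened handlers: every request goes through one policy table. --------
# A rule answers "may this user perform this action on this resource?".
# Data-level rules inspect the resource; function-level rules use only roles.
Rule = Callable[[User, object], bool]
POLICY: Dict[str, Rule] = {
    "record:read": lambda u, rec: rec.patient_id == u.id or "physician" in u.roles,
    "record:write": lambda u, rec: "physician" in u.roles,
    "news:publish": lambda u, _: "editor" in u.roles,
}


def authorize(user: Optional[User], action: str, resource: object = None) -> None:
    """Single choke point for all authorization decisions.
    Unknown actions are denied, so a forgotten policy entry fails closed."""
    if user is None:
        raise Unauthenticated()
    rule = POLICY.get(action)
    if rule is None or not rule(user, resource):
        raise Forbidden(f"user {user.id} may not {action}")


def is_allowed(user: Optional[User], action: str, resource: object = None) -> bool:
    """Boolean form of authorize(), convenient for templates and tests."""
    try:
        authorize(user, action, resource)
        return True
    except (Unauthenticated, Forbidden):
        return False


def get_record(session_user: Optional[User], record_id: int) -> str:
    rec = RECORDS.get(record_id)
    if rec is None:
        raise NotFound(record_id)
    authorize(session_user, "record:read", rec)   # ownership or role checked here
    return rec.body


def publish_story(session_user: Optional[User], title: str) -> str:
    authorize(session_user, "news:publish")        # function-level check only
    return f"published: {title}"


if __name__ == "__main__":
    alice = USERS[1]
    print("vulnerable handler leaks:", get_record_vulnerable(alice, 11))
    try:
        get_record(alice, 11)
    except Forbidden as exc:
        print("hardened handler blocks:", exc)
```

Two design points are worth noting. The resource is loaded first and then passed to the policy, so the ownership rule can look at the record itself rather than trusting anything in the request; and `authorize` fails closed on actions that have no policy entry, which is what catches the handler someone adds later and forgets to cover. Note that distinguishing 404 from 403 lets a caller confirm which record IDs exist; where that matters (sequential identifiers, sensitive data), many applications return the same not-found response for both cases.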