
CWE-285 Individual Dictionary Definition (Draft 9)

Missing or Inconsistent Access Control
Weakness ID: 285 (Weakness Base)
Status: Draft

Description

Summary

The software does not perform access control checks in a consistent manner across all potential execution paths.

Potential Mitigations

For web applications, enforce the access control mechanism on the server side on every page; do not rely on the client (hidden links, disabled buttons, or navigation that only admins are shown) to keep users away from a page. A user must not be able to obtain information they are not authorized for simply by requesting that page's URL directly. Ensure that pages containing sensitive information are not cached, and that every such page only serves requests accompanied by an active, authenticated session token whose associated user holds the permissions required for that page.

Context Notes

For web applications, attackers can issue a request directly to a page (URL) that they may not be authorized to access. If the access control policy is not consistently enforced on every page restricted to authorized users, then an attacker could gain access to and possibly corrupt these resources.
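The following is an added illustration of the weakness described in the Context Notes and of the mitigation above; it is not code from the CWE entry. It models a small web application in process rather than over HTTP: one layout leaves each page handler to do its own check, so a page whose author relied on the UI hiding the link can be reached by forceful browsing, while the hardened layout authenticates and authorizes every request in one mediator before dispatching, fails closed for any path without a policy entry, and marks sensitive responses as not cacheable. Route names, roles, session tokens and the user directory are all constructed for the example.

```python
"""Added example for CWE-285 (not from the CWE entry): inconsistent per-page
checks beside a single mediator that checks every request. All names and
data below are constructed for illustration."""

# Constructed session store: token -> authenticated principal.
SESSIONS = {
    "tok-alice": {"user": "alice", "role": "user"},
    "tok-root": {"user": "root", "role": "admin"},
}

# Constructed data that the admin pages expose.
USER_DIRECTORY = ["alice", "bob", "root"]


def principal_for(token):
    """Resolve a session token to its principal, or None if missing/unknown."""
    return SESSIONS.get(token)


# --- Vulnerable layout: each handler does (or forgets) its own check ---------

def vuln_admin_users(token):
    # The admin link is only rendered for admins, so the author assumed only
    # admins arrive here and skipped the server-side check. Requesting the
    # URL directly (forceful browsing) bypasses that assumption.
    return 200, {}, USER_DIRECTORY


def vuln_admin_delete(token, target):
    # This sibling page does check: the policy is enforced inconsistently.
    principal = principal_for(token)
    if principal is None:
        return 401, {}, "login required"
    if principal["role"] != "admin":
        return 403, {}, "forbidden"
    return 200, {}, f"deleted {target}"


VULN_ROUTES = {"/admin/users": vuln_admin_users, "/admin/delete": vuln_admin_delete}


def vuln_request(path, token=None, **args):
    handler = VULN_ROUTES.get(path)
    if handler is None:
        return 404, {}, "not found"
    return handler(token, **args)


# --- Hardened layout: one mediator checks every request before dispatch -----

# Declarative policy: path -> minimum role. A page without an entry is denied,
# so a newly added page fails closed instead of open.
POLICY = {
    "/admin/users": "admin",
    "/admin/delete": "admin",
    "/profile": "user",
}

# Role ordering so an admin also satisfies a "user" requirement.
ROLE_RANK = {"user": 1, "admin": 2}


def safe_admin_users(principal):
    return USER_DIRECTORY


def safe_admin_delete(principal, target):
    return f"deleted {target}"


def safe_profile(principal):
    return f"profile of {principal['user']}"


SAFE_ROUTES = {
    "/admin/users": safe_admin_users,
    "/admin/delete": safe_admin_delete,
    "/profile": safe_profile,
}


def safe_request(path, token=None, **args):
    """Complete mediation: authenticate, authorize, then dispatch.

    Handlers never see the token; they only run after the mediator has
    accepted the request, so no page can forget its own check."""
    handler = SAFE_ROUTES.get(path)
    if handler is None:
        return 404, {}, "not found"
    required = POLICY.get(path)
    if required is None:
        return 403, {}, "no policy for path"  # fail closed
    principal = principal_for(token)
    if principal is None:
        return 401, {}, "login required"
    if ROLE_RANK[principal["role"]] < ROLE_RANK[required]:
        return 403, {}, "forbidden"
    # Sensitive pages must not be stored by browser or proxy caches.
    headers = {"Cache-Control": "no-store"}
    return 200, headers, handler(principal, **args)
```

Running `vuln_request("/admin/users")` with no token returns the full user directory, while `safe_request("/admin/users")` returns 401 without a session and 403 for a non-admin session; only an admin token reaches the handler, and the response carries `Cache-Control: no-store`. The design point is that the check lives in exactly one place that every execution path passes through, which is what the ParentOf relationship to "Not Using Complete Mediation" refers to.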

Relationships

Nature     Type            ID   Name
ChildOf    Weakness Class  284  Access Control Issues
ChildOf    View            629
ParentOf   Weakness Class  638  Design Principle Violation: Not Using Complete Mediation
Source Taxonomies

7 Pernicious Kingdoms - Missing Access Control

Applicable Platforms

All

Related Attack Patterns

CAPEC-ID  Attack Pattern Name
1         Accessing Functionality Not Properly Constrained by ACLs
13        Subverting Environment Variable Values
60        Reusing Session IDs (aka Session Replay)
51        Poison Web Service Registry
17        Accessing, Modifying or Executing Executable Files
45        Buffer Overflow via Symbolic Links
39        Manipulating Opaque Client-based Data Tokens
76        Manipulating Input to File System Calls
77        Manipulating User-Controlled Variables
59        Session Credential Falsification through Prediction
87        Forceful Browsing
Page Last Updated: April 22, 2008