Often, restrictions on what an authenticated user is allowed to do are either missing or improperly implemented.
An attacker can exploit these weaknesses to reach functionality and data they are not entitled to.
For example, it might be possible to access other users' accounts, view confidential files, modify other users' data, or even change their access rights.
| OWASP Top 10 Application Security Risks - 2017 | Reference |
|---|---|
| A5:2017-Broken Access Control | OWASP |
Once the user has been identified, the application's authorization decisions must follow its business logic and the need-to-know principle.
Every single action must consider:
1. the calling user;
2. the accessed data;
3. the type of operation.
It is important to consider not only the user's role but also whether the user owns the data and, secondly, the type of action performed on the data.

Francesco Ongaro
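The three-part check above, as an added example that is not part of the original text: a weak handler that verifies only that the caller is logged in, beside a hardened one that decides each action from the calling user, the ownership of the accessed record and the operation type, denying anything it does not explicitly allow. Users, roles, records and operation names are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: int
    role: str            # "user" or "admin" (constructed roles)

@dataclass(frozen=True)
class Record:
    id: int
    owner_id: int
    data: str

# Constructed sample users and records
USERS = {1: User(1, "user"), 2: User(2, "user"), 9: User(9, "admin")}
RECORDS = {
    10: Record(10, owner_id=1, data="alice-private"),
    11: Record(11, owner_id=2, data="bob-private"),
}

def read_record_broken(user_id: int, record_id: int):
    """The weak pattern: authentication only. Any logged-in user can read
    any record simply by supplying another record_id."""
    if user_id not in USERS:
        return None
    return RECORDS[record_id].data

def is_authorized(user: User, record: Record, op: str) -> bool:
    """Decide per action from (1) the calling user, (2) the accessed
    data's ownership and (3) the type of operation. Deny by default."""
    if op == "read":
        return user.id == record.owner_id or user.role == "admin"
    if op == "update":
        return user.id == record.owner_id      # admins do not edit user content
    if op == "change_owner":
        return user.role == "admin"            # only admins reassign access rights
    return False                               # unknown operation: denied

def perform(user_id: int, record_id: int, op: str):
    """Hardened entry point: returns the data on success, None on denial.
    A missing record is treated exactly like a denied one, so the caller
    cannot tell which ids exist."""
    user = USERS.get(user_id)
    record = RECORDS.get(record_id)
    if user is None or record is None or not is_authorized(user, record, op):
        return None
    return record.data
```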