Category: OWASP Top Ten 2017 Category A5 - Broken Access Control
Incomplete
Summary
Weaknesses in this category are related to the A5 category in the OWASP Top Ten 2017.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | This vulnerability occurs when an application builds a file path using user input but fails to properly validate it, allowing an attacker to break out of the intended directory and access files or folders anywhere on the server. |
| CWE-284 | Improper Access Control | The software fails to properly limit who can access a resource, allowing unauthorized users or systems to interact with it. |
| CWE-285 | Improper Authorization | This vulnerability occurs when an application fails to properly verify whether a user has permission to access specific data or perform certain actions before allowing the request. |
| CWE-425 | Direct Request ('Forced Browsing') | This vulnerability occurs when a web application fails to verify user permissions for every protected page, file, or API endpoint, allowing attackers to access them directly. |
| CWE-639 | Authorization Bypass Through User-Controlled Key | This vulnerability occurs when an application's authorization system fails to verify that a user is allowed to access specific data before retrieving it, allowing an attacker to access another user's information by manipulating an identifier they control. |
| CWE-1026 | Weaknesses in OWASP Top Ten (2017) | CWE nodes in this view (graph) are associated with the OWASP Top Ten, as released in 2017. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.