The UI Performs the Wrong Action

Status: Incomplete
Abstraction: Base
Structure: Simple
Description

This vulnerability occurs when a user interface (UI) element or command performs a different, unintended action than what the user requested, potentially leading to security bypass, data corruption, or unexpected system behavior.

Extended Description

At its core, this flaw is a mismatch between user intent and system execution. A user clicks a button, selects a menu option, or submits a form expecting a specific outcome, but the underlying code triggers a completely different, and often more privileged or dangerous, action. This can happen due to incorrect event handlers, misconfigured UI components, or logic errors that misinterpret user input. The result isn't just a bug; it's a potential security gateway where a seemingly benign action (like 'view profile') could secretly perform an administrative function (like 'delete user').

For developers, prevention starts with rigorous UI/function mapping and code reviews. Ensure every UI control explicitly and exclusively calls its intended backend function. Implement strong input validation and context checks *before* executing any action, not just for the data but for the action's intent itself. Automated testing should include verifying that UI actions produce the correct server-side events under all user permission levels. Treat the UI not just as a presentation layer, but as a critical security boundary where user requests must be accurately translated and authorized.
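The following is an added example, not code from the CWE entry: a small Python dispatcher that contrasts a mis-wired UI-action table (the "view profile" control silently calls the delete handler, with no authorization in front of it) against an explicit table that binds each UI action to exactly one handler plus a minimum role, and a check that runs every action under every role and compares the server-side event that results. All names here (Role, Context, ACTIONS, dispatch, verify_mapping) and the two sample users are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Role(IntEnum):
    VIEWER = 1
    ADMIN = 2


@dataclass
class Context:
    """Per-request state: the acting user's role, a toy user store and the
    server-side event log that the verification step inspects."""
    role: Role
    users: dict = field(default_factory=lambda: {"alice": "Alice", "bob": "Bob"})
    events: list = field(default_factory=list)


def view_profile(ctx, target):
    ctx.events.append(("profile_viewed", target))
    return ctx.users.get(target)


def delete_user(ctx, target):
    ctx.users.pop(target, None)
    ctx.events.append(("user_deleted", target))
    return True


# Weak wiring (the weakness): the "View" control's entry was copied from the
# "Delete" control and still points at delete_user, and nothing checks the
# caller's role before the handler runs.
MISWIRED = {"view_profile": delete_user, "delete_user": delete_user}


def dispatch_miswired(ctx, action, target):
    return MISWIRED[action](ctx, target)


# Hardened wiring: one explicit entry per UI control, naming the only handler
# it may invoke and the minimum role required to invoke it.
ACTIONS = {
    "view_profile": (view_profile, Role.VIEWER),
    "delete_user": (delete_user, Role.ADMIN),
}


def dispatch(ctx, action, target):
    # Validate the action's intent (is it a known control?) and its data
    # (is the target well-formed?) before anything executes.
    if action not in ACTIONS:
        raise ValueError(f"unknown UI action: {action!r}")
    if not isinstance(target, str) or not target.isidentifier():
        raise ValueError("invalid target")
    handler, min_role = ACTIONS[action]
    if ctx.role < min_role:
        ctx.events.append(("denied", action, target))
        raise PermissionError(f"{action} requires {min_role.name}")
    return handler(ctx, target)


# The specification the UI must meet: which server-side event each control
# must produce for each permission level.
EXPECTED = {
    ("view_profile", Role.VIEWER): "profile_viewed",
    ("view_profile", Role.ADMIN): "profile_viewed",
    ("delete_user", Role.VIEWER): "denied",
    ("delete_user", Role.ADMIN): "user_deleted",
}


def verify_mapping(dispatcher):
    """Run every UI action under every role through `dispatcher` and return a
    list of (action, role, observed_event) tuples that deviate from EXPECTED.
    An empty list means every control does what the user asked for."""
    mismatches = []
    for (action, role), expected in EXPECTED.items():
        ctx = Context(role=role)
        try:
            dispatcher(ctx, action, "bob")
        except PermissionError:
            pass  # a denial is itself recorded as an event
        got = ctx.events[-1][0] if ctx.events else None
        if got != expected:
            mismatches.append((action, role.name, got))
    return mismatches


if __name__ == "__main__":
    print("mis-wired table:", verify_mapping(dispatch_miswired))
    print("explicit table: ", verify_mapping(dispatch))
```

Run against the mis-wired table, verify_mapping reports three deviations: "view profile" deletes the target for both roles, and a viewer can delete because no role check runs. Against the explicit table it reports none. Checking the emitted event rather than the handler's return value is deliberate: a wrong handler can return a plausible value, but the server-side event log records what actually happened.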

Common Consequences
Scope: Other

Impact: Quality Degradation; Varies by Context

Potential Mitigations
Phase: Testing
Perform extensive functionality testing of the UI. The UI should behave as specified.

Observed Examples
CVE-2001-1387: Network firewall accidentally implements one command line option as if it were another, possibly leading to behavioral infoleak.
CVE-2001-0081: Command line option correctly suppresses a user prompt but does not properly disable a feature, although when the product prompts the user, the feature is properly disabled.
CVE-2002-1977: Product does not "time out" according to user specification, leaving sensitive data available after it has expired.
Applicable Platforms
Languages:
Not Language-Specific: Undetermined

Modes of Introduction
Implementation
Related Weaknesses
Taxonomy Mapping
  • PLOVER