Ejecuta análisis estático (SAST) sobre el código buscando el patrón inseguro en el flujo de datos.
CWE-268 Base Borrador
Privilege Chaining
Privilege chaining occurs when an attacker combines two separate permissions or capabilities, neither of which is dangerous on its own, to perform a harmful action that neither permission should…
Definición
What is CWE-268?
Privilege chaining occurs when an attacker combines two separate permissions or capabilities, neither of which is dangerous on its own, to perform a harmful action that neither permission should individually allow.
This vulnerability is like a security bypass puzzle. A system might correctly enforce that a user cannot directly delete a file or directly write to a system directory. However, if the user can first move a file into that protected directory (using one permission) and then delete any file they own there (using a second permission), they have effectively achieved an unauthorized deletion. The core failure is that the system's security checks evaluate each privilege in isolation, missing the dangerous sequence they enable when used together.
To prevent this, developers must design authorization checks that consider context and history, not just the immediate action. This involves analyzing how privileges can interact over a session or transaction. Implementing mandatory access control (MAC), logging and monitoring for unusual privilege sequences, and adhering to the principle of least privilege are key defenses. Always ask: 'Could these two allowed actions be combined to achieve something we explicitly forbid?'
Impacto en el mundo real
Real-world CVEs caused by CWE-268
-
Chaining of user rights.
-
Gain certain rights via privilege chaining in alternate channel.
-
Application is allowed to assign extra permissions to itself.
-
"operator" user can overwrite usernames and passwords to gain admin privileges.
Cómo lo explotan los atacantes
Ruta del atacante paso a paso
- 1
Identifica una ruta de código que maneje entrada no confiable sin validación.
- 2
Crea un payload que ejercite el comportamiento inseguro — inyección, traversal, overflow o abuso de lógica.
- 3
Envía el payload a través de una solicitud normal y observa la reacción de la aplicación.
- 4
Itera hasta que la respuesta filtre datos, ejecute código del atacante o escale privilegios.
Ejemplo de código vulnerable
Vulnerable Java
This code allows someone with the role of "ADMIN" or "OPERATOR" to reset a user's password. The role of "OPERATOR" is intended to have less privileges than an "ADMIN", but still be able to help users with small issues such as forgotten passwords.
public enum Roles {
ADMIN,OPERATOR,USER,GUEST
}
public void resetPassword(User requestingUser, User user, String password ){
if(isAuthenticated(requestingUser)){
switch(requestingUser.role){
case GUEST:
System.out.println("You are not authorized to perform this command");
break;
case USER:
System.out.println("You are not authorized to perform this command");
break;
default:
setPassword(user,password);
break;
}
}
else{
System.out.println("You must be logged in to perform this command");
}
} Ejemplo de código seguro
Secure pseudo
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
const safe = validateAndEscape(input);
return executeWithGuards(safe);
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de prevención
How to prevent CWE-268
- Architecture and Design Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
- Architecture and Design / Operation Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
- Architecture and Design / Operation Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
Señales de detección
How to detect CWE-268
Ejecuta pruebas dinámicas de seguridad de aplicaciones (DAST) contra el endpoint en vivo.
Vigila los logs en tiempo de ejecución para detectar trazas de excepción inusuales, entradas malformadas o intentos de bypass de autorización.
Revisión de código: marca cualquier código nuevo que maneje entrada desde esta superficie sin usar los helpers validados del framework.
Plexicus detecta automáticamente CWE-268 y abre un PR de corrección en menos de 60 segundos.
Codex Remedium escanea cada commit, identifica esta debilidad concreta y entrega un pull request listo para revisión con el parche. Sin tickets. Sin traspasos.
Preguntas frecuentes ¿Qué es CWE-268?
¿Qué gravedad tiene CWE-268?
¿Qué lenguajes o plataformas se ven afectados por CWE-268?
¿Cómo puedo prevenir CWE-268?
¿Cómo detecta y corrige Plexicus CWE-268?
¿Dónde puedo aprender más sobre CWE-268?
Frequently asked questions
¿Qué es CWE-268?
Privilege chaining occurs when an attacker combines two separate permissions or capabilities, neither of which is dangerous on its own, to perform a harmful action that neither permission should individually allow.
¿Qué gravedad tiene CWE-268?
MITRE califica la probabilidad de explotación como Alta — esta debilidad se explota activamente en la práctica y debe priorizarse para su remediación.
¿Qué lenguajes o plataformas se ven afectados por CWE-268?
MITRE no ha especificado plataformas afectadas para esta CWE — puede aplicar a la mayoría de los stacks de aplicaciones.
¿Cómo puedo prevenir CWE-268?
Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource. Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
¿Cómo detecta y corrige Plexicus CWE-268?
El motor SAST de Plexicus detecta la firma de flujo de datos para CWE-268 en cada commit. Cuando hay coincidencia, nuestro agente Codex Remedium abre un PR de corrección con el código corregido, las pruebas y un resumen de una línea para el revisor.
¿Dónde puedo aprender más sobre CWE-268?
MITRE publica la definición canónica en https://cwe.mitre.org/data/definitions/268.html. También puedes consultar la documentación de OWASP y NIST para guías relacionadas.
Debilidades relacionadas
Weaknesses related to CWE-268
CWE-269 Padre
Improper Privilege Management
This vulnerability occurs when an application fails to correctly manage user permissions, allowing someone to perform actions or access…
CWE-250 Hermano
Execution with Unnecessary Privileges
This vulnerability occurs when software runs with higher permissions than it actually needs to perform its tasks. This excessive privilege…
CWE-266 Hermano
Incorrect Privilege Assignment
This vulnerability occurs when a system mistakenly grants a user, process, or entity a specific permission or privilege they should not…
CWE-267 Hermano
Privilege Defined With Unsafe Actions
This vulnerability occurs when a system grants a user, role, or process a specific permission that can be misused to perform dangerous,…
CWE-270 Hermano
Privilege Context Switching Error
This vulnerability occurs when an application fails to properly manage user permissions while moving between different security contexts,…
CWE-271 Hermano
Privilege Dropping / Lowering Errors
This vulnerability occurs when a system or process fails to reduce its elevated permissions before transferring control of a resource to a…
CWE-274 Hermano
Improper Handling of Insufficient Privileges
This vulnerability occurs when an application fails to properly manage situations where it lacks the necessary permissions to execute an…
CWE-648 Hermano
Incorrect Use of Privileged APIs
This vulnerability occurs when software incorrectly uses functions that require special permissions. Attackers can exploit these mistakes…
Listo cuando tú lo estés
Deja de pagar por desarrollador.
Empieza a cerrar el bucle.
Plexicus es el ASPM nativo de IA que escanea, filtra, corrige, pentestea y explica — de forma autónoma. Desarrolladores ilimitados, repos ilimitados, acciones de IA de uso justo. Nivel gratuito real, €269/mo anual cuando estés listo.