Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. Generally, automated static analysis tools have difficulty detecting custom authorization schemes. Even if they can be customized to recognize these schemes, they might not be able to tell whether the scheme correctly performs the authorization in a way that cannot be bypassed or subverted by an attacker.
CWE-863 Classe Incomplet
Incorrect Authorization
This vulnerability occurs when an application checks if a user is allowed to perform an action or access data, but the check is flawed or incomplete, allowing unauthorized access.
Définition
What is CWE-863?
This vulnerability occurs when an application checks if a user is allowed to perform an action or access data, but the check is flawed or incomplete, allowing unauthorized access.
Incorrect authorization happens when the logic that verifies user permissions contains mistakes. For example, the app might check a user's role but forget to verify if they own the specific data they're trying to modify, leading to horizontal privilege escalation. It can also stem from missing checks entirely for certain application paths, or from relying on client-side controls that attackers can easily bypass.
These flaws are often subtle and context-dependent, making them hard to catch in code reviews. While SAST tools can identify missing authorization patterns, Plexicus uses AI to analyze the specific business logic and suggest precise code fixes, helping developers close these security gaps efficiently and prevent data breaches.
Impact réel
Real-world CVEs caused by CWE-863
-
collaboration platform allows attacker to access an AI bot by using a plugin to set a critical property
-
LLM application development platform allows non-admin users to enable or disable apps using certain API endpoints
-
Chain: A microservice integration and management platform compares the hostname in the HTTP Host header in a case-sensitive way (CWE-178, CWE-1289), allowing bypass of the authorization policy (CWE-863) using a hostname with mixed case or other variations.
-
Chain: sscanf() call is used to check if a username and group exists, but the return value of sscanf() call is not checked (CWE-252), causing an uninitialized variable to be checked (CWE-457), returning success to allow authorization bypass for executing a privileged (CWE-863).
-
Gateway uses default "Allow" configuration for its authorization settings.
-
Chain: product does not properly interpret a configuration option for a system group, allowing users to gain privileges.
-
Chain: SNMP product does not properly parse a configuration option for which hosts are allowed to connect, allowing unauthorized IP addresses to connect.
-
Chain: reliance on client-side security (CWE-602) allows attackers to bypass authorization using a custom client.
Comment les attaquants l'exploitent
Parcours de l'attaquant étape par étape
- 1
Identifier un chemin de code qui traite des entrées non fiables sans validation.
- 2
Élaborer une charge utile qui exploite le comportement non sécurisé — injection, traversal, débordement ou abus de logique.
- 3
Délivrer la charge utile via une requête normale et observer la réaction de l'application.
- 4
Itérer jusqu'à ce que la réponse divulgue des données, exécute le code de l'attaquant ou élève les privilèges.
Exemple de code vulnérable
Vulnerable PHP
The following code could be for a medical records application. It displays a record to already authenticated users, confirming the user's authorization using a value stored in a cookie.
$role = $_COOKIES['role'];
if (!$role) {
$role = getRole('user');
if ($role) {
// save the cookie to send out in future responses
setcookie("role", $role, time()+60*60*2);
}
else{
ShowLoginScreen();
die("\n");
}
}
if ($role == 'Reader') {
DisplayMedicalHistory($_POST['patient_ID']);
}
else{
die("You are not Authorized to view this record\n");
} Exemple de code sécurisé
Secure pseudo
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
const safe = validateAndEscape(input);
return executeWithGuards(safe);
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Liste de contrôle de prévention
How to prevent CWE-863
- Architecture and Design Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
- Architecture and Design Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
- Architecture and Design Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
- Architecture and Design For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page. One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
- System Configuration / Installation Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
Signaux de détection
How to detect CWE-863
Automated dynamic analysis may not be able to find interfaces that are protected by authorization checks, even if those checks contain weaknesses.
This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms.
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Web Application Scanner Web Services Scanner Database Scanners
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer Forced Path Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious
Plexicus détecte automatiquement CWE-863 et ouvre une PR de correction en moins de 60 secondes.
Codex Remedium analyse chaque commit, identifie cette faiblesse précise et livre une pull request prête à être relue avec le correctif. Pas de tickets. Pas de transferts.
Questions fréquentes Qu'est-ce que CWE-863 ?
Quelle est la gravité de CWE-863 ?
Quels langages ou plateformes sont affectés par CWE-863 ?
Comment puis-je prévenir CWE-863 ?
Comment Plexicus détecte et corrige CWE-863 ?
Où puis-je en savoir plus sur CWE-863 ?
Frequently asked questions
Qu'est-ce que CWE-863 ?
This vulnerability occurs when an application checks if a user is allowed to perform an action or access data, but the check is flawed or incomplete, allowing unauthorized access.
Quelle est la gravité de CWE-863 ?
MITRE évalue la probabilité d'exploitation comme Élevée — cette faiblesse est activement exploitée et doit être priorisée pour la remédiation.
Quels langages ou plateformes sont affectés par CWE-863 ?
MITRE lists the following affected platforms: Web Server, Database Server.
Comment puis-je prévenir CWE-863 ?
Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role. Ensure that access control checks are performed related to the business logic. These…
Comment Plexicus détecte et corrige CWE-863 ?
Le moteur SAST de Plexicus reconnaît la signature de flux de données de CWE-863 à chaque commit. Lorsqu'une correspondance est trouvée, notre agent Codex Remedium ouvre une PR de correction avec le code corrigé, les tests et un résumé d'une ligne pour le relecteur.
Où puis-je en savoir plus sur CWE-863 ?
MITRE publie la définition canonique à https://cwe.mitre.org/data/definitions/863.html. Vous pouvez également consulter la documentation OWASP et NIST pour des conseils adjacents.
Faiblesses associées
Weaknesses related to CWE-863
CWE-285 Parent
Improper Authorization
This vulnerability occurs when an application fails to properly verify whether a user has permission to access specific data or perform…
CWE-1230 Frère
Exposure of Sensitive Information Through Metadata
This vulnerability occurs when an application protects the primary source of sensitive data but fails to secure the metadata derived from…
CWE-1256 Frère
Improper Restriction of Software Interfaces to Hardware Features
This vulnerability occurs when a system's software interfaces to hardware features—like power, clock, or performance management—are not…
CWE-1297 Frère
Unprotected Confidential Information on Device is Accessible by OSAT Vendors
This vulnerability occurs when a semiconductor chip does not properly secure sensitive data, making it accessible to third-party…
CWE-1328 Frère
Security Version Number Mutable to Older Versions
This vulnerability occurs when a hardware system's security version number can be changed, allowing an attacker to downgrade or roll back…
CWE-552 Frère
Files or Directories Accessible to External Parties
This vulnerability occurs when an application exposes files or directories to users who shouldn't have access to them.
CWE-732 Frère
Incorrect Permission Assignment for Critical Resource
This vulnerability occurs when a system grants overly permissive access to a sensitive resource, allowing unauthorized users or processes…
CWE-862 Frère
Missing Authorization
This vulnerability occurs when an application fails to verify whether a user has permission to access specific data or execute certain…
CWE-926 Frère
Improper Export of Android Application Components
This vulnerability occurs when an Android app makes a component (like an Activity, Service, or Content Provider) available to other apps…
Ressources
Further reading
- MITRE — CWE-863 officiel https://cwe.mitre.org/data/definitions/863.html
- Role Based Access Control and Role Based Security https://csrc.nist.gov/projects/role-based-access-control
- Writing Secure Code https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223
- Top 25 Series - Rank 5 - Improper Access Control (Authorization) https://www.sans.org/blog/top-25-series-rank-5-improper-access-control-authorization
- Authentication using JAAS https://javaranch.com/journal/2008/04/authentication-using-JAAS.html
- OWASP Enterprise Security API (ESAPI) Project https://owasp.org/www-project-enterprise-security-api/
Prêt quand vous l'êtes
Arrêtez de payer par développeur.
Commencez à fermer la boucle.
Plexicus est l'ASPM natif IA qui scanne, filtre, corrige, penteste et explique — de façon autonome. Développeurs illimités, dépôts illimités, actions IA à usage équitable. Vrai niveau gratuit, €269/mo annuel quand vous êtes prêt.