Executar análise estática (SAST) na base de código à procura do padrão inseguro no fluxo de dados.
CWE-268 Base Rascunho
Privilege Chaining
Privilege chaining occurs when an attacker combines two separate permissions or capabilities, neither of which is dangerous on its own, to perform a harmful action that neither permission should…
Definição
What is CWE-268?
Privilege chaining occurs when an attacker combines two separate permissions or capabilities, neither of which is dangerous on its own, to perform a harmful action that neither permission should individually allow.
This vulnerability is like a security bypass puzzle. A system might correctly enforce that a user cannot directly delete a file or directly write to a system directory. However, if the user can first move a file into that protected directory (using one permission) and then delete any file they own there (using a second permission), they have effectively achieved an unauthorized deletion. The core failure is that the system's security checks evaluate each privilege in isolation, missing the dangerous sequence they enable when used together.
To prevent this, developers must design authorization checks that consider context and history, not just the immediate action. This involves analyzing how privileges can interact over a session or transaction. Implementing mandatory access control (MAC), logging and monitoring for unusual privilege sequences, and adhering to the principle of least privilege are key defenses. Always ask: 'Could these two allowed actions be combined to achieve something we explicitly forbid?'
Impacto no mundo real
Real-world CVEs caused by CWE-268
-
Chaining of user rights.
-
Gain certain rights via privilege chaining in alternate channel.
-
Application is allowed to assign extra permissions to itself.
-
"operator" user can overwrite usernames and passwords to gain admin privileges.
Como os atacantes a exploram
Trajeto do atacante passo a passo
- 1
Identificar um caminho de código que trata input não confiável sem validação.
- 2
Criar um payload que explora o comportamento inseguro — injeção, traversal, overflow ou abuso de lógica.
- 3
Entregar o payload através de um pedido normal e observar a reação da aplicação.
- 4
Iterar até que a resposta exponha dados, execute código do atacante ou escale privilégios.
Exemplo de código vulnerável
Vulnerable Java
This code allows someone with the role of "ADMIN" or "OPERATOR" to reset a user's password. The role of "OPERATOR" is intended to have less privileges than an "ADMIN", but still be able to help users with small issues such as forgotten passwords.
public enum Roles {
ADMIN,OPERATOR,USER,GUEST
}
public void resetPassword(User requestingUser, User user, String password ){
if(isAuthenticated(requestingUser)){
switch(requestingUser.role){
case GUEST:
System.out.println("You are not authorized to perform this command");
break;
case USER:
System.out.println("You are not authorized to perform this command");
break;
default:
setPassword(user,password);
break;
}
}
else{
System.out.println("You must be logged in to perform this command");
}
} Exemplo de código seguro
Secure pseudo
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
const safe = validateAndEscape(input);
return executeWithGuards(safe);
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de verificação de prevenção
How to prevent CWE-268
- Architecture and Design Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
- Architecture and Design / Operation Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
- Architecture and Design / Operation Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
Sinais de deteção
How to detect CWE-268
Executar testes dinâmicos de segurança de aplicações (DAST) contra o endpoint em execução.
Monitorizar os registos em tempo de execução para traços de exceção invulgares, input malformado ou tentativas de contornar a autorização.
Revisão de código: sinalizar qualquer novo código que trate input desta superfície sem usar os ajudantes validados do framework.
O Plexicus deteta automaticamente o CWE-268 e abre um PR de correção em menos de 60 segundos.
O Codex Remedium analisa cada commit, identifica esta fraqueza exata e entrega um pull request pronto para revisão com o patch. Sem tickets. Sem transferências.
Perguntas frequentes O que é o CWE-268?
Qual a gravidade do CWE-268?
Que linguagens ou plataformas são afetadas pelo CWE-268?
Como posso prevenir o CWE-268?
Como é que o Plexicus deteta e corrige o CWE-268?
Onde posso saber mais sobre o CWE-268?
Frequently asked questions
O que é o CWE-268?
Privilege chaining occurs when an attacker combines two separate permissions or capabilities, neither of which is dangerous on its own, to perform a harmful action that neither permission should individually allow.
Qual a gravidade do CWE-268?
A MITRE classifica a probabilidade de exploração como Alta — esta fraqueza é ativamente explorada em campo e deve ser priorizada para remediação.
Que linguagens ou plataformas são afetadas pelo CWE-268?
A MITRE não especificou as plataformas afetadas por este CWE — pode aplicar-se à maioria das stacks de aplicações.
Como posso prevenir o CWE-268?
Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource. Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Como é que o Plexicus deteta e corrige o CWE-268?
O motor SAST do Plexicus correlaciona a assinatura de fluxo de dados do CWE-268 em cada commit. Quando é encontrada uma correspondência, o nosso agente Codex Remedium abre um PR de correção com o código corrigido, testes e um resumo de uma linha para o revisor.
Onde posso saber mais sobre o CWE-268?
A MITRE publica a definição canónica em https://cwe.mitre.org/data/definitions/268.html. Pode também consultar a documentação da OWASP e do NIST para orientações adjacentes.
Fraquezas relacionadas
Weaknesses related to CWE-268
CWE-269 Pai
Improper Privilege Management
This vulnerability occurs when an application fails to correctly manage user permissions, allowing someone to perform actions or access…
CWE-250 Irmão
Execution with Unnecessary Privileges
This vulnerability occurs when software runs with higher permissions than it actually needs to perform its tasks. This excessive privilege…
CWE-266 Irmão
Incorrect Privilege Assignment
This vulnerability occurs when a system mistakenly grants a user, process, or entity a specific permission or privilege they should not…
CWE-267 Irmão
Privilege Defined With Unsafe Actions
This vulnerability occurs when a system grants a user, role, or process a specific permission that can be misused to perform dangerous,…
CWE-270 Irmão
Privilege Context Switching Error
This vulnerability occurs when an application fails to properly manage user permissions while moving between different security contexts,…
CWE-271 Irmão
Privilege Dropping / Lowering Errors
This vulnerability occurs when a system or process fails to reduce its elevated permissions before transferring control of a resource to a…
CWE-274 Irmão
Improper Handling of Insufficient Privileges
This vulnerability occurs when an application fails to properly manage situations where it lacks the necessary permissions to execute an…
CWE-648 Irmão
Incorrect Use of Privileged APIs
This vulnerability occurs when software incorrectly uses functions that require special permissions. Attackers can exploit these mistakes…
Pronto quando você estiver
Pare de pagar por desenvolvedor.
Comece a fechar o ciclo.
O Plexicus é o ASPM nativo de IA que verifica, filtra, corrige, pentesta e explica — de forma autónoma. Programadores ilimitados, repos ilimitados, ações de IA de utilização justa. Nível gratuito real, €269/mo anual quando estiver pronto.